Updating WordPress on CentOS with SELinux enabled

     

In my earlier post I explained how to install WordPress on CentOS. It’s all good until you get the first update notification for WordPress itself:

But if you click on that Update Now button, guess what happens:

Of course, you want FTP credentials, what else?

To perform the requested action, WordPress needs to access your web server. Please enter your FTP credentials to proceed.

This indicates that WordPress is having trouble overwriting itself. After reading the SELinux Crash Course, let’s take a look around!

[root@noobient ~]# ls -alZ /var/www/html/wordpress/
drwxr-xr-x. nginx nginx unconfined_u:object_r:httpd_sys_content_t:s0 .
drwxr-xr-x. nginx nginx unconfined_u:object_r:httpd_sys_content_t:s0 ..
-rw-r--r--. nginx nginx unconfined_u:object_r:httpd_sys_content_t:s0 index.php
-rw-r--r--. nginx nginx unconfined_u:object_r:httpd_sys_content_t:s0 info.php
-rw-r--r--. nginx nginx unconfined_u:object_r:httpd_sys_content_t:s0 license.txt
-rw-r--r--. nginx nginx unconfined_u:object_r:httpd_sys_content_t:s0 readme.html
-rw-r--r--. nginx nginx unconfined_u:object_r:httpd_sys_content_t:s0 wp-activate.php
drwxr-xr-x. nginx nginx unconfined_u:object_r:httpd_sys_content_t:s0 wp-admin
-rw-r--r--. nginx nginx unconfined_u:object_r:httpd_sys_content_t:s0 wp-blog-header.php
-rw-r--r--. nginx nginx unconfined_u:object_r:httpd_sys_content_t:s0 wp-comments-post.php
-rw-r--r--. root  root  unconfined_u:object_r:httpd_sys_content_t:s0 wp-config.php
-rw-r--r--. nginx nginx unconfined_u:object_r:httpd_sys_content_t:s0 wp-config-sample.php
drwxr-xr-x. nginx nginx unconfined_u:object_r:httpd_sys_rw_content_t:s0 wp-content
-rw-r--r--. nginx nginx unconfined_u:object_r:httpd_sys_content_t:s0 wp-cron.php
drwxr-xr-x. nginx nginx unconfined_u:object_r:httpd_sys_content_t:s0 wp-includes
-rw-r--r--. nginx nginx unconfined_u:object_r:httpd_sys_content_t:s0 wp-links-opml.php
-rw-r--r--. nginx nginx unconfined_u:object_r:httpd_sys_content_t:s0 wp-load.php
-rw-r--r--. nginx nginx unconfined_u:object_r:httpd_sys_content_t:s0 wp-login.php
-rw-r--r--. nginx nginx unconfined_u:object_r:httpd_sys_content_t:s0 wp-mail.php
-rw-r--r--. nginx nginx unconfined_u:object_r:httpd_sys_content_t:s0 wp-settings.php
-rw-r--r--. nginx nginx unconfined_u:object_r:httpd_sys_content_t:s0 wp-signup.php
-rw-r--r--. nginx nginx unconfined_u:object_r:httpd_sys_content_t:s0 wp-trackback.php
-rw-r--r--. nginx nginx unconfined_u:object_r:httpd_sys_content_t:s0 xmlrpc.php

So it seems all content is read-only… except for wp-content. But why’s that?

[root@noobient ~]# semanage fcontext -l | grep /var/www | grep wp
/var/www/html(/.*)?/wp-content(/.*)?               all files          system_u:object_r:httpd_sys_rw_content_t:s0
/var/www/html(/.*)?/wp_backups(/.*)?               all files          system_u:object_r:httpd_sys_rw_content_t:s0

Bingo. You could update plugins and themes because there’s a predefined policy that allows HTTP servers to write to wp-content. But there isn’t one for the WordPress root folder. So what do you do? You don’t want to permanently allow writes to your document root, but you can allow them just for a little while. chcon changes the labels on the files without touching the policy, so they can be reset afterwards:

chcon -R unconfined_u:object_r:httpd_sys_rw_content_t:s0 /var/www/html/wordpress

Now try again with that Update Now button:

That’s more like it. Once finished, make sure to restore the read-only state:

restorecon -rv /var/www/html
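
The relabel, update and restore steps above as an added example (not part of the original post): a wrapper that always runs the restore, plus a check of ls -Z output for labels left writable. The function names and sample listings are constructed, and the check assumes the five-column ls -Z format shown earlier.

```bash
#!/bin/bash
# Added example, not from the original post. Function names are hypothetical.

RW_CONTEXT='unconfined_u:object_r:httpd_sys_rw_content_t:s0'

# Relabel DIR writable, run the given command, then always restore the
# policy-defined labels, even when the command fails. Returns the command's
# exit status, or 1 if relabelling or restoring failed.
with_temp_rw() {
    local dir=$1 rc=0
    shift
    chcon -R "$RW_CONTEXT" "$dir" || return 1
    "$@" || rc=$?              # safe under `set -e`: restore still runs
    restorecon -r "$dir" || return 1
    return "$rc"
}

# Read `ls -Z` lines (perms, user, group, context, name) on stdin and print
# every entry still labelled httpd_sys_rw_content_t that is not one of the two
# directories the predefined policy makes writable. Exit status 1 if any found.
# Assumption: names contain no spaces (only the fifth field is compared).
rw_outside_policy() {
    awk '$4 ~ /:httpd_sys_rw_content_t:/ && $5 != "wp-content" && $5 != "wp_backups" {
             print $5; bad = 1
         }
         END { exit bad }'
}

# Constructed sample: labels between chcon and restorecon.
SAMPLE_DURING='-rw-r--r--. nginx nginx unconfined_u:object_r:httpd_sys_rw_content_t:s0 index.php
drwxr-xr-x. nginx nginx unconfined_u:object_r:httpd_sys_rw_content_t:s0 wp-admin
drwxr-xr-x. nginx nginx unconfined_u:object_r:httpd_sys_rw_content_t:s0 wp-content'

# Constructed sample: labels after restorecon.
SAMPLE_AFTER='-rw-r--r--. nginx nginx unconfined_u:object_r:httpd_sys_content_t:s0 index.php
drwxr-xr-x. nginx nginx unconfined_u:object_r:httpd_sys_rw_content_t:s0 wp-content'

printf '%s\n' "$SAMPLE_DURING" | rw_outside_policy || echo "^ still writable by the web server"
printf '%s\n' "$SAMPLE_AFTER" | rw_outside_policy && echo "document root is read-only again"
```

On the server, feed the check with `ls -Z /var/www/html/wordpress/ | rw_outside_policy` once the update has finished.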

And all is well. Cheers!