How to allow WordPress to upload images on an SELinux enabled server
I recently had to put up a blog running the WordPress system. There are a lot of things I like about WordPress and in general the difficulty in getting the site up and running was low.
The problem came about when an image was needed on the site. The software gave me the infamous “Is its parent directory writable by the server” message. After confirming the permissions were correct I began to dig deeper. It turned out that SELinux was causing an access denied message.
After much research on the matter, I learned a few things. First, most people simply turn off (example, example, example) SELinux. That was not an option for me. I want the extra contextual security provided. Second, it was not a WordPress problem, or even an SELinux problem. In reality, it’s simply a configuration setting put in place to make unauthorized uploads less likely.
It turns out that the security policy will only allow the httpd service to upload to the /tmp directory. Examination of that directory shows that the context includes tmp_t. That is the ticket that got things working for me. Here’s my solution to this issue:
- Change directory to the wp-content directory of the WordPress software.
- Make the uploads folder manually.
    mkdir uploads
- Change the owner of uploads to the appropriate user that apache runs as (as root).
    chown httpuser:httpuser uploads
- Change permissions to allow the apache user to write to the directory (as root).
    chmod 755 uploads
- Change the SE context of the directory to allow httpd to upload files (as root).
    chcon -t tmp_t uploads
That did it. Not terribly difficult, but there is not a lot of concise documentation to be found when looking for this problem. It is very possible that there is a better way to accomplish these results, and if you know that it is please let me know! I can say that my configuration is working today and, at least so far, everything seems to be working fine and as secure as it can be.
The final output of ls -Z for the uploads directory should look something like this:
drwxr-xr-x httpd httpd root:object_r:tmp_t uploads
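A label set with chcon lasts only until a filesystem relabel or restorecon puts the default type back, so the script below (an added example, not part of the original post) parses ls -Z lines like the one above, flags the generic tmp_t type, and prints the semanage and restorecon commands that record an httpd-specific label persistently. The httpd_sys_rw_content_t type (from the targeted policy) and the /var/www/html path are assumptions, not values from the post.

```bash
#!/bin/bash
# Added example: audit and persistently label a WordPress uploads directory.
# Assumptions (not from the post): a targeted policy that provides
# httpd_sys_rw_content_t; the default path below is a placeholder.
RW_TYPE="httpd_sys_rw_content_t"

# Pull the SELinux context out of one `ls -Z` line (old or new column layout).
context_from_ls() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i <= NF; i++)
        if ($i ~ /^[^:]+:[^:]+:[^:]+/) { print $i; exit } }'
}

# The type is the third field of user:role:type[:level].
context_type() { printf '%s\n' "$1" | cut -d: -f3; }

# Classify the label on a directory httpd has to write to.
check_upload_label() {
    case "$(context_type "$1")" in
        "$RW_TYPE"|httpd_tmp_t) echo "ok" ;;      # httpd-specific types
        tmp_t) echo "generic-tmp"; return 1 ;;    # same type as /tmp itself
        *)     echo "unexpected"; return 1 ;;
    esac
}

# Print (DRY_RUN=1, the default) or execute one command.
run() { if [ "${DRY_RUN:-1}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# chcon edits only the label currently on the file. Recording the rule with
# semanage lets restorecon and full relabels reapply the same type.
label_uploads() {
    dir=${1%/}
    run semanage fcontext -a -t "$RW_TYPE" "${dir}(/.*)?"
    run restorecon -Rv "$dir"
}

# Constructed sample lines: the post's output and a newer-style listing.
for line in \
    'drwxr-xr-x httpd httpd root:object_r:tmp_t uploads' \
    'drwxr-xr-x. apache apache system_u:object_r:httpd_sys_rw_content_t:s0 uploads'
do
    ctx=$(context_from_ls "$line")
    printf '%-50s %s\n' "$ctx" "$(check_upload_label "$ctx")"
done
label_uploads "${1:-/var/www/html/wp-content/uploads}"
```

By default the script only prints the two commands; run it as root with DRY_RUN=0 and the real path to apply them. In dry-run output the path pattern is shown unquoted, so quote it if you paste the semanage line into a shell.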
Cheers.
January 24, 2008 - Posted by palehorse | Blogging, Linux, Operating Systems
3 Comments »
You can try chcon -t httpd_tmp_t uploads
SELinux is all about labelling. There is a label on every process and a label on every file/directory. Then there are rules governing the access between the process label and the file/directory label.
If SELinux is complaining, it is usually an issue with labeling.
man httpd_selinux
Gives a good explanation on setting up labelling for apache in SELinux.
http://docs.fedoraproject.org/selinux-managing-confined-services-guide/en-US/F11/html/
This guide also explains setting up different services.
Nice link to the guide Dan, thank you!