I recently had to put up a blog running the WordPress system. There are a lot of things I like about WordPress and in general the difficulty in getting the site up and running was low.
The problem came about when an image was needed on the site. The software gave me the infamous “Is its parent directory writable by the server” message. After confirming the permissions where correct I began to dig deeper. It turned out that SELinux was causing an access denied message.
After much research on the matter, I learned a few things. First, most people simply turn off (example, example, example) SELinux. That was not an option for me. I want the extra contextual security provided. Second, it was not a WordPress problem, or even an SELinux problem. In reality, it’s simply a configuration setting put in place to make unauthorized uploads less likely.
It turns out that the security policy will only allow the httpd service to upload to the /tmp directory. Examination of that directory shows that the context includes tmp_t. That is the ticket that got things working for me. Here’s my solution to this issue:
- Change directory to the wp-content directory of the WordPress software.
- Made the uploads folder manually.
- Changed the owner of uploads to the appropriate user that apache runs as (as root).
chown httpuser:httpuser uploads
- Changed permissions to allow the apache user to write to the directory (as root).
chmod 755 uploads
- Changed the SE context of the directory to allow httpd to upload file (as root).
chcon -t tmp_t uploads
That did it. Not terribly difficult, but there is not a lot of concise documentation to be found when looking for this problem. It is very possible that there is a better way to accomplish these results, and if you know that it is please let me know! I can say that my configuration is working today and, at least so far, everything seems to be working fine and as secure as it can be.
The final output of ls -Z for the uploads directory should look something like this:
drwxr-xr-x httpd httpd root:object_r:tmp_t uploads