I was frustrated with the number of tutorials for installing WordPress on Linux that say to simply turn SELinux off. This is an unacceptable workaround. It’s simply lazy administration. SELinux is not designed to make your job harder (although it can do that really easily); it’s there to make your system safer.
I scoured the internet and pieced together bits of information from several sources to put together a tutorial that walks you through how to install WordPress while keeping SELinux turned on.
It took a lot of reading to understand SELinux, but once you understand it, it makes a whole lot more sense.
Apache
Install the required packages:
sudo yum -y install httpd
sudo systemctl enable httpd
Modify apache config to allow mod_rewrite:
sudo sed -i /etc/httpd/conf/httpd.conf -e 's/AllowOverride None/AllowOverride All/g'
Open necessary firewall ports:
sudo firewall-cmd --add-service=http --permanent
sudo systemctl restart firewalld
Start apache:
sudo systemctl start httpd
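If you are behind a reverse proxy such as Varnish or a web application firewall, you will want to modify your Apache configuration to log X-Forwarded-For IPs to make the logs more meaningful. Only rely on this header when the proxy sets or overwrites it, because a client that reaches Apache directly can send any X-Forwarded-For value it likes: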
sudo sed -i /etc/httpd/conf/httpd.conf -e 's/%h/%{X-Forwarded-For}i/g'
MariaDB
Install:
sudo yum -y install mariadb-server mariadb
sudo systemctl enable mariadb
Let’s do the SELinux magic for the DB.
sudo semodule -i mariadb-server.pp
sudo semanage fcontext --list | grep mysqld_db_t
sudo semanage fcontext -a -t mysqld_db_t "/var/lib/mysql(/.*)?"
sudo restorecon -Rv /var/lib/mysql
sudo semanage fcontext -a -t mysqld_log_t "/var/log/mysql(/.*)?"
sudo restorecon -Rv /var/log/mysql
sudo semanage fcontext -a -t mysqld_log_t "/var/log/mariadb(/.*)?"
sudo restorecon -Rv /var/log/mariadb
Run initial MariaDB configuration to set the database root password
sudo systemctl start mariadb
sudo mysql_secure_installation
Create a WordPress database and user:
Please do NOT use this as a username…
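mysql -u root -p
# enter your mysql root password here, then run the rest at the MariaDB prompt
# create a single account bound to localhost with a password (a bare "create user wordpress" would also create a passwordless 'wordpress'@'%' account)
CREATE USER 'wordpress'@'localhost' IDENTIFIED BY 'password';
CREATE DATABASE wordpress;
GRANT ALL PRIVILEGES ON wordpress.* TO 'wordpress'@'localhost';
quit;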
WordPress
Install PHP and restart apache
sudo yum -y install php php-mysql php-gd php-ldap php-odbc php-pear php-xml php-xmlrpc php-mbstring php-snmp php-soap curl
sudo systemctl restart httpd
Configure base WordPress directory
Download, extract, and set permissions for your WordPress installation:
(manual instructions for WordPress below)
wget https://wordpress.org/latest.zip
sudo unzip latest.zip -d /var/www/html
sudo chown apache:apache -R /var/www/html/wordpress
Change the Apache document root so you don’t need to tack /wordpress at the end of the url:
sudo sed -i /etc/httpd/conf/httpd.conf -e 's/DocumentRoot \"\/var\/www\/html/&\/wordpress/g'
sudo systemctl restart httpd
Configure upload directory
If you want users to upload content, then you will want to assign the httpd_sys_rw_content_t SELinux security context to the wp-content/uploads directory (create it if it doesn’t exist):
sudo mkdir -p /var/www/html/wordpress/wp-content/uploads
sudo chown apache:apache /var/www/html/wordpress/wp-content/uploads
sudo semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/html/wordpress/wp-content/uploads(/.*)?"
sudo restorecon -Rv /var/www/html/wordpress/wp-content/uploads
Run the wizard
In order for the wizard to run properly, we need to temporarily give the WordPress directory the httpd_sys_rw_content_t SELinux context:
sudo chcon -t httpd_sys_rw_content_t /var/www/html/wordpress/
Now navigate to your new website in a browser and follow the wizard, which will create a wp-config.php file inside the WordPress directory. Once your site is properly set up, restore the original security context for the WordPress directory:
sudo restorecon -v /var/www/html/wordpress/
Success! Everything is working within the proper SELinux contexts.
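To confirm that the temporary httpd_sys_rw_content_t label from the wizard step is really gone, the following added example (not part of the original tutorial) compares SELinux types under the WordPress tree with the types the steps above intend. The function names and the sample lines are constructed, and it assumes the stock targeted policy, where content under /var/www defaults to httpd_sys_content_t.

```shell
#!/usr/bin/env bash
# Added example: compare SELinux types under the WordPress tree with the
# types this tutorial intends. Function names are illustrative.

# Intended type for a path. Only uploads should be writable by httpd;
# httpd_sys_content_t as the /var/www default is an assumption (targeted policy).
expected_type() {
  case "$1" in
    /var/www/html/wordpress/wp-content/uploads|/var/www/html/wordpress/wp-content/uploads/*)
      echo httpd_sys_rw_content_t ;;
    /var/www/html/wordpress|/var/www/html/wordpress/*)
      echo httpd_sys_content_t ;;
    *) echo unknown ;;
  esac
}

# The type is the third field of user:role:type:level.
context_type() {
  printf '%s\n' "$1" | cut -d: -f3
}

# Reads "context path" lines (the output of: stat -c '%C %n' PATH...) on stdin
# and prints one MISMATCH line per path whose type is not the intended one.
audit_contexts() {
  while read -r ctx path; do
    [ -n "$path" ] || continue
    want=$(expected_type "$path")
    got=$(context_type "$ctx")
    [ "$got" = "$want" ] || echo "MISMATCH $path: have $got, want $want"
  done
}

# Constructed sample: models a wp-config.php that kept the temporary type it
# inherited from its directory when the wizard created it.
SAMPLE='unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/wordpress
unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/html/wordpress/index.php
system_u:object_r:httpd_sys_rw_content_t:s0 /var/www/html/wordpress/wp-config.php
unconfined_u:object_r:httpd_sys_rw_content_t:s0 /var/www/html/wordpress/wp-content/uploads'

# On a live host, replace the sample with:
#   find /var/www/html/wordpress -exec stat -c '%C %n' {} + | audit_contexts
printf '%s\n' "$SAMPLE" | audit_contexts
```

A non-recursive restorecon on the directory does not relabel files that were created inside it, so running sudo restorecon -v on any reported file resets its label.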