SELinux blocks WordPress in CentOS 6.3
I installed WordPress 3.5 on CentOS 6.3 using the command:
yum install wordpress
and started httpd. Now I can see the following error in the Apache log:
PHP Fatal error: require_once(): Failed opening required '/usr/share/wordpress/wp-includes/class-simplepie.php' (include_path='.:/usr/share/pear:/usr/share/php') in /usr/share/wordpress/wp-includes/class-feed.php on line 4, referer: http://www.mycompany.com/wp-admin/
I guess that's because of SELinux:
ls -Z /usr/share/wordpress/wp-includes/class-simplepie.php
lrwxrwxrwx. root root system_u:object_r:usr_t:s0 class-simplepie.php -> /usr/share/php/php-simplepie
ls -Z /usr/share/php/php-simplepie
-rw-r--r--. root root unconfined_u:object_r:user_home_t:s0 autoloader.php
drwxr-xr-x. root root unconfined_u:object_r:user_home_t:s0 SimplePie
-rw-r--r--. root root unconfined_u:object_r:user_home_t:s0 SimplePie.php
I wonder if there is a way to let it work without disabling SELinux?
Solution 1:
It looks like your files have the wrong SELinux security contexts. When I install the php-simplepie package (it appears to come from EPEL) and inspect those files, they all have the usr_t type, rather than user_home_t.
Try fixing the security labels:
restorecon -r -v /usr/share/php/php-simplepie
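A way to script the label check described in this answer, as an added example that is not part of the original answer. It parses `ls -Z` output in the CentOS 6 column layout shown in the question and reports entries whose SELinux type is not the expected one; the function names find_mislabeled and sample_listing are hypothetical, and the sample input is the listing quoted in the question.

```shell
#!/bin/sh
# Added example: audit `ls -Z` output for unexpected SELinux types.
# Assumes the CentOS 6 column layout: mode, owner, group, context, name.

# Constructed sample input: the listings quoted in the question.
sample_listing() {
    cat <<'EOF'
lrwxrwxrwx. root root system_u:object_r:usr_t:s0 class-simplepie.php -> /usr/share/php/php-simplepie
-rw-r--r--. root root unconfined_u:object_r:user_home_t:s0 autoloader.php
drwxr-xr-x. root root unconfined_u:object_r:user_home_t:s0 SimplePie
-rw-r--r--. root root unconfined_u:object_r:user_home_t:s0 SimplePie.php
EOF
}

# find_mislabeled EXPECTED_TYPE  (hypothetical helper; reads `ls -Z` on stdin)
# Prints "<type> <name>" for every entry whose type differs from EXPECTED_TYPE
# and returns 1 if any were found, 0 if all labels match.
find_mislabeled() {
    awk -v want="$1" '
        # Field 4 is the context user:role:type:level; skip lines without one.
        NF >= 5 && split($4, ctx, ":") >= 3 {
            if (ctx[3] != want) {
                name = $5                      # rebuild names containing spaces
                for (i = 6; i <= NF; i++) name = name " " $i
                print ctx[3], name
                bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Demo: files under /usr/share are expected to carry usr_t.
if ! sample_listing | find_mislabeled usr_t; then
    echo "mislabeled entries found; restorecon -r -v on the directory relabels them"
fi
```

On a live system the same function can read `ls -Z /usr/share/php/php-simplepie` directly, before and after running restorecon.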
Solution 2:
If you want to verify it is SELinux, turn SELinux off with setenforce 0 or check the audit.log. I think it is in /var/log/audit/audit/log but I'm not 100% sure. Once you know for sure it is SELinux you can turn SELinux back on.
If it is SELinux then the thing to do is use semanage to set the SELinux policy for all of the dirs where your PHP content is to httpd_sys_rw_content_t:
semanage fcontext -a -t httpd_sys_rw_content_t "</path/to/php/dir>(/.*)?"
Then apply that policy using restorecon to the dir(s) and their children files/dirs:
restorecon -R </path/to/php/dir>
If semanage/restorecon are not installed, install the policycoreutils-python package.
BTW if you want to view the default file contexts in the policy you can do that with:
semanage fcontext -l
However, it may not be SELinux. I believe that out of the box Apache on most Red Hat distros won't follow symlinks (although I thought you got an error that said something about not following symlinks when that was the case), so you may need to add:
Options FollowSymLinks
to the Apache config and restart Apache.
Of course it might be both SELinux and not following symlinks.