SELinux blocks WordPress in CentOS 6.3

I installed WordPress 3.5 on CentOS 6.3 using the command:

yum install wordpress

and started httpd. Now I can see the following error in the Apache log:

PHP Fatal error: require_once(): Failed opening required '/usr/share/wordpress/wp-includes/class-simplepie.php' (include_path='.:/usr/share/pear:/usr/share/php') in /usr/share/wordpress/wp-includes/class-feed.php on line 4, referer: http://www.mycompany.com/wp-admin/

I guess that's because of SELinux:

ls -Z /usr/share/wordpress/wp-includes/class-simplepie.php 
lrwxrwxrwx. root root system_u:object_r:usr_t:s0 class-simplepie.php -> /usr/share/php/php-simplepie

ls -Z /usr/share/php/php-simplepie
-rw-r--r--. root root unconfined_u:object_r:user_home_t:s0 autoloader.php
drwxr-xr-x. root root unconfined_u:object_r:user_home_t:s0 SimplePie
-rw-r--r--. root root unconfined_u:object_r:user_home_t:s0 SimplePie.php

I wonder if there is a way to let it work without disabling SELinux?


Solution 1:

It looks like your files have the wrong SELinux security contexts. When I install the php-simplepie package (it appears to come from EPEL) and inspect those files, they all have the usr_t type, rather than user_home_t.

Try fixing the security labels:

restorecon -r -v /usr/share/php/php-simplepie

Solution 2:

If you want to verify it is SELinux, turn SELinux off with setenforce 0 or check the audit.log. I think it is in /var/log/audit/audit/log but I'm not 100% sure. Once you know for sure it is SELinux, you can turn SELinux back on.

If it is SELinux, then the thing to do is use semanage to set the SELinux policy so that all of the dirs where your PHP content is are set to httpd_sys_rw_content_t:

semanage fcontext -a -t httpd_sys_rw_content_t "</path/to/php/dir>(/.*)?"

Then apply that policy using restorecon to the dir(s) and their children files/dirs:

restorecon -R </path/to/php/dir>

If semanage/restorecon are not installed, install the policycoreutils-python package.

BTW if you want to view the default file contexts in the policy you can do that with:

semanage fcontext -l

However, it may not be SELinux. I believe that out of the box Apache on most Red Hat distros won't follow symlinks (although I thought you got an error that said something about not following symlinks when that was the case), so you may need to add:

Options FollowSymLinks

to the Apache config and restart Apache.

Of course, it might be both SELinux and not following symlinks.
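
The audit log check mentioned in Solution 2 can confirm an SELinux denial without switching to permissive mode. The script below is an added example, not part of either answer: it summarizes AVC denials for one process name by target type, object class, permission and object. The helper names avc_denials and sample_log are hypothetical, and the log lines are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: summarize SELinux AVC denials for one process name.
# avc_denials and sample_log are hypothetical helper names.

# Constructed audit.log excerpt (not taken from the original post).
sample_log() {
cat <<'EOF'
type=AVC msg=audit(1357000001.101:201): avc:  denied  { read } for  pid=2101 comm="httpd" name="SimplePie.php" dev=dm-0 ino=131 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1357000001.101:201): arch=c000003e syscall=2 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1357000002.202:202): avc:  denied  { read } for  pid=2102 comm="httpd" name="SimplePie.php" dev=dm-0 ino=131 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1357000003.303:203): avc:  denied  { getattr } for  pid=2101 comm="httpd" path="/usr/share/php/php-simplepie/autoloader.php" dev=dm-0 ino=130 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1357000004.404:204): avc:  denied  { search } for  pid=2101 comm="httpd" name="SimplePie" dev=dm-0 ino=132 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1357000005.505:205): avc:  denied  { read } for  pid=900 comm="ntpd" name="drift" dev=dm-0 ino=77 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
EOF
}

# Read audit log text on stdin; print "count target_type class perms object"
# for denials whose comm= matches $1 (default: httpd), most frequent first.
avc_denials() {
    local comm="${1:-httpd}"
    awk -v want="$comm" '
        # Only AVC records that were denied; SYSCALL and other types are skipped.
        $1 == "type=AVC" && /avc: +denied/ {
            c = ""; obj = ""; ttype = ""; tclass = ""
            # The permission set sits between "{ " and " }".
            s = index($0, "{ "); e = index($0, " }")
            perms = substr($0, s + 2, e - s - 2)
            gsub(/ /, ",", perms)
            for (i = 1; i <= NF; i++) {
                v = $i; sub(/^[a-z]+=/, "", v); gsub(/"/, "", v)
                if ($i ~ /^comm=/)          c = v
                if ($i ~ /^(name|path)=/)   obj = v
                if ($i ~ /^tclass=/)        tclass = v
                # user:role:type:level, so the type is the third part.
                if ($i ~ /^tcontext=/)    { split(v, t, ":"); ttype = t[3] }
            }
            if (c == want) count[ttype " " tclass " " perms " " obj]++
        }
        END { for (k in count) print count[k], k }
    ' | LC_ALL=C sort -k1,1nr -k2
}

# Stand-alone run on the constructed sample.
sample_log | avc_denials httpd
```

On a real host, feed it the audit log as root, for example `avc_denials httpd < /var/log/audit/audit.log`. Denials whose target type is user_home_t on files under /usr/share point to the mislabeling shown in the question, which restorecon corrects.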