Score:0

Allow WordPress upgrades with SELinux in EL8 with nginx/php-fpm


I'm trying to allow the use of WordPress upgrades (not plugin updates) directly on the web interface.

I already have SELinux working for everything except this feature. When trying to nail down what should be allowed, I'm unable to find exactly what needs to be changed instead of relabeling the entire /path/to/wordpress/directory to unconfined_u:object_r:httpd_sys_rw_content_t:s0

Here's what's happening when I try to upgrade via the web interface:

==> /var/log/nginx/kosen.energy.access.log <==
172.21.1.28 - - [22/Jul/2021:14:21:27 -0300] "POST /wp-cron.php?doing_wp_cron=1626974487.4410700798034667968750 HTTP/1.0" 200 0 "https://kosen.energy/wp-cron.php?doing_wp_cron=1626974487.4410700798034667968750" "WordPress/5.7.2; https://kosen.energy"
172.21.1.28 - - [22/Jul/2021:14:21:29 -0300] "GET /wp-admin/update-core.php HTTP/1.0" 200 155053 "https://kosen.energy/wp-admin/update-core.php?action=do-core-upgrade" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.1 Safari/605.1.15"

==> /var/log/audit/audit.log <==
type=AVC msg=audit(1626974498.501:10696): avc:  denied  { write } for  pid=9658 comm="php-fpm" name="update-core.php" dev="dm-0" ino=101266980 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=0

==> /var/log/nginx/error.log <==
2021/07/22 14:21:38 [error] 9646#0: *38349 FastCGI sent in stderr: "PHP message: PHP Warning:  copy(/var/www/html/kosen.energy/wp-admin/includes/update-core.php): failed to open stream: Permission denied in /var/www/html/kosen.energy/wp-admin/includes/class-wp-filesystem-direct.php on line 309" while reading upstream, client: 172.21.1.28, server: _, request: "POST /wp-admin/update-core.php?action=do-core-upgrade HTTP/1.0", upstream: "fastcgi://unix:/run/php-fpm/www.sock:", host: "kosen.energy", referrer: "https://kosen.energy/wp-admin/update-core.php"

==> /var/log/nginx/kosen.energy.access.log <==
172.21.1.28 - - [22/Jul/2021:14:21:38 -0300] "POST /wp-admin/update-core.php?action=do-core-upgrade HTTP/1.0" 200 150059 "https://kosen.energy/wp-admin/update-core.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.1 Safari/605.1.15"

On wp-config.conf I already have FS_METHOD as direct:

/** Enable proper support for updates without FTP/FTPS. */
define('FS_METHOD', 'direct');

php-fpm is already running as the nginx user:

[root@kosen kosen.energy]# grep user /etc/php-fpm.d/www.conf | grep -v \;
user = nginx
listen.acl_users = apache,nginx

Additional info:

[root@kosen kosen.energy]# rpm -qa | egrep "php-fpm|nginx"
nginx-mod-http-xslt-filter-1.14.1-9.0.1.module+el8.0.0+5347+9282027e.x86_64
nginx-mod-http-image-filter-1.14.1-9.0.1.module+el8.0.0+5347+9282027e.x86_64
nginx-mod-http-perl-1.14.1-9.0.1.module+el8.0.0+5347+9282027e.x86_64
nginx-mod-mail-1.14.1-9.0.1.module+el8.0.0+5347+9282027e.x86_64
nginx-1.14.1-9.0.1.module+el8.0.0+5347+9282027e.x86_64
nginx-all-modules-1.14.1-9.0.1.module+el8.0.0+5347+9282027e.noarch
nginx-filesystem-1.14.1-9.0.1.module+el8.0.0+5347+9282027e.noarch
nginx-mod-stream-1.14.1-9.0.1.module+el8.0.0+5347+9282027e.x86_64
php-fpm-7.4.6-4.module+el8.3.0+7685+72d70b58.x86_64

Thanks.

Score:1

All of the WordPress files would have to be writable in order to use the upgrade function from the admin web page. I do not do this; I use the wp command to upgrade WordPress directly on the server.

wp core update
wp core update-db
vn flag
I have to add wp-cli to use this functionality, right? Do you have any solution when you administer the server but a common user (non-sysadmin) is the one who maintains the WordPress page? Thanks!
Michael Hampton
Yes, this is wp-cli. The user can run it themselves when the files are owned by them (as they probably should be).
vn flag
I'm marking this as the right answer because that's a good idea for the problem. Regarding the user permission, as of today we have it running under nginx:nginx; you're saying that I should create a user and then chown all the files to user:nginx? But again, I'll have to educate the user, since ssh is not a thing that they know.
Michael Hampton
Right, nginx does not need full permissions to the files, it just needs to be able to read them. php-fpm must be able to write to the uploads directory. All the rest can be owned by the user.
vn flag
I'll do it that way, thank you Michael!
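
An added example, not part of the original thread or written by its participants: a shell check for the layout discussed above, listing anything under the WordPress root that the php-fpm account can write other than wp-content/uploads. The function names, the sample tree and the usage path are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the original thread): list paths under a WordPress
# root that the php-fpm account can write, other than wp-content/uploads.

# $1 = site root, $2 = php-fpm user, $3 = php-fpm group (names or numeric ids).
wp_writable_outside_uploads() {
    local root="$1" web_user="$2" web_group="$3"
    # Prune uploads (meant to be writable); elsewhere flag the owner-, group-
    # or world-write bit that applies to the php-fpm account. Skip symlinks.
    find "$root" -path "$root/wp-content/uploads" -prune -o \
        \( \( -user "$web_user" -perm -0200 \) \
           -o \( -group "$web_group" -perm -0020 \) \
           -o -perm -0002 \) ! -type l -print
}

# Returns 0 when only uploads is writable, 1 on findings (listed on stderr),
# 2 when find itself failed (for example an unknown user name).
wp_audit() {
    local hits
    hits=$(wp_writable_outside_uploads "$1" "$2" "$3") || return 2
    [ -z "$hits" ] && return 0
    printf 'writable by %s:%s outside uploads:\n%s\n' "$2" "$3" "$hits" >&2
    return 1
}

# Constructed sample tree so the check can be tried without a real site:
# code is read-only, uploads is writable by its owner.
make_sample_site() {
    local root
    root=$(mktemp -d)
    mkdir -p "$root/wp-admin/includes" "$root/wp-content/uploads/2021"
    echo '<?php' > "$root/wp-admin/includes/update-core.php"
    echo 'img'   > "$root/wp-content/uploads/2021/logo.png"
    chmod -R a-w "$root"
    chmod -R u+w "$root/wp-content/uploads"
    echo "$root"
}

# Usage (hypothetical path): ./wp-audit.sh /var/www/html/example.site nginx nginx
if [ "$#" -eq 3 ]; then wp_audit "$@"; fi
```

On an SELinux host the matching label change is to give only wp-content/uploads the httpd_sys_rw_content_t type and leave the rest of the tree as httpd_sys_content_t.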