Nginx
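Allow WordPress upgrades under SELinux on EL8 with nginx/php-fpm
I am trying to allow WordPress upgrades (not plugin updates) directly from the web interface.
Apart from this feature, I already have SELinux working. When trying to determine what should be allowed, I cannot find exactly what needs to change, other than relabeling the whole /path/to/wordpress/directory as unconfined_u:object_r:httpd_sys_rw_content_t:s0
Here is what happens when I try to upgrade through the web interface: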
==> /var/log/nginx/kosen.energy.access.log <==
172.21.1.28 - - [22/Jul/2021:14:21:27 -0300] "POST /wp-cron.php?doing_wp_cron=1626974487.4410700798034667968750 HTTP/1.0" 200 0 "https://kosen.energy/wp-cron.php?doing_wp_cron=1626974487.4410700798034667968750" "WordPress/5.7.2; https://kosen.energy"
172.21.1.28 - - [22/Jul/2021:14:21:29 -0300] "GET /wp-admin/update-core.php HTTP/1.0" 200 155053 "https://kosen.energy/wp-admin/update-core.php?action=do-core-upgrade" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.1 Safari/605.1.15"

==> /var/log/audit/audit.log <==
type=AVC msg=audit(1626974498.501:10696): avc: denied { write } for pid=9658 comm="php-fpm" name="update-core.php" dev="dm-0" ino=101266980 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=0

==> /var/log/nginx/error.log <==
2021/07/22 14:21:38 [error] 9646#0: *38349 FastCGI sent in stderr: "PHP message: PHP Warning: copy(/var/www/html/kosen.energy/wp-admin/includes/update-core.php): failed to open stream: Permission denied in /var/www/html/kosen.energy/wp-admin/includes/class-wp-filesystem-direct.php on line 309" while reading upstream, client: 172.21.1.28, server: _, request: "POST /wp-admin/update-core.php?action=do-core-upgrade HTTP/1.0", upstream: "fastcgi://unix:/run/php-fpm/www.sock:", host: "kosen.energy", referrer: "https://kosen.energy/wp-admin/update-core.php"

==> /var/log/nginx/kosen.energy.access.log <==
172.21.1.28 - - [22/Jul/2021:14:21:38 -0300] "POST /wp-admin/update-core.php?action=do-core-upgrade HTTP/1.0" 200 150059 "https://kosen.energy/wp-admin/update-core.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.1.1 Safari/605.1.15"
In my wp-config.conf I already have FS_METHOD set to direct:
/** Enable proper support for updates without FTP/FTPS. */
define('FS_METHOD', 'direct');
php-fpm already runs as the nginx user:
[root@kosen kosen.energy]# grep user /etc/php-fpm.d/www.conf | grep -v \;
user = nginx
listen.acl_users = apache,nginx
Additional information:
[root@kosen kosen.energy]# rpm -qa | egrep "php-fpm|nginx"
nginx-mod-http-xslt-filter-1.14.1-9.0.1.module+el8.0.0+5347+9282027e.x86_64
nginx-mod-http-image-filter-1.14.1-9.0.1.module+el8.0.0+5347+9282027e.x86_64
nginx-mod-http-perl-1.14.1-9.0.1.module+el8.0.0+5347+9282027e.x86_64
nginx-mod-mail-1.14.1-9.0.1.module+el8.0.0+5347+9282027e.x86_64
nginx-1.14.1-9.0.1.module+el8.0.0+5347+9282027e.x86_64
nginx-all-modules-1.14.1-9.0.1.module+el8.0.0+5347+9282027e.noarch
nginx-filesystem-1.14.1-9.0.1.module+el8.0.0+5347+9282027e.noarch
nginx-mod-stream-1.14.1-9.0.1.module+el8.0.0+5347+9282027e.x86_64
php-fpm-7.4.6-4.module+el8.3.0+7685+72d70b58.x86_64
Thanks.
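All WordPress files must be writable in order to use the upgrade feature of the admin web page. I don't do that; I use the wp command to upgrade WordPress directly on the server.
wp core update
wp core update-db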
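As an added example (not part of the original question or answer), the Python code below parses AVC denial records like the one in the question's audit.log excerpt and groups them by source type, target type, object class and permission, so the exact labels involved in a failed upgrade are visible before any relabeling decision. The second record, the function names and the constant names are constructed for illustration.

```python
import re
from collections import defaultdict

# AVC record copied from the question's audit.log excerpt.
PAGE_AVC = (
    'type=AVC msg=audit(1626974498.501:10696): avc: denied { write } for pid=9658 '
    'comm="php-fpm" name="update-core.php" dev="dm-0" ino=101266980 '
    'scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=0'
)
# Constructed record (not from the page): a directory denial with two permissions.
CONSTRUCTED_AVC = (
    'type=AVC msg=audit(0.000:1): avc: denied { write add_name } for pid=1 '
    'comm="php-fpm" name="wp-includes" scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir permissive=0'
)

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    rec['perms'] = m.group('perms').split()
    # An SELinux context is user:role:type:level; the type is the third field.
    for key in ('scontext', 'tcontext'):
        parts = rec.get(key, '').split(':')
        rec[key[0] + 'type'] = parts[2] if len(parts) >= 3 else None
    return rec

def summarize(lines):
    """Map (source type, target type, class, permission) -> set of object names."""
    out = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue  # skip non-AVC lines such as nginx access or error entries
        for perm in rec['perms']:
            key = (rec['stype'], rec['ttype'], rec.get('tclass'), perm)
            out[key].add(rec.get('name', '?'))
    return dict(out)

if __name__ == '__main__':
    for (stype, ttype, tclass, perm), names in summarize([PAGE_AVC, CONSTRUCTED_AVC]).items():
        print(f'{stype} denied {perm} on {tclass} labelled {ttype}: {sorted(names)}')
```

For the record from the page, this reports httpd_t denied write on a file labelled httpd_sys_content_t, the type the question contrasts with httpd_sys_rw_content_t.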