The mindless ramblings of a bow shooting network engineer.
WordPress, BackWPUP and SELINUX

I’ve been using the BackWPup plugin to back up my WordPress sites after a recent mishap. It seems to be one of the best free plugins that will take a full backup of a WordPress site. It not only backs up the backend database but also the entire file system.

One of the best things about this plugin, in my opinion, is the number of options you get for what to do with this backup file. My personal favourite is the backup to Dropbox option. Another useful one is the backup to an FTP server, and this is the one that causes the most problems.

If, like me, you’re paranoid about security, you probably have SELinux on your server, running in enforcing mode. Now, I’m not a big fan of SELinux, and that’s mainly because I don’t fully understand how it works. On the other hand, I’m not a big fan of just disabling it or setting it to permissive either, being the paranoid server operator I am.

If you have SELinux enabled and try to set BackWPup to back up to FTP, you’ll find that you get repeated errors in the backup log file stating that it can’t connect to the FTP server. Don’t waste your time looking at the FTP server configuration or any firewall rules that may be protecting the FTP server.

Here’s how to fix the problem:

Check the SELinux settings for Apache:

/usr/sbin/getsebool -a | grep httpd

It should return a list that looks something like this:

allow_httpd_anon_write --> off
allow_httpd_mod_auth_ntlm_winbind --> off
allow_httpd_mod_auth_pam --> off
allow_httpd_sys_script_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_check_spam --> off
httpd_can_network_connect --> off
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> off
httpd_can_network_memcache --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> on
httpd_dbus_avahi --> on
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> on
httpd_execmem --> off
httpd_manage_ipa --> off
httpd_read_user_content --> off
httpd_run_stickshift --> off
httpd_serve_cobbler_files --> off
httpd_setrlimit --> off
httpd_ssi_exec --> off
httpd_tmp_exec --> off
httpd_tty_comm --> on
httpd_unified --> on
httpd_use_cifs --> off
httpd_use_fusefs --> off
httpd_use_gpg --> off
httpd_use_nfs --> off
httpd_use_openstack --> off
httpd_verify_dns --> off

The one we’re interested in is this one:

httpd_can_network_connect --> off

This needs to be turned on. To do this, execute the following command:

setsebool -P httpd_can_network_connect on

This should now allow BackWPup to connect to the FTP server and back up your site successfully.

Sometimes this setting change requires a server reboot. I’ve had mixed results: sometimes you need to reboot and sometimes you don’t. If it doesn’t work immediately, give your box a reboot.
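
To confirm that SELinux, rather than the FTP server or a firewall, is what refused the connection, you can look for the matching denial in the audit log before changing the boolean. The following is an added example, not part of the original post: the function names are made up for illustration, the log lines are constructed samples, and /var/log/audit/audit.log is assumed to be where auditd writes on your system.

```shell
# Added example: summarise SELinux AVC denials where an httpd_t process was
# refused an outbound TCP connect (the denial httpd_can_network_connect lifts).
httpd_connect_denials() {
    awk '
        /avc: +denied/ && /name_connect/ && /scontext=[^ ]*:httpd_t:/ {
            port = "?"; ttype = "?"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^dest=/) port = substr($i, 6)
                if ($i ~ /^tcontext=/) { split(substr($i, 10), c, ":"); ttype = c[3] }
            }
            seen[port " " ttype]++      # key: "<dest port> <target type>"
        }
        END { for (k in seen) print seen[k], k }
    ' | sort -k2,2n
}

# Constructed sample lines (not taken from a real server).
sample_audit_log() {
    cat <<'EOF'
type=AVC msg=audit(1700000000.101:501): avc:  denied  { name_connect } for  pid=2101 comm="httpd" dest=21 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ftp_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1700000060.102:502): avc:  denied  { name_connect } for  pid=2102 comm="httpd" dest=21 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ftp_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1700000120.103:503): avc:  denied  { name_connect } for  pid=2103 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1700000180.104:504): avc:  denied  { name_connect } for  pid=3001 comm="smtp" dest=21 scontext=system_u:system_r:postfix_smtp_t:s0 tcontext=system_u:object_r:ftp_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1700000300.105:505): avc:  denied  { write } for  pid=2101 comm="httpd" name="uploads" dev=dm-0 ino=131 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
EOF
}

# Prints "<count> <dest port> <target type>" per destination, lowest port first.
# On a real host, as root: httpd_connect_denials < /var/log/audit/audit.log
sample_audit_log | httpd_connect_denials
```

A line for port 21 with target type ftp_port_t is the denial behind the BackWPup FTP error; any other ports listed show what else the web server has been trying to reach, which is worth knowing because httpd_can_network_connect permits all of them.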

I hope this will save a few people some time that I won’t be getting back.

Enjoy!
