Close [x]

SELinux and iptables

Edit this page on GitHub

SELinux

Security Enhanced Linux (SELinux) enables CentOS and Ubuntu administrators greater access control over their servers. If you鈥檙e using SELinux and Apache must initiate a connection to another host, you must run the commands discussed in this section.

Magento has no recommendation about using SELinux; you can use it for enhanced security if you wish. If you use SELinux, you must configure it properly or the Magento application will function unpredictably. If you choose to use SELinux, consult a resource like the CentOS wiki to set up rules to enable communication.

Suggestion for installing the Magento software with Apache

If you choose to enable SELinux, you might have issues running the installer unless you change the security context of some directories as follows:

chcon -R --type httpd_sys_rw_content_t <your Magento install dir>/app/etc
chcon -R --type httpd_sys_rw_content_t <your Magento install dir>/var
chcon -R --type httpd_sys_rw_content_t <your Magento install dir>/pub/media
chcon -R --type httpd_sys_rw_content_t <your Magento install dir>/pub/static

The preceding commands work only with the Apache web server. Because of the variety of configurations and security requirements, we don鈥檛 guarantee these commands work in all situations. For more information, see:

Enable inter-server communication

If Apache and the database server are on the same host, you can skip this section and continue with Opening Ports In Your Firewall.

To enable Apache to initiate a connection to another host with SELinux enabled:

  1. To determine if SELinux is enabled, use the following command:

    getenforce
    

    Enforcing displays to confirm that SELinux is running.

  2. Enter one of the following commands:

    CentOS: setsebool -P httpd_can_network_connect=1

    Ubuntu: setsebool -P apache2_can_network_connect=1

Opening Ports In Your Firewall

Depending on your security requirements, you might find it necessary to open port 80 and other ports in your firewall. Because of the sensitive nature of networking security, Magento strongly recommends you consult with your IT department before proceeding. Following are some suggested references: