Last updated July 21, 2016. Created on August 24, 2009.
Edited by izus,, craig.norris, Screenack. Log in to edit this page.

To install on a Fedora-based distro (RHEL, CentOS, etc.) there are two main options:

  • Install from the repository through a yum install drupal command. (In Fedora 23, it is dnf install drupal7)
  • Install it yourself.

The installation instructions will vary a bit depending on your choice, as will the version you wind up with in some cases.

To be compliant with FHS guidelines on architecture independent system components ( vs transient data placement ( and to enforce Fedora-ish system segregation Fedora and its derivatives place the code part of systems like Drupal and WikiMedia in /usr/share and the data elements (like files/ and images/) in /var/www. These parts are bound together through a series of symlinks, as the original development concept behind Drupal and other such systems did not take the FHS into account (there is a pretty big generation/culture gap between core Unix developers and web developers -- and embedding code to this extent inside of what used to be public data files (.html files becoming .php files and totally bypassing cgi-bin) was never thought of when the FHS was originally conceived). This can be confusing for newcomers.

In either case, the placement of the Drupal code (all those .php files) in the filesystem is irrelevant to the function of SELinux. Apache's daemon, httpd, has a context group within the Fedora SELinux policy structure. Any files or directories that Apache needs to interact with must be placed in an httpd_* type context. Yum will handle this for you if you do a yum install drupal install and the stickiness of the /var/www filesystem hierarchy will do it for you if you unpack it directly into a sub-directory there. However, installation cases outside of this where SELinux is set to enforce but the default SELinux policies are either grossly underdeveloped (Ubuntu, for example) or nonexistant (Slackware / LFS + SELinux -- yes, some people do this) will have to make the change on their own:

chcon -R -t httpd_sys_content_t /path/to/drupal/files

The other area where SELinux can trip one up is basic policy permissions for allowing Apache to do things like send email (to prevent compromised systems from becoming proxy spam-generators -- a problem far more common than most Ubuntu new administrators seem to be aware), make calls across network sockets to database servers (a wonderful way to bypass password protections and steal user data from a site), or directly alter files on behalf of scripts (an entry to the first two). To enable this small list of abilities but keep your system otherwise locked down with an SELinux policy set to "enforce" run the following three commands:

# setsebool -P httpd_can_network_connect_db=1
# setsebool -P httpd_can_sendmail=1
# setsebool -P httpd_unified=1

Unfortunately, in an excited rush to get things up quickly most people who opt for the increased security that SELinux provides by choosing a Fedora-based distro usually toss all their gains at the first sign of SELinux conflicts by turning SELinux off instead of digging further (because learning 4 more file security attributes is hard -- and admittedly, SELinux is rarely explained so simply in currently available resources).

Outside of granting Apache permission to do things Drupal needs to work correctly (those three setsebool commands) and then telling SELinux where these permissions should apply (the chcon command above), the installation process is no different from any other system. It is useful to remember if you run into an FHS-compliant installation where /var/www/html/drupalxx is largely empty but for a few symlinks and data folders (like config/) that all of the code is over in /usr/share and conceptually nothing has really changed.

Also, if you use LDAP, you may be interested:
# setsebool httpd_can_connect_ldap on

tl;dr reference:

Looking for support? Visit the forums, or join #drupal-support in IRC.


zxq9’s picture

[Update: Now I have the "edit" button so I went ahead and edited the page directly.]
If anything in my blurb above is incorrect please contact me (and of course correct the page!). There is always more to learn about SELinux and always better ways to do nearly anything. If anyone wants to engage in a bike shed argument over FHS and Fedora's placement of architecture independent code modules, however, save your keyboard the wear and remember isn't the place for that sort of thing.

gittosj’s picture

Using Centos 5.6 and SE linux I had to add some permissions to allow files / directories to be written to /sites/default/files as follows.

chcon -R -t httpd_sys_script_rw_t:s0 [drupal_path]/sites/default/files/

where [drupal_path] is wherever you have your base drupal install and then set the appropriate boolean to allow php to write files:

setsebool -P httpd_builtin_scripting 1

"Chcon" will only last to the next reboot / relabel (I think!) so I added the change in permission to the default policy as follows:

semanage fcontext -a -t httpd_sys_script_rw_t "/var/www/html/sites/default/files(/.*)?"

You can check the permissions you've set by doing

ls -lZ [drupal-path]
ls -lZ [drupal-path]/sites/default/files

I went one further by relabelling the directories to check everything would be OK after a reboot / power outage (which is probably paranoid since I think the /var/www/html directory don't get relabelled - something to do with customizable types(?) but did this anyway:

restorecon -RFv /var/www/html/

and all looked fine afterwards & functioning....

This seemed to work for me - all now running OK but tread carefully and read up lots - you can hose your system and I'll refuse to take the blame! its worth reading some of the selinux docs to get an understaning of how the whole thing works, before leaping in....

Quick edit / addition: using the boost module, I had to make the same changes to the cache directory so:

chcon -R -t httpd_sys_script_rw_t [drupal_path]/cache


semanage fcontext -a -t httpd_sys_script_rw_t "[drupal_path]cache(/.*)?"