Knowledge Base

SELinux is preventing php-fpm from using the block_suspend capability

 
installation upgradephpphp fpmplesk for linuxpython

Symptoms

  • The following error is found in /var/log/messages:

    setroubleshoot: SELinux is preventing php-fpm from using the block_suspend capability. For complete SELinux messages run: sealert -l 0818edec-e276-414a-aa2b-29264e537dd5
     python: SELinux is preventing php-fpm from using the block_suspend capability.#012#012***** Plugin catchall (100. confidence) suggests **************************#012#012If you believe that php-fpm should have the block_suspend capability by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'php-fpm' --raw | audit2allow -M my-phpfpm#012# semodule -i my-phpfpm.pp#012

  • /var/log/audit/audit.log contains the following errors:

    type=AVC msg=audit(1507135047.192:8111): avc: denied
     { block_suspend } for pid=1125 comm="php-fpm" capability=36 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability2 
     type=AVC msg=audit(1507135065.209:8112): avc: denied { block_suspend } 
     for pid=1125 comm="php-fpm" capability=36 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability2 
     type=AVC msg=audit(1507135065.209:8113): avc: denied 
     { block_suspend } 
     for pid=1125 comm="php-fpm" capability=36 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capabilit

  • SELinux context on /usr/sbin/php-fpm file is:

    # ls -Z /usr/sbin/php-fpm
    system_u:object_r:httpd_exec_t:s0 /usr/sbin/php-fpm

Cause

New SELinux system policy was installed, bringing new contexts for system php-fpm (PHP by OS vendor).
“block_suspend” is the ability to prevent system suspends (see Object Classes and Permissions ). Such messages cannot negatively impact a server that is up constantly anyway.

Resolution

  1. Connect to the server via SSH .

  2. Make sure that tools required to built modules are installed:

    # yum install checkpolicy policycoreutils policycoreutils-python -y

  3. Create php-fpm-allow-block-suspend.te file with the following content:

    #================================
     
     module php-fpm-allow-block-suspend 1.0.0; 
     
     require { 
     type httpd_t; 
     class capability2 block_suspend; 
     } 
     
     #============= httpd_t ============== 
     
     allow httpd_t self:capability2 block_suspend;

  4. Compile and install SELinux policy module:

    # checkmodule -M -m -o php-fpm-allow-block-suspend.mod php-fpm-allow-block-suspend.te
    # semodule_package -o php-fpm-allow-block-suspend.pp -m php-fpm-allow-block-suspend.mod
    # semodule -i php-fpm-allow-block-suspend.pp

Additional Information

PHP-FPM daemon set as an unconfined service in Plesk SELinux policies

Read the full article
Related Posts
Knowledge Base

Hosting Wiki

Industry
Partners

industry-partner_ALIBABA
industry-partner_GOOGLEPARTNER
industry-partner_MICROSOFT
industry-partner_REDHAT-r2
industry-partner_ALIBABA
industry-partner_AUTOMATTIC
industry-partner_AWS
industry-partner_DIGITALOCEAN
industry-partner_SCALEWAY

Follow us:

Facebook Twitter Linkedin Youtube Github

© 2023 Plesk International GmbH. All rights reserved. Plesk and the Plesk logo are trademarks of Plesk International GmbH.

Managed with love with Plesk WP Toolkit

Plesk uses LiveChat system (3rd party).

By proceeding below, I hereby agree to use LiveChat as an external third party technology. This may involve a transfer of my personal data (e.g. IP Address) to third parties in- or outside of Europe. For more information, please see our Privacy Policy.

Search
Generic filters
Exact matches only
Search in title
Search in content
Search in excerpt