Symptoms
- The following error is found in /var/log/messages:

setroubleshoot: SELinux is preventing php-fpm from using the block_suspend capability. For complete SELinux messages run: sealert -l 0818edec-e276-414a-aa2b-29264e537dd5
python: SELinux is preventing php-fpm from using the block_suspend capability.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that php-fpm should have the block_suspend capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'php-fpm' --raw | audit2allow -M my-phpfpm
# semodule -i my-phpfpm.pp

- /var/log/audit/audit.log contains the following errors:

type=AVC msg=audit(1507135047.192:8111): avc: denied { block_suspend } for pid=1125 comm="php-fpm" capability=36 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability2
type=AVC msg=audit(1507135065.209:8112): avc: denied { block_suspend } for pid=1125 comm="php-fpm" capability=36 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability2
type=AVC msg=audit(1507135065.209:8113): avc: denied { block_suspend } for pid=1125 comm="php-fpm" capability=36 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capabilit

- The SELinux context of the /usr/sbin/php-fpm file is:

# ls -Z /usr/sbin/php-fpm
system_u:object_r:httpd_exec_t:s0 /usr/sbin/php-fpm
Cause
A new SELinux system policy was installed, bringing new contexts for the system php-fpm (the PHP shipped by the OS vendor). php-fpm runs in the web-server domain httpd_t (its binary is labelled httpd_exec_t), and that domain is not allowed the block_suspend permission that php-fpm requests, so every attempt is denied and logged as an AVC record.
"block_suspend" is CAP_BLOCK_SUSPEND (capability=36 in the AVC records), the ability to keep the system from suspending (see Object Classes and Permissions). The kernel checks this capability when a process asks for a wakeup source, for example with the EPOLLWAKEUP flag of epoll_ctl(2); if the check fails, the request is silently ignored and the caller continues normally. The denials therefore cannot negatively impact a server that is up constantly and never suspends anyway; the resolution below only stops the log noise.
Resolution
- Connect to the server via SSH.

- Make sure that the tools required to build policy modules are installed:

# yum install checkpolicy policycoreutils policycoreutils-python -y

- Create a php-fpm-allow-block-suspend.te file with the following content:

#================================
module php-fpm-allow-block-suspend 1.0.0;

require {
    type httpd_t;
    class capability2 block_suspend;
}

#============= httpd_t ==============
allow httpd_t self:capability2 block_suspend;

Note that the rule is granted to the whole httpd_t domain, which Apache and the other web-server processes share with php-fpm, not to php-fpm alone. Since CAP_BLOCK_SUSPEND only lets a process hold off system suspend, this is an acceptable widening on a server. If the goal is merely to stop the denial from being logged, a dontaudit rule for the same class and permission silences the message without granting the capability at all.

- Compile and install the SELinux policy module:

# checkmodule -M -m -o php-fpm-allow-block-suspend.mod php-fpm-allow-block-suspend.te
# semodule_package -o php-fpm-allow-block-suspend.pp -m php-fpm-allow-block-suspend.mod
# semodule -i php-fpm-allow-block-suspend.pp

Afterwards, confirm that the module is loaded by listing the installed modules with semodule -l, and check that no new block_suspend denials appear in /var/log/audit/audit.log.
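The following script is an added example and not part of the original article or of Plesk's tooling. It automates the last two steps in a generic way: it parses a raw AVC record of the kind shown in the Symptoms section, derives the source type, target type, object class and permissions from it, and emits a policy module that either allows or merely dontaudits the access, then builds and loads it with the same checkmodule/semodule_package/semodule commands as above. The helper names (avc_field, avc_perms, ctx_type, gen_te, build_module), the --install flag and the second sample AVC line (a file access with two permissions) are this example's own constructions; the first sample line is the article's first audit.log record. It assumes the CentOS/RHEL 7 toolchain installed by the yum command in step 2.

```shell
#!/bin/bash
# Added example (not from the original article): derive an SELinux policy module
# from a raw AVC denial record, then build and load it with the article's toolchain.
set -eu

# Constructed sample 1: the first audit.log record from the article (one line).
SAMPLE_AVC='type=AVC msg=audit(1507135047.192:8111): avc: denied { block_suspend } for pid=1125 comm="php-fpm" capability=36 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability2'

# Constructed sample 2 (invented for this example): a denial with a different
# target type and two permissions, to show the general case.
SAMPLE_AVC_FILE='type=AVC msg=audit(1507135100.000:8200): avc: denied { read write } for pid=1125 comm="php-fpm" path="/tmp/example" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file'

# avc_field LINE KEY -> value of "KEY=value" in the AVC record
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# avc_perms LINE -> the permission list between the braces ("read write")
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied[[:space:]]*{[[:space:]]*\([^}]*[^[:space:]]\)[[:space:]]*}.*/\1/p'
}

# ctx_type CONTEXT -> the type component of user:role:type:level
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# gen_te MODULE AVC_LINE [allow|dontaudit] -> policy source (.te) on stdout.
# "dontaudit" only silences the denial; "allow" (default) grants the access.
gen_te() {
    module=$1; line=$2; verb=${3:-allow}
    src=$(ctx_type "$(avc_field "$line" scontext)")
    tgt=$(ctx_type "$(avc_field "$line" tcontext)")
    class=$(avc_field "$line" tclass)
    perms=$(avc_perms "$line")
    # Several permissions must be grouped in braces; a single one stands alone.
    case $perms in *" "*) perms="{ $perms }";; esac
    printf 'module %s 1.0.0;\n\nrequire {\n' "$module"
    printf '    type %s;\n' "$src"
    if [ "$src" = "$tgt" ]; then
        target=self            # same domain on both sides: SELinux's "self"
    else
        target=$tgt
        printf '    type %s;\n' "$tgt"
    fi
    printf '    class %s %s;\n}\n\n' "$class" "$perms"
    printf '#============= %s ==============\n' "$src"
    printf '%s %s %s:%s %s;\n' "$verb" "$src" "$target" "$class" "$perms"
}

# build_module MODULE -> compile MODULE.te, package it and load it (needs root).
build_module() {
    module=$1
    checkmodule -M -m -o "$module.mod" "$module.te"
    semodule_package -o "$module.pp" -m "$module.mod"
    semodule -i "$module.pp"
}

# Usage: ./make-module.sh --install   (writes and loads the article's module)
if [ "${1:-}" = "--install" ]; then
    name=php-fpm-allow-block-suspend
    gen_te "$name" "$SAMPLE_AVC" > "$name.te"
    build_module "$name"
    semodule -l | grep "^$name"    # confirm the module is now loaded
fi
```

Feeding a live denial instead of the constructed sample is a matter of replacing SAMPLE_AVC with a line from ausearch -c php-fpm --raw; passing dontaudit as the third argument of gen_te produces the quieter alternative module that leaves httpd_t without the capability.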
Additional Information
PHP-FPM daemon set as an unconfined service in Plesk SELinux policies