Knowledge Base

SELinux is preventing php-fpm from using the block_suspend capability

 
installation upgradephpphp fpmplesk for linuxpython

Symptoms

  • The following error is found in /var/log/messages:

    setroubleshoot: SELinux is preventing php-fpm from using the block_suspend capability. For complete SELinux messages run: sealert -l 0818edec-e276-414a-aa2b-29264e537dd5
     python: SELinux is preventing php-fpm from using the block_suspend capability.#012#012***** Plugin catchall (100. confidence) suggests **************************#012#012If you believe that php-fpm should have the block_suspend capability by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'php-fpm' --raw | audit2allow -M my-phpfpm#012# semodule -i my-phpfpm.pp#012

  • /var/log/audit/audit.log contains the following errors:

    type=AVC msg=audit(1507135047.192:8111): avc: denied
     { block_suspend } for pid=1125 comm="php-fpm" capability=36 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability2 
     type=AVC msg=audit(1507135065.209:8112): avc: denied { block_suspend } 
     for pid=1125 comm="php-fpm" capability=36 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability2 
     type=AVC msg=audit(1507135065.209:8113): avc: denied 
     { block_suspend } 
     for pid=1125 comm="php-fpm" capability=36 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capabilit

  • SELinux context on /usr/sbin/php-fpm file is:

    # ls -Z /usr/sbin/php-fpm
    system_u:object_r:httpd_exec_t:s0 /usr/sbin/php-fpm

Cause

New SELinux system policy was installed, bringing new contexts for system php-fpm (PHP by OS vendor).
“block_suspend” is the ability to prevent system suspends (see Object Classes and Permissions ). Such messages cannot negatively impact a server that is up constantly anyway.

Resolution

  1. Connect to the server via SSH .

  2. Make sure that tools required to built modules are installed:

    # yum install checkpolicy policycoreutils policycoreutils-python -y

  3. Create php-fpm-allow-block-suspend.te file with the following content:

    #================================
     
     module php-fpm-allow-block-suspend 1.0.0; 
     
     require { 
     type httpd_t; 
     class capability2 block_suspend; 
     } 
     
     #============= httpd_t ============== 
     
     allow httpd_t self:capability2 block_suspend;

  4. Compile and install SELinux policy module:

    # checkmodule -M -m -o php-fpm-allow-block-suspend.mod php-fpm-allow-block-suspend.te
    # semodule_package -o php-fpm-allow-block-suspend.pp -m php-fpm-allow-block-suspend.mod
    # semodule -i php-fpm-allow-block-suspend.pp

Additional Information

PHP-FPM daemon set as an unconfined service in Plesk SELinux policies

Read the full article
Related Posts
Knowledge Base

Industry
Partners

industry-partner_ALIBABA
industry-partner_GOOGLEPARTNER
industry-partner_MICROSOFT
industry-partner_REDHAT-r2
industry-partner_ALIBABA
industry-partner_AUTOMATTIC
industry-partner_AWS
industry-partner_DIGITALOCEAN
industry-partner_SCALEWAY

Follow us:

Facebook Twitter Linkedin Youtube Github

© 2021 Plesk International GmbH. All rights reserved. Plesk and the Plesk logo are trademarks of Plesk International GmbH.

Managed with 💙  with Plesk WordPress Toolkit

Search
Generic filters
Exact matches only
Search in title
Search in content
Search in excerpt