Thursday, November 20, 2014

SELinux: Allowing HTTPD to Connect to PHP-FPM

When running PHP-FPM (PHP FastCGI Process Manager), it can be configured to listen either on a UNIX socket or on a TCP port. When using the latter on an SELinux-enabled system, you will receive HTTP 500 Internal Server Error responses if SELinux is not configured to allow httpd to make that connection.

For example, on my system, I’m using the following directive (in my example.com VirtualHost):

FastCGIExternalServer /var/www/www.example.com/htdocs/cgi-bin/php5.fcgi -host 127.0.0.1:9000

However, the default value of the httpd_can_network_connect SELinux boolean is false (off), so the httpd_t domain is not allowed to open outbound TCP connections. Therefore, httpd is unable to connect to the PHP-FPM pool listening on 127.0.0.1:9000.

You will see AVC denial messages in /var/log/audit/audit.log such as:

type=AVC msg=audit(1373344647.677:17670): avc: denied { name_connect } for pid=24124 comm="httpd" dest=9000 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket

To fix this issue, set the httpd_can_network_connect SELinux boolean to true (on), remembering the -P option so that the change is written to the policy store and persists across reboots:

# setsebool -P httpd_can_network_connect 1
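The diagnosis and fix above boil down to three checks: is there a name_connect denial from httpd_t on the PHP-FPM port, what is the boolean currently set to, and what command flips it. The script below is an added example, not code from the original post; it bundles those checks into functions so the denial search can be run against a copy of audit.log offline. The two AVC lines in SAMPLE_AUDIT are constructed to mirror the denial shown above (the second is an unrelated file denial that must not be counted). On a real host, feed /var/log/audit/audit.log to count_httpd_connect_denials instead of the sample. Note that httpd_can_network_connect allows httpd to connect to any TCP port, not just 9000; if that is broader than you want, pointing PHP-FPM at a UNIX socket (the other option mentioned at the top of the post) avoids the boolean entirely.

```shell
#!/bin/sh
# Added example (not from the original post): audit-log check and boolean
# check/fix for httpd_t -> PHP-FPM TCP connections under SELinux.

# Constructed sample audit lines. The first mirrors the post's denial;
# the second is an unrelated file read denial and must not be counted.
SAMPLE_AUDIT='type=AVC msg=audit(1373344647.677:17670): avc:  denied  { name_connect } for  pid=24124 comm="httpd" dest=9000 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1373344650.100:17671): avc:  denied  { read } for  pid=24124 comm="httpd" name="index.php" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'

# count_httpd_connect_denials PORT
# Reads audit log text on stdin and prints the number of AVC lines where
# the httpd_t domain was denied name_connect on a TCP socket to PORT.
# "avc: *denied *{" tolerates the one- or two-space layout auditd emits.
count_httpd_connect_denials() {
    port="$1"
    grep -c "avc: *denied *{ name_connect }.*comm=\"httpd\".*dest=${port}[^0-9].*scontext=[^ ]*:httpd_t:.*tclass=tcp_socket" || true
}

# boolean_state
# Prints "on", "off", or "unknown" (when getsebool is not installed, e.g.
# on a non-SELinux host). getsebool output looks like:
#   httpd_can_network_connect --> off
boolean_state() {
    if command -v getsebool >/dev/null 2>&1; then
        getsebool httpd_can_network_connect 2>/dev/null | awk '{print $NF}'
    else
        echo "unknown"
    fi
}

# fix_command
# Prints the persistent fix from the post; it is not executed here so the
# script can be run read-only first. Run it as root once you have confirmed
# the denial is the one you expect.
fix_command() {
    echo "setsebool -P httpd_can_network_connect 1"
}

# Demo run against the constructed sample. On a real host use:
#   count_httpd_connect_denials 9000 < /var/log/audit/audit.log
denials=$(printf '%s\n' "$SAMPLE_AUDIT" | count_httpd_connect_denials 9000)
echo "httpd_t name_connect denials to port 9000: $denials"
echo "httpd_can_network_connect is currently: $(boolean_state)"
if [ "$denials" -gt 0 ]; then
    echo "Suggested fix (run as root): $(fix_command)"
fi
```

A port other than 9000 (e.g. a second pool on 9001) is checked the same way by passing that port; a count of zero means the AVC messages you are looking at are a different problem and the boolean is not the fix.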

http://www.tokiwinter.com/selinux-allowing-httpd-to-connect-to-php-fpm/
