If you are having trouble getting your web server to work or starting services on the system, SELinux could be at fault.
Diagnose problems caused by SELinux
Two major factors can contribute to a service not functioning properly:
- inappropriate SELinux security labels on files and directories,
- inappropriate SELinux rules applied to Unix system resources such as TCP sockets.
Get status of the malfunctioning service
First you need to get the status output for the malfunctioning service (or look up the logs). For example, for PHP 7 that delivers a 404 error in NGINX:
# systemctl status -l php70-php-fpm.service
● php70-php-fpm.service - The PHP FastCGI Process Manager
   Loaded: loaded (/usr/lib/systemd/system/php70-php-fpm.service; enabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Fri 2018-01-08 12:03:16 UTC; 5min ago
  Process: 13468 ExecStart=/opt/remi/php70/root/usr/sbin/php-fpm --nodaemonize (code=exited, status=78)
 Main PID: 13468 (code=exited, status=78)
Jan 08 12:03:18 ip-16-0-0-40 systemd[1]: Starting The PHP FastCGI Process Manager...
Jan 08 12:03:18 ip-16-0-0-40 php-fpm[13468]: [08-Jan-2018 12:03:16] ERROR: unable to bind listening socket for address '127.0.0.1:9002': Permission denied (13)
Jan 08 12:03:18 ip-16-0-0-40 php-fpm[13468]: [08-Jan-2018 12:03:16] ERROR: FPM initialization failed
Jan 08 12:03:18 ip-16-0-0-40 systemd[1]: php70-php-fpm.service: main process exited, code=exited, status=78/n/a
Jan 08 12:03:18 ip-16-0-0-40 systemd[1]: Failed to start The PHP FastCGI Process Manager.
Jan 08 12:03:18 ip-16-0-0-40 systemd[1]: Unit php70-php-fpm.service entered failed state.
Jan 08 12:03:18 ip-16-0-0-40 systemd[1]: php70-php-fpm.service failed.
The system in the above example is unable to bind the TCP listening socket, as evidenced by this line:
ERROR: unable to bind listening socket for address '127.0.0.1:9002': Permission denied (13)
Correct SELinux security labels on the file system
Navigate to the directory containing the configuration files:
cd /etc/opt/remi/php70/php-fpm.d
View the SELinux labels (the -Z switch of ls prints the security context of each entry):
# ls -laZ
drwxr-xr-x. root root system_u:object_r:etc_t:s0 .
drwxr-xr-x. root root system_u:object_r:etc_t:s0 ..
-rw-r--r--. root root system_u:object_r:etc_t:s0 www.conf
-rw-r--r--. root root unconfined_u:object_r:etc_t:s0 www.website1.tld.conf
The pool file www.website1.tld.conf carries the SELinux user unconfined_u, whereas the other configuration files carry system_u. Fix the label on the configuration files of the php-fpm pools so that they match:
chcon -R system_u:object_r:etc_t:s0 www.website1.tld.conf
Troubleshooting access to TCP sockets: build an SELinux module to use TCP sockets
To figure out the changes that are required for SELinux to permit legitimate activities of a service (such as php-fpm or nginx), switch SELinux to permissive mode and build the module it needs using audit2allow, a utility that can generate SELinux allow/dontaudit rules from logs of denied operations (it is contained in policycoreutils-devel). Here’s how to do it.
Step 1. Switch SELinux to permissive
Verify if SELinux is enforcing rules using:
# getenforce
If it is set to enforcing, switch SELinux to the permissive mode using the command:
# setenforce 0
In this mode of operation, SELinux won’t be enforcing its rules, but it will log information about activities it would have prevented if it had been enforcing existing rules.
Step 2. Start the service that failed to load in the SELinux enforcing mode
If the service wasn’t able to run at all because of SELinux, start it:
# service php70-php-fpm restart
Redirecting to /bin/systemctl restart php70-php-fpm.service
Next, try to trigger the error you saw before. For example, visit the site in a web browser.
Step 3. Inspect log output of SELinux generated for the service in permissive mode
Check the audit log:
tail /var/log/audit/audit.log | more
You may find messages like this one, which reports that php-fpm was denied access to a TCP socket:
type=AVC msg=audit(1529375627.092:172): avc: denied { name_bind } for pid=1822 comm="php-fpm" src=9009 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1
Based on the output of tail, you know what to look for when building your SELinux module.
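Before piping anything to audit2allow it helps to see exactly which denials the log holds for the service. The following shell function is an added example (it is not part of the original article or of the audit tools) that condenses AVC records into one line per distinct denial: object class, source type, target type and permission. The records it runs on are constructed in audit.log format with hypothetical PIDs and timestamps; they include two php-fpm name_bind denials and one nginx name_connect denial of the kind the NGINX section deals with.

```shell
#!/bin/sh
# Added example, not part of the original article: summarise AVC denials for one
# process before deciding what to feed to audit2allow.
#
# Constructed records in audit.log format (hypothetical values, not captured
# from a real host): two identical php-fpm name_bind denials, one unrelated
# SYSCALL record and one nginx name_connect denial.
SAMPLE_AUDIT='type=AVC msg=audit(1529375627.092:172): avc:  denied  { name_bind } for  pid=1822 comm="php-fpm" src=9002 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1
type=SYSCALL msg=audit(1529375627.092:172): arch=c000003e syscall=49 success=yes exit=0 comm="php-fpm"
type=AVC msg=audit(1529375628.101:173): avc:  denied  { name_bind } for  pid=1822 comm="php-fpm" src=9002 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1529375640.552:180): avc:  denied  { name_connect } for  pid=1901 comm="nginx" dest=9002 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1'

# avc_summary COMM   (reads audit records on stdin)
# Keeps only AVC "denied" records whose comm= matches COMM and prints one line
# per distinct denial:
#   COUNT TCLASS SOURCE_TYPE TARGET_TYPE PERMISSIONS
# The permissions come last because one record may list several inside the
# braces. A line that does not match the expected layout is passed through
# unchanged rather than silently dropped.
avc_summary() {
  comm="$1"
  grep 'type=AVC' | grep 'denied' | grep "comm=\"$comm\"" |
    sed -E 's/.*denied[[:space:]]*[{][[:space:]]*([^}]*[^} ])[[:space:]]*[}].*scontext=[^:]+:[^:]+:([^:]+):.*tcontext=[^:]+:[^:]+:([^:]+):.*tclass=([^ ]+).*/\4 \2 \3 \1/' |
    sort | uniq -c | sed -E 's/^[[:space:]]*//'
}

# Demo on the constructed records: php-fpm shows one distinct denial, seen twice.
printf '%s\n' "$SAMPLE_AUDIT" | avc_summary php-fpm
# → 2 tcp_socket httpd_t unreserved_port_t name_bind
```

On a live system the function is fed the real log, for example with avc_summary php-fpm < /var/log/audit/audit.log, or with ausearch -m avc -ts recent | avc_summary nginx if the audit log has been rotated. A denial that names an object type you did not expect for the service is a reason to investigate rather than to allow it.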
Step 4. Pipe relevant messages to audit2allow
Pipe the relevant output of the SELinux audit.log for the service in question to a temporary file for further inspection (lowercase -m prints the generated Type Enforcement source to standard output; uppercase -M, used in Step 5, builds the policy package files instead):
grep php-fpm /var/log/audit/audit.log | audit2allow -m phpfpm > phpfpmlocal.tmp
Inspect the file you created (phpfpmlocal.tmp):
# cat phpfpmlocal.tmp
module phpfpm 1.0;

require {
    type tor_port_t;
    type unreserved_port_t;
    type hugetlbfs_t;
    type httpd_t;
    type httpd_sys_content_t;
    class process execmem;
    class tcp_socket name_bind;
    class dir write;
    class file { write append };
}

#============= httpd_t ==============

#!!!! This avc can be allowed using the boolean 'httpd_unified'
allow httpd_t httpd_sys_content_t:dir write;

#!!!! This avc can be allowed using the boolean 'httpd_unified'
allow httpd_t httpd_sys_content_t:file append;
allow httpd_t hugetlbfs_t:file write;

#!!!! This avc can be allowed using the boolean 'httpd_execmem'
allow httpd_t self:process execmem;
allow httpd_t tor_port_t:tcp_socket name_bind;

#!!!! This avc can be allowed using the boolean 'nis_enabled'
allow httpd_t unreserved_port_t:tcp_socket name_bind;
Review the generated rules: audit2allow turns every denial it finds in the log into an allow rule, so keep only the lines the service actually needs for the failure you are fixing (here, binding its listening port) and remove the rest, adjusting the require block to match.
You have two options at this point. You can either enable the corresponding booleans (Step 5, option 1) or build and activate an SELinux module (Step 5, option 2).
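To decide between the two options it is useful to split the generated rules into those that audit2allow tagged with an existing boolean and those that only a custom module can grant. The function below is an added example, not part of the original article or of audit2allow; it reads a .te on standard input and relies only on the comment format shown above. The sample .te it runs on is a constructed, shortened variant of the phpfpmlocal.tmp listing, using both the single-boolean hint and the multi-boolean hint that appears in the NGINX section.

```shell
#!/bin/sh
# Added example, not part of the original article: sort the allow rules that
# audit2allow -m generated into those a stock boolean would cover (Step 5,
# option 1) and those that only a custom module can grant (Step 5, option 2).
#
# Constructed sample of audit2allow's Type Enforcement output; the layout of
# the hint comments matches the article's listing, the rule set is hypothetical.
SAMPLE_TE=$(cat <<'EOF'
module phpfpm 1.0;

require {
    type unreserved_port_t;
    type hugetlbfs_t;
    type httpd_t;
    class process execmem;
    class tcp_socket { name_bind name_connect };
    class file write;
}

#============= httpd_t ==============
allow httpd_t hugetlbfs_t:file write;

#!!!! This avc can be allowed using the boolean 'httpd_execmem'
allow httpd_t self:process execmem;

#!!!! This avc can be allowed using one of the these booleans:
#     nis_enabled, httpd_can_network_connect
allow httpd_t unreserved_port_t:tcp_socket name_connect;

#!!!! This avc can be allowed using the boolean 'nis_enabled'
allow httpd_t unreserved_port_t:tcp_socket name_bind;
EOF
)

# te_classify   (reads a .te on stdin)
# Prints "boolean(NAME[,NAME...]): <rule>" for rules that audit2allow tagged
# with a boolean hint and "module: <rule>" for the rest. The single-boolean hint
# carries the name in quotes on the same line; the multi-boolean hint lists the
# names on the following comment line.
te_classify() {
  awk -v q="'" '
    /^#!!!! This avc can be allowed using the boolean / {
      if (match($0, q "[^" q "]+" q)) pending = substr($0, RSTART + 1, RLENGTH - 2)
      next
    }
    /^#!!!! This avc can be allowed using one of the these booleans:/ { multi = 1; next }
    multi && /^#/ {
      line = $0
      sub(/^#[ \t]*/, "", line)
      gsub(/,[ \t]*/, ",", line)
      pending = line
      multi = 0
      next
    }
    /^allow / {
      if (pending != "") print "boolean(" pending "): " $0
      else print "module: " $0
      pending = ""
    }
  '
}

# Demo on the constructed sample: one rule needs a module, three have booleans.
printf '%s\n' "$SAMPLE_TE" | te_classify
```

In practice the function goes at the end of the Step 4 pipeline: grep php-fpm /var/log/audit/audit.log | audit2allow -m phpfpm | te_classify. Rules in the "module:" group are the ones to scrutinise hardest, since no packaged policy anticipated them.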
Step 5, option 1. Set SELinux booleans
To set the corresponding boolean (following the directions from Step 4), for example:
semanage boolean -m --on nis_enabled
Here, nis_enabled is the boolean that was supplied in the output of audit2allow in Step 4 above. The change persists across reboots.
Step 5, option 2. Build and enable the SELinux module
Re-run audit2allow to build the module:
grep php-fpm /var/log/audit/audit.log | audit2allow -M phpfpmlocal
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i phpfpmlocal.pp
(If there is no policy to be activated based on the audit log snippets you supplied in Step 4, audit2allow will fail to create the module and the semodule command will then fail as well.)
Activate the module:
semodule -i phpfpmlocal.pp
(Now you may remove the three phpfpmlocal.* files that were created as the system no longer needs them.)
Step 6. Reactivate SELinux enforcing mode and restart the service
Set enforce back on:
setenforce 1
Verify that SELinux is enforcing:
# getenforce
Enforcing
Restart the service for which you fixed the rules:
systemctl restart nginx php-fpm
Verify that everything is working as it should for the service:
systemctl status -l php-fpm.service
You have granted php-fpm access to a TCP socket so it happily starts without complaints. However, NGINX may still keep giving you 404 errors for lack of access to the TCP socket.
A TCP socket allows two (or more) services to communicate with one another. For this communication to work, both services need unhindered access to the socket. As a result, you need to repeat the above procedure for NGINX.
Create a custom SELinux module for NGINX to use a TCP socket
Repeat the steps required for SELinux to grant NGINX access to the TCP socket that PHP-FPM is listening on.
Step 1. Pipe audit.log messages referring to NGINX to audit2allow
Use the audit2allow utility to view relevant messages in the logs:
grep nginx /var/log/audit/audit.log | audit2allow
showing for example this output:
#============= httpd_t ==============
#!!!! This avc can be allowed using one of the these booleans:
#     nis_enabled, httpd_can_network_connect
allow httpd_t unreserved_port_t:tcp_socket name_connect;
Pipe relevant SELinux AVC messages to audit2allow to create the SELinux module:
grep nginx /var/log/audit/audit.log | audit2allow -m nginx
The output may look like this:
module nginx 1.0;

require {
    type httpd_t;
    type unreserved_port_t;
    class tcp_socket name_connect;
}

#============= httpd_t ==============

#!!!! This avc can be allowed using one of the these booleans:
#     nis_enabled, httpd_can_network_connect
allow httpd_t unreserved_port_t:tcp_socket name_connect;
Generate a local nginx Type Enforcement policy file (nginx.tmp) and inspect it:
grep nginx /var/log/audit/audit.log | audit2allow -m nginx > nginx.tmp
cat nginx.tmp
Use audit2allow to create a custom policy module which allows NGINX access to the TCP socket:
grep nginx /var/log/audit/audit.log | audit2allow -M nginx
To load the policy package into the kernel, execute:
semodule -i nginx.pp
Wrap it up by switching SELinux back to its enforcing mode:
setenforce 1
Restart nginx.
Verify that SELinux is enforcing rules:
# getenforce
Enforcing
List the loaded modules:
semodule -l
Congratulations, you are done.
Hello there! I know this is kinda off topic but I was wondering if
you knew where I could get a captcha plugin for my comment form?
I’m using the same blog platform as yours and I’m having problems finding one?
Thanks a lot!
Hi Juanita Scarberry:
> I know this is kinda off topic but I was wondering if
> you knew where I could get a captcha plugin for my comment form?
Yes, of course!
1. Really Simple CAPTCHA:
https://wordpress.org/plugins/really-simple-captcha/
2. Contact Form 7 Honeypot
https://wordpress.org/plugins/contact-form-7-honeypot/
3. Google Captcha (reCAPTCHA) by BestWebSoft
https://wordpress.org/plugins/google-captcha/
I hope this helps!
P.S.: By the way, you should look at this:
https://securityheaders.com/?q=http%3A%2F%2Flaserslevels.net%2Fdata%2520sheet%2FSokkia-Power-Level-SDL50-Edited-1.pdf&followRedirects=on
You should urgently fix your website. Here is how to do it:
Fixing your Web Server’s Security Headers: From Hall of Shame to Hall of Fame
https://www.cloudinsidr.com/content/fixing-your-web-servers-security-headers-from-hall-of-shame-to-hall-of-fame/
With kind regards,
Admin of CloudInsidr
If someone wishes expert views about running a blog, then I would recommend him/her to visit
this CloudInsidr https://www.cloudinsidr.com
Keep up the good work.
I believe what you typed was very logical.
However, what about this? what if you typed a catchier title?
I mean, I don’t wish to tell you how to run your website, however suppose you added a title to possibly
get folk’s attention? I mean Troubleshooting PHP 7 and NGINX when using TCP sockets with SELinux on Fedora/RHEL/CentOS – Cloud
Insidr is a little plain. You could peek at Yahoo’s front page and see how they create post titles to grab people to click.
You might add a related video or a related picture or two to get
people excited about what you’ve written. Just my opinion, it could make your posts a
little bit more interesting.
What’s up everybody, this is my first quick visit to this blog.
This web site carries remarkable content and in fact good information designed for readers.
Yeah, I liked the article so much that I had to write a nice comment here. Keep it up! :-)
This info is invaluable. How can I find out
more?
This post is really a nice one it helps new web viewers,
who are wishing in favor of blogging.
I got this site from my pal who told me on the topic of this web page and now this
time I am browsing this web site and reading very informative content here.
Heya i am for the first time here. I came across this board and I find It truly useful & it
helped me out a lot. I hope to give something back and help others like you helped me.
whoah this blog is fantastic i really like studying your
posts. Stay up the great work! You already know, lots of persons are searching around for
this info, you could help them greatly.
Wonderful blog! I found it while browsing on Yahoo News.
Do you have any tips on how to get listed in Yahoo News?
I’ve been trying for a while but I never seem to get
there! Many thanks
Sure, it’s here!
Yahoo News Submission Guidelines:
https://help.yahoo.com/kb/account
Great blog here! Also your web site loads up very fast!
What web host are you using? Can I get your affiliate link to your host?
I wish my website loaded up as fast as yours lol
Thanks, we are hosting on our AWS infrastructure. There is no affiliate link, but you can register at aws-portal.amazon.com for a free account to test-drive AWS services for a year free of charge. You only pay if you use services that are not included in the free tier, so I’d be extra careful. So long as you keep an eye on your usage, you can test-drive AWS hosting for free for an entire year. It’s a pretty fair deal.
Good luck.
It’s hard to find well-informed people for this subject, however, you seem like you know
what you’re talking about! Thanks
I am curious to find out what blog system you’re utilizing?
I’m experiencing some minor security issues with my latest website and I’d like to find something more risk-free.
Do you have any suggestions?
Where are you hosted and what platform are you using? Is your software up to date?
Hello there, I found your web site by the use of Google at the same time as looking
for a similar subject, your web site came up, it appears to
be like great. I’ve bookmarked it in my google bookmarks.
Hi there, just became aware of your blog thru Google, and located that it’s truly informative.
I’ll appreciate in the event you continue this in the future.
Numerous other people will probably benefit from your writing.
Cheers!
I have to thank you for the efforts you have put in penning this
website. I really hope to see the same high-grade content by you later on as well.
In fact, your creative writing abilities has inspired
me to get my own, personal site now ;)
This is a topic that is near to my heart… Many thanks!
Where are your contact details though?
At the bottom is a “Send us a message” form!
Hope it helps! :-)
Hiya! Quick question that’s completely off topic.
Do you know how to make my own website mobile friendly? My blog looks weird when viewing from my iphone 4.
I’m trying to find a template or plugin that might
be able to fix this problem. If you have any suggestions, please share.
Thanks!
Hi,
It’s a Genesis framework:
http://my.studiopress.com/themes/genesis/
with a Streamline Pro Theme:
http://my.studiopress.com/themes/streamline/
Hope it helps! :-)
You are currently using Drupal and your theme is responsive, so it will adjust to the viewport of a mobile device. The best you can do is test your page load times and optimize for speed. Drupal takes care of the rest.
I have been browsing on-line more than three hours these days, but I never discovered any interesting article like
yours. It is an amazing article!
In my opinion, if all webmasters and bloggers made excellent content as you did, the internet would be much more helpful than ever before. http://yahoo.co.uk
Have you ever thought about adding a
little bit more than just your articles? I mean, what
you say is fundamental and all. But just imagine if you added
some great visuals or video clips to give your posts more,
“pop”! Your content is excellent but with images and clips, this
site could undeniably be one of the very best
in its niche. Fantastic blog!
Greetings! Very helpful advice in this particular post!
It is the little changes that make the largest changes.
Many thanks for sharing!
I am actually grateful to the holder of this site who has shared this wonderful post at at this time.
We are a group of volunteers and starting a new scheme in our community.
Your web site provided us with valuable info to work on.
You have done an impressive job and our whole community will
be grateful to you.
You ought to be a part of a contest for one of the most useful blogs on the
net. I will highly recommend this blog!
Hey I am so delighted I found your website, I really found you by mistake, while I was
searching on Google for something else, Anyways I am here now and would just like to say thanks a lot for a
remarkable post and a all round exciting blog (I also love the theme/design), I don’t have time to browse it all at
the moment but I have bookmarked it and also added in your RSS feeds, so when I have time I will be back to read
a great deal more, Please do keep up the awesome work.
Heya i am for the first time here. I came across this blog and I
to find it really helpful, it helped me out much.
I hope to provide one thing again and help others like you aided me.
Hey would you mind letting me know which hosting company you’re working with?
I’ve loaded your blog in 3 completely different web browsers
and I must say this blog loads a lot faster then most.
Can you suggest a good internet hosting provider at a fair price?
Cheers, I appreciate it! http://www.yahoo.net
It runs on AWS (Amazon Web Services) with PHP 7, NGINX, MariaDB etc. :-)
Your style is really unique compared to other folks I’ve read stuff from.
Thanks for posting when you have the opportunity, Guess I will just
book mark this page.
Hey there! Do you use Twitter? I’d like to follow you if that would be okay.
I’m undoubtedly enjoying your blog and look forward to new posts.
Great article! We will be linking to this particularly great article on our site.
Keep up the great writing.
Just want to say your article is as surprising. The clearness in your post is just excellent and i
could assume you’re an expert on this subject. Well with your
permission let me to grab your RSS feed
to keep updated with forthcoming post. Thanks a million and please
carry on the enjoyable work.
I blog frequently and I seriously thank you for your content.
The article has truly peaked my interest. I’m going to
take a note of your blog and keep checking for new details about once a week.
I subscribed to your RSS feed as well.
Thanks for finally writing about >Troubleshooting PHP
7 and NGINX when using TCP Sockets with SELinux on CentOS 7 (RHEL/Fedora) | Cloud Insidr <Liked it!
Appreciating the persistence you put into your site and
detailed information you offer. It’s nice to come across
a blog every once in a while that isn’t the same old rehashed material.
Great read! I’ve bookmarked your site and
I’m adding your RSS feeds to my Google account.
hey there and thank you for your information – I’ve certainly picked up
anything new from right here. I did however expertise a
few technical points using this website, as I experienced to reload the
web site lots of times previous to I could get it to load properly.
I had been wondering if your web host is OK? Not that I’m complaining, but sluggish loading instances times will sometimes affect your placement in google and could damage your high-quality score if advertising and marketing with Adwords.
Anyway I am adding this RSS to my email and can look out for a lot more of your respective fascinating content.
Make sure you update this again soon.
Hello everyone, it’s my first pay a quick visit at this web site, and
article is truly fruitful in favor of me,
keep up posting these types of content.
My coder is trying to persuade me to move to .net from PHP.
I have always disliked the idea because of the expenses. But he’s trying none the less.
I’ve been using WordPress on a variety of websites for about a year and am nervous about switching to another platform.
I have heard excellent things about blogengine.net. Is there a way I can import all my
wordpress content into it? Any kind of help would be greatly appreciated!
Great post! We will be linking to this great content on our site.
Keep up the great writing.
I’m really enjoying the theme/design of your web site.
Do you ever run into any internet browser compatibility issues?
A couple of my blog readers have complained about my website not working
correctly in Explorer but looks great in Firefox.
Do you have any recommendations to help fix this issue?
I’ve read several good stuff here. Definitely price bookmarking for revisiting.
I wonder how a lot attempt you put to create the sort of magnificent informative
website.
Thanks for sharing your thoughts about php 7.
Regards
I like the helpful info you provide in your articles.
I’ll bookmark your weblog and check again here regularly.
I am quite certain I’ll learn a lot of new stuff right here!
Best of luck for the next!
Great post. I was checking continuously this blog and I’m impressed!
Very useful information specifically the last part :) I care
for such info a lot. I was looking for this certain info
for a very long time. Thank you and best of luck.
I have read so many articles or reviews on the topic of
the blogger lovers but this post is actually a pleasant article, keep
it up.
Wow that was unusual. I just wrote an very
long comment but after I clicked submit my comment didn’t show up.
Grrrr… well I’m not writing all that over again. Regardless, just wanted to say great blog!
I got this web site from my buddy who shared with me on the topic of this web
page and at the moment this time I am visiting this web page and
reading very informative posts at this place.
A motivating discussion is worth comment. I think that you ought to write more about this subject matter, it may not be a taboo matter but generally folks don’t discuss these issues.
To the next! Best wishes!!
It’s an amazing article in support of all the internet users; they will get advantage from it I am sure.
My brother suggested I might like this website.
He was totally right. This post truly made my day. You can’t imagine just how much time
I had spent for this information! Thanks!
Hello i am kavin, its my first time to commenting anywhere, when i read this paragraph i thought i could also make comment due to this good piece of writing.
Hi, this weekend is good in support of me, as this
occasion i am reading this enormous educational piece of writing here at my residence.
Hello would you mind sharing which blog platform you’re
working with? I’m planning to start my own blog in the near future but I’m having a tough time making a decision between BlogEngine/Wordpress/B2evolution and Drupal.
The reason I ask is because your design seems different then most blogs and I’m looking for something completely unique.
P.S Sorry for being off-topic but I had to ask!
Hi,
It’s a WordPress blog. Running on Nginx and CentOS 7.2. :-)
Hope this helps!
Cheers!
It’s nearly impossible to find experienced people for this topic, however, you sound like you
know what you’re talking about! Thanks
I do trust all of the ideas you have presented in your post.
They are very convincing and can definitely work.
Still, the posts are too short for newbies. May just you please prolong them a little
from subsequent time? Thanks for the post.
Hola! I’ve been reading your weblog for
a long time now and finally got the courage to go ahead and give you a shout out from Lubbock Tx!
Just wanted to tell you keep up the good work!
Howdy! This is my first visit to your blog!
We are a collection of volunteers and starting a new initiative in a community in the same niche.
Your blog provided us useful information to work on. You have done an outstanding job!
Generally I do not read articles on blogs, however I wish to say that this one was exceptional! Your writing style has really surprised me. Thank you very much! Great post.
Miranda Pitre
It’s really a great and helpful piece of information. I’m happy that you simply shared this helpful info with us. Please stay us up to date like this. Thanks for sharing.
—QUOTE—
Hey there! I know this is somewhat off topic but I was wondering
which blog platform are you using for this website? I’m getting
tired of WordPress because I’ve had issues with hackers and I’m looking at options for another platform.
I would be fantastic if you could point me in the direction of a good platform.
—UNQUOTE—
Here is how to keep your web server safe:
https://www.cloudinsidr.com/content/fixing-your-web-servers-security-headers-from-hall-of-shame-to-hall-of-fame/
https://www.cloudinsidr.com/content/secure-your-web-server-against-attacks-via-xsrfcsrfxfs-how-to-design-a-content-security-policy/
You should try activating SELinux:
https://www.cloudinsidr.com/content/troubleshooting-php-7-tcp-sockets-with-selinux-on-centos-7-rhelfedora/
https://www.cloudinsidr.com/content/lemp-how-to-set-up-nginx-with-mariadbmysql-and-php-7-x-on-centos-7-rhelfedora/
My spouse and I stumbled over here from a different web page and thought I might as well check
things out. I like what I see so i am just following you.
Look forward to looking into your web page repeatedly.
Hello, I desire to subscribe for this blog to obtain hottest updates, therefore where can i do it please help out.
Hi Waylon,
I already did this for you!
Please confirm it!
It’s not my first time to go to see this site, I am visiting this site daily and take good facts from here
daily.
Hey There. I found your blog using msn. This is a very smartly written article. I’ll be sure to bookmark it
and come back to learn extra of your useful information. Thanks for the post.
I will certainly comeback.
This article saved the day for me. There is a typo, however:
grep php-fpm /var/log/audit/audit.log | audit2allow -m phpfpmlocal
The -m needs to be capitalized for the command to work:
grep php-fpm /var/log/audit/audit.log | audit2allow -M phpfpmlocal
thank you for this post!!
Hi Tim,
True, you are right! :-)
Thanks!
Hi there, just became aware of your blog through Google,
and found that it is truly informative. I am going to watch out for brussels.
I will appreciate if you continue this in future. Many people will be benefited from your writing.
Cheers!
Hello, I enjoy reading all of your post. I wanted to write
a little comment to support you.
Hi! I understand this is kind of off-topic however I needed
to ask. Does managing a well-established blog like yours
take a large amount of work? I’m completely new to operating a blog but
I do write in my journal daily. I’d like to start a blog so I can easily share my experience and views online.
Please let me know if you have any suggestions or tips for brand new aspiring blog owners.
Appreciate it!
It depends on the level of your technical know-how and overall experience. Some people find it daunting, others enjoy every minute of it. If you happen to be working in the IT industry, for example as a sysadmin, you have a very different angle than someone who’s altogether new to this whole publishing thing and just got bitten by the blogging bug out of nowhere. Either way, there are solutions that can streamline the process. It very much depends on you and how much of your time you are _willing_ to invest.
Good write-up. I definitely love this website.
Thanks!
I think this is among the most important info for me. And i am glad reading your article.
But should remark on some general things, The site style is wonderful, the articles is really great : D.
Good job, cheers
Thank you!
I have emailed this blog post page to all my associates, because if I like to
read it, my friends will want to read it,too. Thanks!
Thank you! That’s good to hear:-)
Pretty! This has been a really wonderful article.
Many thanks for supplying this information.