If you are having trouble getting your web server to work or starting services on the system, SELinux could be at fault.<\/p>\n
<\/p>\n
Two major factors can contribute to a service not functioning properly:<\/p>\n
First you need to get the status output for the malfunctioning service (or look up the logs). For example, for PHP 7 that delivers a 404 error in NGINX:<\/p>\n
# systemctl status -l php70-php-fpm.service\r\n\u25cf php70-php-fpm.service - The PHP FastCGI Process Manager\r\n Loaded: loaded (\/usr\/lib\/systemd\/system\/php70-php-fpm.service; enabled; vendor preset: disabled)\r\n Active: failed (Result: exit-code) since Fri 2018-01-08 12:03:16 UTC; 5min ago\r\n Process: 13468 ExecStart=\/opt\/remi\/php70\/root\/usr\/sbin\/php-fpm --nodaemonize (code=exited, status=78)\r\n Main PID: 13468 (code=exited, status=78)\r\nJan 08 12:03:18 ip-16-0-0-40 systemd[1]: Starting The PHP FastCGI Process Manager...\r\nJan 08 12:03:18 ip-16-0-0-40 php-fpm[13468]: [08-Jan-2018 12:03:16] ERROR: unable to bind listening socket for address '127.0.0.1:9002': Permission denied (13)\r\nJan 08 12:03:18 ip-16-0-0-40 php-fpm[13468]: [08-Jan-2018 12:03:16] ERROR: FPM initialization failed\r\nJan 08 12:03:18 ip-16-0-0-40 systemd[1]: php70-php-fpm.service: main process exited, code=exited, status=78\/n\/a\r\nJan 08 12:03:18 ip-16-0-0-40 systemd[1]: Failed to start The PHP FastCGI Process Manager.\r\nJan 08 12:03:18 ip-16-0-0-40 systemd[1]: Unit php70-php-fpm.service entered failed state.\r\nJan 08 12:03:18 ip-16-0-0-40 systemd[1]: php70-php-fpm.service failed.<\/pre>\nThe system in the above example is\u00a0unable to bind the TCP\u00a0listening socket, as evidenced by this line:<\/p>\n
ERROR: unable to bind listening socket for address '127.0.0.1:9002': Permission denied (13)<\/pre>\nCorrect SELinux security labels on the file system<\/h3>\n
Navigate to the directory containing the configuration files:<\/p>\n
cd \/etc\/opt\/remi\/php70\/php-fpm.d<\/pre>\nView SELinux labels:<\/p>\n
# ls -laZ\r\ndrwxr-xr-x. root root system_u:object_r:etc_t:s0 .\r\ndrwxr-xr-x. root root system_u:object_r:etc_t:s0 ..\r\n-rw-r--r--. root root system_u:object_r:etc_t:s0 www.conf\r\n-rw-r--r--. root root unconfined_u:object_r:etc_t:s0 www.website1.tld.conf<\/pre>\nFix the label on the configuration files of php-fpm pools:<\/p>\n
chcon -R system_u:object_r:etc_t:s0 www.website1.tld.conf<\/pre>\nTroubleshooting access to TCP sockets: build an SELinux module to use TCP sockets<\/h3>\n
To figure out the changes that are required\u00a0for SELinux\u00a0to permit legitimate activities of a\u00a0service (such as php-fpm or nginx), switch SELinux to permissive mode and\u00a0build the module it needs\u00a0using\u00a0audit2allow<\/strong>, a\u00a0utility\u00a0that can generate SELinux allow\/dontaudit rules from logs of denied operations (it is contained in policycoreutils-devel<\/strong>).\u00a0Here’s how to do it.<\/p>\n
Step 1. Switch\u00a0SELinux to permissive<\/h4>\n
Verify if SELinux is enforcing rules\u00a0using:<\/p>\n
# getenforce<\/pre>\nIf it is set to enforcing, switch SELinux to the permissive mode using the command:<\/p>\n
# setenforce 0<\/pre>\nIn this mode of operation, SELinux won’t be enforcing its rules, but it will log information about activities\u00a0it would have prevented if it had been enforcing existing rules.<\/p>\n
Step 2. Start the service that failed to load in the SELinux enforcing mode<\/h4>\n
If the service wasn’t able to run at all\u00a0because of SELinux,\u00a0start\u00a0it:<\/p>\n
# service php70-php-fpm restart\r\n Redirecting to \/bin\/systemctl restart php70-php-fpm.service<\/pre>\nNext, try to trigger the error you saw before. For example, visit the site in a web browser.<\/p>\n
Step 3. Inspect log output of SELinux generated for the service in permissive mode<\/h4>\n
Check the audit log:<\/p>\n
tail \/var\/log\/audit\/audit.log | more<\/pre>\nYou may find messages like this one that reports that php-fpm was denied access to a TCP socket:<\/p>\n
type=AVC msg=audit(1529375627.092:172): avc: denied { name_bind } for pid=1822 comm=\"php-fpm\" src=9009 scontext=system_u:system_r:httpd_t: s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=1<\/pre>\nBased on the output of tail, you know what to look for when building your SELinux module.<\/p>\n
Step 4. Pipe relevant messages to audit2allow<\/h4>\n
Pipe the relevant output of the SELinux audit.log for the service in question to a temporary file for further inspection:<\/p>\n
grep php-fpm \/var\/log\/audit\/audit.log | audit2allow -M phpfpm > phpfpmlocal.tmp<\/pre>\nInspect the file you created (phpfpmlocal.tmp):<\/p>\n
# cat phpfpmlocal.tmp\r\n\r\nmodule phpfpm 1.0;\r\n\r\nrequire {\r\n type tor_port_t;\r\n type unreserved_port_t;\r\n type hugetlbfs_t;\r\n type httpd_t;\r\n type httpd_sys_content_t;\r\n class process execmem;\r\n class tcp_socket name_bind;\r\n class dir write;\r\n class file { write append };\r\n}\r\n\r\n#============= httpd_t ==============\r\n#!!!! This avc can be allowed using the boolean 'httpd_unified'\r\nallow httpd_t httpd_sys_content_t:dir write;\r\n\r\n#!!!! This avc can be allowed using the boolean 'httpd_unified'\r\nallow httpd_t httpd_sys_content_t:file append;\r\nallow httpd_t hugetlbfs_t:file write;\r\n\r\n#!!!! This avc can be allowed using the boolean 'httpd_execmem'\r\nallow httpd_t self:process execmem;\r\nallow httpd_t tor_port_t:tcp_socket name_bind;\r\n\r\n#!!!! This avc can be allowed using the boolean 'nis_enabled'\r\nallow httpd_t unreserved_port_t:tcp_socket name_bind;<\/pre>\nMake any edits to the require directive above that seem necessary.<\/p>\n
You have two options at this point. You can either build and activate a SELinux module (Step 5, option 2) or enable the corresponding booleans (Step 5 option 1).<\/p>\n
Step 5, option 1. Set SELinux booleans<\/h4>\n