Selinux is preventing httpd from connectto access

Submitted by Tom Thorp on Sunday, August 21, 2022 - 15:22
Modified on Sunday, August 21, 2022 - 18:24
PHP-FPM - Selinux
This issue had been bugging me for some time. Every time I did a custom PHP install and set up a running PHP-FPM service over a unix socket, the following error message appeared in my journal:
Aug 20 17:54:10 fedora-35-webserver setroubleshoot[476862]: SELinux is preventing httpd from connectto access on the unix_stream_socket /opt/php81/var/run/php-fpm.sock.
So rather than having my PHP websites stop prematurely every time this error happened, I enabled permissive mode for the httpd domain until I had found a solution.
$ sudo semanage permissive -a httpd_t
As it turns out, it wasn't long before I found it.


The Solution

The fix for this issue stems from how the default SELinux policy for the httpd service labels files. If PHP was installed from an RPM, the default policy already knows the paths of the PHP install and applies the right labels to them. As I had done a custom build and install of PHP, only the generic SELinux labels were applied, which is not what we want.
In my case, I have several PHP installations under the /opt directory (7.4 & 8.1). After consulting the SELinux httpd manual (see below), I came up with the following SELinux commands to apply to a custom PHP install.
# These commands cover multiple PHP installations (7.x & 8.x)

# Label the PHP-FPM binaries httpd_exec_t so the service runs in the httpd_t domain,
# which is what gives httpd connectto access to the PHP-FPM socket
$ sudo semanage fcontext -a -t httpd_exec_t "/opt/php[7-8][0-9]/sbin(/.*)?"

# Allow the PHP-FPM service to log errors to its /opt/php*/var/log directory
$ sudo semanage fcontext -a -t httpd_var_log_t "/opt/php[7-8][0-9]/var/log(/.*)?"

# Allow the PHP-FPM service to create its unix socket file under /opt/php*/var/run, so httpd can access it
$ sudo semanage fcontext -a -t httpd_var_run_t "/opt/php[7-8][0-9]/var/run(/.*)?"

Then, from the /opt directory, run:

$ sudo restorecon -Rv .

Finally, restart any PHP-FPM services.
When you are satisfied that httpd creates no further journal entries, you can remove permissive mode with the following command:
$ sudo semanage permissive -d httpd_t
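As an added example (not from the original post), here is a small POSIX shell script for checking the result once the three fcontext rules and restorecon have been applied: it mirrors the three patterns above, compares them with what ls -Z reports for the PHP-FPM binary, log directory and socket, and confirms every php-fpm process runs in the httpd_t domain. The script name and the /opt/php81 prefix argument are assumptions.

```shell
#!/bin/sh
# Added verification script (not from the original post). After the three
# semanage fcontext rules and restorecon have run, check that the PHP-FPM
# binary, log directory and socket carry the expected types and that every
# php-fpm process is in the httpd_t domain. Prefix (e.g. /opt/php81) is assumed.
# Type the post's fcontext rules assign to a path (same patterns, as shell
# globs). Anything else keeps the generic label and is reported as "none".
expected_type_for() {
    case "$1" in
        /opt/php[7-8][0-9]/sbin|/opt/php[7-8][0-9]/sbin/*)       echo httpd_exec_t ;;
        /opt/php[7-8][0-9]/var/log|/opt/php[7-8][0-9]/var/log/*) echo httpd_var_log_t ;;
        /opt/php[7-8][0-9]/var/run|/opt/php[7-8][0-9]/var/run/*) echo httpd_var_run_t ;;
        *) echo none ;;
    esac
}
# Third field of a full SELinux context (user:role:type:level) is the type.
context_type() {
    echo "$1" | cut -d: -f3
}
# Compare the live label of a path (ls -Z) with the expected type.
# Returns 0 on match, 1 on mismatch, 2 if the path does not exist yet.
check_label() {
    path=$1
    [ -e "$path" ] || { echo "MISSING  $path (is PHP-FPM running?)"; return 2; }
    actual=$(context_type "$(ls -dZ "$path" | awk '{print $1}')")
    want=$(expected_type_for "$path")
    if [ "$actual" = "$want" ]; then
        echo "OK       $path is $actual"
    else
        echo "MISMATCH $path is $actual, expected $want (rerun restorecon -Rv)"
        return 1
    fi
}
# Usage: sh check-php-fpm-labels.sh /opt/php81
main() {
    prefix=$1
    rc=0
    for p in "$prefix/sbin/php-fpm" "$prefix/var/log" "$prefix/var/run/php-fpm.sock"; do
        check_label "$p" || rc=1
    done
    # httpd_t is allowed connectto on a socket whose peer also runs in httpd_t;
    # the httpd_exec_t label on the binary makes init start php-fpm in that domain.
    ps -eo label,comm | awk 'BEGIN{bad=0} $2=="php-fpm" &&
        $1 !~ /:httpd_t:/ {print "WRONG DOMAIN " $0; bad=1} END{exit bad}' || rc=1
    return $rc
}
if [ $# -gt 0 ]; then main "$@"; fi
```

A MISMATCH or WRONG DOMAIN line means the labels have not taken effect yet, so keep httpd_t permissive until the script reports OK for all three paths.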
Hope this resolves any issues you've had getting your custom PHP installation to play nicely with httpd and SELinux.