Articles in this section

See more

SELinux is preventing php-fpm from using the block_suspend capability

Avatar
Yulia Plokhotnikova
Updated
Follow

Symptoms

The following error is found in /var/log/messages:

CONFIG_TEXT: setroubleshoot: SELinux is preventing php-fpm from using the block_suspend capability. For complete SELinux messages run: sealert -l 0818edec-e276-414a-aa2b-29264e537dd5
python: SELinux is preventing php-fpm from using the block_suspend capability.#012#012*****  Plugin catchall (100. confidence) suggests  **************************#012#012If you believe that php-fpm should have the block_suspend capability by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'php-fpm' --raw | audit2allow -M my-phpfpm#012# semodule -i my-phpfpm.pp#012

/var/log/audit/audit.log contains the following errors:

CONFIG_TEXT: type=AVC msg=audit(1507135047.192:8111): avc:  denied 
{ block_suspend } for  pid=1125 comm="php-fpm" capability=36  scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability2
type=AVC msg=audit(1507135065.209:8112): avc:  denied  { block_suspend }
for  pid=1125 comm="php-fpm" capability=36  scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability2
type=AVC msg=audit(1507135065.209:8113): avc:  denied 
{ block_suspend }
for  pid=1125 comm="php-fpm" capability=36  scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capabilit

SELinux context on /usr/sbin/php-fpm file is:

CONFIG_TEXT: system_u:object_r:httpd_exec_t:s0 /usr/sbin/php-fpm

Cause

New SELinux system policy was installed, bringing new contexts for system php-fpm (PHP by OS vendor). It is not related to Plesk, but rather to an operating system itself. "block_suspend" is the ability to prevent system suspends (see Object Classes and Permissions). Such messages cannot negatively impact a server that is up constantly anyway.

Resolution

To get rid of such messages, set system php-fpm context the same as Plesk php-fpm:

# chcon system_u:object_r:bin_t:s0 /usr/sbin/php-fpm

Comments

0 comments

Please sign in to leave a comment.

Related articles