can php fpm sockets be brought back to help with SELinux TCP port issues?

We are slowly working through configuring VirtualMin on RedHat 7 to work with SELinux in enforcing mode.

One issue that has come up revolves around php-fpm with apache ... as most of you know, fpm can be configured to use either a TCP port or a unix socket. SELinux greatly limits what TCP ports are available by default to apache, while our limited testing seems to indicate using a unix socket is easier to fit into the SELinux environment.

I am requesting that unix sockets be brought back as an option for php-fpm.

I want to help and contribute, but am not sure where to start ... any advice?

Verne

Status: Active

Comments

Submitted by Ilia on Tue, 03/31/2020 - 06:44

Assigned: Unassigned

Hi,

Thanks for the feedback.

I remember Jamie mentioned that there is no easy way to use sockets.

There should be other ways to make SELinux work. It's pretty flexible.

Socket files caused too many problems, for example when domain ownership changed. They are supported if you change the Apache and FPM configs manually, but Virtualmin isn't going to set them up by default.

sorry I missed your quickly posted comments ....

my issue stemmed from ... SELinux not liking FPM using the particular tcp ports it chooses ... the default ones for RedHat 7 are

semanage port -l | grep ^http_port_t
http_port_t tcp 80, 81, 443, 488, 8008, 8009, 8443, 9000

I think to add 99 more I would do

semanage port --add -t http_port_t -p tcp 9001-9099

and to clean things up if ever needed ...

semanage port --delete -t http_port_t -p tcp 9001-9099

.... my thinking being ... NOT to let httpd just talk to all the ports with something like the boolean nis_enabled

and in regards to sockets, I had success with a CONF file with sections like

[vhost92-test]
user = vhost92
group = vhost92
listen = /var/run/php-fpm/vhost92.sock
listen.owner = vhost92
listen.group = vhost92
listen.mode = 0660

Verne
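As an added example (not code from this thread or from Virtualmin), the following script renders the per-vhost socket pool Verne describes together with the Apache 2.4 mod_proxy_fcgi handler that points at it, and checks a TCP port against `semanage port -l` output before anyone falls back to a TCP pool. The socket directory /var/run/php-fpm, the handler syntax, and the sample semanage line are assumptions or constructed values, and the sample line adds the 9001-9099 range proposed above to the ports quoted in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from Virtualmin. It renders the
# per-vhost pool Verne describes (unix socket under /var/run/php-fpm, assumed
# path) plus the matching Apache 2.4 mod_proxy_fcgi handler, and checks a TCP
# port against `semanage port -l` output before a TCP pool is chosen instead.

# Emit a php-fpm pool that listens on a unix socket owned by the vhost user.
fpm_pool_conf() {
  vh="$1"
  case "$vh" in
    ''|*[!A-Za-z0-9_.-]*) echo "invalid vhost name: '$vh'" >&2; return 1 ;;
  esac
  printf '[%s]\nuser = %s\ngroup = %s\n' "$vh" "$vh" "$vh"
  printf 'listen = /var/run/php-fpm/%s.sock\n' "$vh"
  # 0660 with listen.group = vhost group: the apache user must be a member of
  # that group to connect to the socket (alternative: listen.group = apache).
  printf 'listen.owner = %s\nlisten.group = %s\nlisten.mode = 0660\n' "$vh" "$vh"
}

# Emit the Apache directive that routes .php requests to that socket.
apache_handler() {
  printf '<FilesMatch "\\.php$">\n    SetHandler "proxy:unix:/var/run/php-fpm/%s.sock|fcgi://localhost"\n</FilesMatch>\n' "$1"
}

# Read `semanage port -l` output on stdin; exit 0 if TCP port $1 is labelled
# http_port_t (single ports and ranges such as 9001-9099 both count).
port_in_http_port_t() {
  awk -v p="$1" '$1 == "http_port_t" && $2 == "tcp" {
      for (i = 3; i <= NF; i++) {
        r = $i; sub(/,$/, "", r)
        if (r ~ /-/) { split(r, a, "-"); if (p+0 >= a[1]+0 && p+0 <= a[2]+0) found = 1 }
        else if (r+0 == p+0) found = 1
      }
    }
    END { exit found ? 0 : 1 }'
}

# Constructed sample of the relevant semanage line: the RedHat 7 defaults
# quoted in the thread plus the 9001-9099 range Verne proposes adding.
SEMANAGE_SAMPLE='http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000, 9001-9099'

# Usage: sh this_script.sh vhost92
if [ -n "${1:-}" ]; then
  fpm_pool_conf "$1" && apache_handler "$1"
  printf '%s\n' "$SEMANAGE_SAMPLE" | port_in_http_port_t 9000 && echo "tcp/9000 is labelled http_port_t"
fi
```

Run `semanage port -l | port_in_http_port_t 9050` on the real host to test the live policy instead of the constructed sample.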