SELinux is preventing /usr/sbin/php-fpm from lock access on the file cert9.db
I have an SELinux alert for the file /var/cache/nginx/.pki/nssdb/cert9.db, but I don't know what label I should give it. The SELinux report suggests hundreds of labels; which is the correct one to allow php-fpm to have lock access on the cert9.db file?
SELinux is preventing /usr/sbin/php-fpm from lock access on the file /var/cache/nginx/.pki/nssdb/cert9.db.
***** Plugin catchall_labels (83.8 confidence) suggests *******************
If you want to allow php-fpm to have lock access on the cert9.db file
Then you need to change the label on /var/cache/nginx/.pki/nssdb/cert9.db
Do
# semanage fcontext -a -t FILE_TYPE '/var/cache/nginx/.pki/nssdb/cert9.db'
where FILE_TYPE is one of the following: NetworkManager_exec_t, NetworkManager_log_t, NetworkManager_tmp_t, abrt_dump_oops_exec_t, abrt_etc_t, abrt_exec_t, abrt_handle_event_exec_t, abrt_helper_exec_t, abrt_retrace_coredump_exec_t, abrt_retrace_spool_t, abrt_retrace_worker_exec_t, abrt_tmp_t, abrt_upload_watch_tmp_t, abrt_var_cache_t, abrt_var_log_t, abrt_var_run_t, accountsd_exec_t, acct_data_t, acct_exec_t, admin_crontab_tmp_t, admin_passwd_exec_t, afs_logfile_t, aide_exec_t, aide_log_t, alsa_exec_t, alsa_tmp_t, amanda_exec_t, amanda_log_t, amanda_recover_exec_t, amanda_tmp_t, amtu_exec_t, anacron_exec_t, anon_inodefs_t, antivirus_log_t, antivirus_tmp_t, apcupsd_cgi_content_t, apcupsd_cgi_htaccess_t, apcupsd_cgi_ra_content_t, apcupsd_cgi_rw_content_t, apcupsd_cgi_script_exec_t, apcupsd_log_t, apcupsd_tmp_t, apm_exec_t, apmd_log_t, apmd_tmp_t, arpwatch_tmp_t, asterisk_log_t, asterisk_tmp_t, audisp_exec_t, auditadm_sudo_tmp_t, auditctl_exec_t, auth_cache_t, authconfig_exec_t, automount_tmp_t, avahi_exec_t, awstats_content_t, awstats_htaccess_t, awstats_ra_content_t, awstats_rw_content_t, awstats_script_exec_t, awstats_tmp_t, bacula_admin_exec_t, bacula_log_t, bacula_tmp_t, bacula_unconfined_script_exec_t, bin_t, bitlbee_log_t, bitlbee_tmp_t, blueman_exec_t, bluetooth_helper_exec_t, bluetooth_helper_tmp_t, bluetooth_helper_tmpfs_t, bluetooth_tmp_t, boinc_log_t, boinc_project_tmp_t, boinc_tmp_t, boot_t, bootloader_exec_t, bootloader_tmp_t, brctl_exec_t, brltty_log_t, bugzilla_content_t, bugzilla_htaccess_t, bugzilla_ra_content_t, bugzilla_rw_content_t, bugzilla_script_exec_t, bugzilla_tmp_t, calamaris_exec_t, calamaris_log_t, calamaris_www_t, callweaver_log_t, canna_log_t, cardctl_exec_t, cardmgr_dev_t, ccs_tmp_t, ccs_var_lib_t, ccs_var_log_t, cdcc_exec_t, cdcc_tmp_t, cdrecord_exec_t, cert_t, certmaster_var_log_t, certmonger_unconfined_exec_t, certwatch_exec_t, cfengine_log_t, cgred_log_t, checkpc_exec_t, checkpc_log_t, checkpolicy_exec_t, chfn_exec_t, chkpwd_exec_t, 
chrome_sandbox_exec_t, chrome_sandbox_nacl_exec_t, chrome_sandbox_tmp_t, chronyc_exec_t, chronyd_tmp_t, chronyd_var_log_t, cinder_api_tmp_t, cinder_backup_tmp_t, cinder_log_t, cinder_scheduler_tmp_t, cinder_volume_tmp_t, cloud_init_tmp_t, cloud_log_t, cluster_conf_t, cluster_tmp_t, cluster_var_lib_t, cluster_var_log_t, cluster_var_run_t, cobbler_etc_t, cobbler_tmp_t, cobbler_var_lib_t, cobbler_var_log_t, cockpit_tmp_t, collectd_content_t, collectd_htaccess_t, collectd_ra_content_t, collectd_rw_content_t, collectd_script_exec_t, collectd_script_tmp_t, colord_exec_t, colord_tmp_t, comsat_tmp_t, condor_log_t, condor_master_tmp_t, condor_schedd_tmp_t, condor_startd_tmp_t, conman_log_t, conman_tmp_t, conman_unconfined_script_exec_t, consolehelper_exec_t, consolekit_exec_t, consolekit_log_t, container_log_t, container_runtime_tmp_t, couchdb_log_t, couchdb_tmp_t, courier_exec_t, cpu_online_t, cpucontrol_exec_t, cpufreqselector_exec_t, cpuspeed_exec_t, crack_exec_t, crack_tmp_t, cron_log_t, crond_tmp_t, crontab_exec_t, crontab_tmp_t, ctdbd_log_t, ctdbd_tmp_t, cups_pdf_tmp_t, cupsd_config_exec_t, cupsd_log_t, cupsd_lpd_tmp_t, cupsd_tmp_t, cvs_content_t, cvs_data_t, cvs_exec_t, cvs_htaccess_t, cvs_ra_content_t, cvs_rw_content_t, cvs_script_exec_t, cvs_tmp_t, cyphesis_exec_t, cyphesis_log_t, cyphesis_tmp_t, cyrus_tmp_t, dbadm_sudo_tmp_t, dbskkd_tmp_t, dbusd_etc_t, dbusd_exec_t, dcc_client_exec_t, dcc_client_tmp_t, dcc_dbclean_exec_t, dcc_dbclean_tmp_t, dccd_tmp_t, dccifd_tmp_t, dccm_tmp_t, ddclient_log_t, ddclient_tmp_t, debuginfo_exec_t, deltacloudd_log_t, deltacloudd_tmp_t, denyhosts_var_log_t, depmod_exec_t, devicekit_disk_exec_t, devicekit_exec_t, devicekit_power_exec_t, devicekit_tmp_t, devicekit_var_log_t, dhcpc_exec_t, dhcpc_tmp_t, dhcpd_tmp_t, dirsrv_config_t, dirsrv_share_t, dirsrv_snmp_var_log_t, dirsrv_tmp_t, dirsrv_var_log_t, dirsrv_var_run_t, dirsrvadmin_config_t, dirsrvadmin_content_t, dirsrvadmin_htaccess_t, dirsrvadmin_ra_content_t, dirsrvadmin_rw_content_t, 
dirsrvadmin_script_exec_t, dirsrvadmin_tmp_t, disk_munin_plugin_exec_t, disk_munin_plugin_tmp_t, dkim_milter_tmp_t, dlm_controld_var_log_t, dmesg_exec_t, dmidecode_exec_t, dnsmasq_tmp_t, dnsmasq_var_log_t, dnssec_trigger_tmp_t, dovecot_auth_tmp_t, dovecot_deliver_tmp_t, dovecot_tmp_t, dovecot_var_log_t, drbd_tmp_t, dspam_content_t, dspam_htaccess_t, dspam_log_t, dspam_ra_content_t, dspam_rw_content_t, dspam_script_exec_t, etc_runtime_t, etc_t, evtchnd_var_log_t, exim_exec_t, exim_log_t, exim_tmp_t, fail2ban_client_exec_t, fail2ban_log_t, fail2ban_tmp_t, fail2ban_var_lib_t, faillog_t, fenced_tmp_t, fenced_var_log_t, fetchmail_exec_t, fetchmail_log_t, file_context_t, fingerd_log_t, firewalld_exec_t, firewalld_tmp_t, firewalld_var_log_t, firewallgui_exec_t, firewallgui_tmp_t, firstboot_exec_t, foghorn_var_log_t, fonts_cache_t, fonts_t, fprintd_exec_t, freqset_exec_t, fsadm_exec_t, fsadm_log_t, fsadm_tmp_t, fsdaemon_tmp_t, ftpd_tmp_t, ftpdctl_exec_t, ftpdctl_tmp_t, games_exec_t, games_tmp_t, games_tmpfs_t, ganesha_tmp_t, ganesha_var_log_t, gconf_tmp_t, gconfd_exec_t, gconfdefaultsm_exec_t, geoclue_exec_t, geoclue_tmp_t, getty_exec_t, getty_log_t, getty_tmp_t, gfs_controld_var_log_t, git_content_t, git_htaccess_t, git_ra_content_t, git_rw_content_t, git_script_exec_t, git_script_tmp_t, git_sys_content_t, gitd_exec_t, gitosis_exec_t, gitosis_var_lib_t, gkeyringd_exec_t, gkeyringd_tmp_t, glance_log_t, glance_registry_tmp_t, glance_tmp_t, glusterd_log_t, glusterd_tmp_t, gnomesystemmm_exec_t, gpg_agent_exec_t, gpg_agent_tmp_t, gpg_exec_t, gpg_helper_exec_t, gpg_pinentry_tmp_t, gpg_pinentry_tmpfs_t, gpm_tmp_t, gpsd_exec_t, groupadd_exec_t, groupd_var_log_t, gssd_tmp_t, haproxy_var_log_t, hostname_etc_t, hostname_exec_t, hsqldb_tmp_t, httpd_cache_t, httpd_config_t, httpd_exec_t, httpd_keytab_t, httpd_lock_t, httpd_log_t, httpd_modules_t, httpd_passwd_exec_t, httpd_php_tmp_t, httpd_squirrelmail_t, httpd_suexec_tmp_t, httpd_sys_content_t, httpd_sys_htaccess_t, 
httpd_sys_ra_content_t, httpd_sys_rw_content_t, httpd_sys_script_exec_t, httpd_tmp_t, httpd_tmpfs_t, httpd_user_htaccess_t, httpd_user_ra_content_t, httpd_user_rw_content_t, httpd_user_script_exec_t, httpd_var_lib_t, httpd_var_run_t, hugetlbfs_t, hwclock_exec_t, hwloc_dhwd_exec_t, iceauth_exec_t, icecast_exec_t, icecast_log_t, ifconfig_exec_t, inetd_child_tmp_t, inetd_log_t, inetd_tmp_t, init_tmp_t, initrc_tmp_t, initrc_var_log_t, innd_log_t, insmod_exec_t, install_exec_t, iotop_exec_t, ipa_cert_t, ipa_helper_exec_t, ipa_log_t, ipa_tmp_t, ipa_var_lib_t, ipa_var_run_t, ipsec_log_t, ipsec_mgmt_exec_t, ipsec_tmp_t, iptables_exec_t, iptables_tmp_t, irc_exec_t, irssi_exec_t, iscsi_log_t, iscsi_tmp_t, iso9660_t, iwhd_log_t, jetty_cache_t, jetty_log_t, jetty_var_lib_t, jetty_var_run_t, jockey_exec_t, jockey_var_log_t, journalctl_exec_t, kadmind_log_t, kadmind_tmp_t, kdump_exec_t, kdumpctl_tmp_t, kdumpgui_exec_t, kdumpgui_tmp_t, keepalived_unconfined_script_exec_t, keystone_cgi_content_t, keystone_cgi_htaccess_t, keystone_cgi_ra_content_t, keystone_cgi_rw_content_t, keystone_cgi_script_exec_t, keystone_log_t, keystone_tmp_t, kismet_exec_t, kismet_log_t, kismet_tmp_t, kismet_tmpfs_t, klogd_tmp_t, krb5_conf_t, krb5_host_rcache_t, krb5_keytab_t, krb5kdc_conf_t, krb5kdc_log_t, krb5kdc_tmp_t, ksmtuned_log_t, ktalkd_log_t, ktalkd_tmp_t, l2tpd_tmp_t, lastlog_t, ld_so_cache_t, ldconfig_exec_t, ldconfig_tmp_t, lib_t, livecd_exec_t, livecd_tmp_t, load_policy_exec_t, loadkeys_exec_t, locale_t, locate_exec_t, lockdev_exec_t, login_exec_t, logrotate_mail_tmp_t, logrotate_tmp_t, logwatch_exec_t, logwatch_mail_tmp_t, logwatch_tmp_t, lpd_tmp_t, lpr_exec_t, lpr_tmp_t, lsassd_tmp_t, lsmd_plugin_exec_t, lsmd_plugin_tmp_t, lvm_exec_t, lvm_tmp_t, machineid_t, mail_munin_plugin_exec_t, mail_munin_plugin_tmp_t, mailman_archive_t, mailman_cgi_tmp_t, mailman_data_t, mailman_log_t, mailman_mail_tmp_t, mailman_queue_tmp_t, man2html_content_t, man2html_htaccess_t, man2html_ra_content_t, 
man2html_rw_content_t, man2html_script_exec_t, man_cache_t, man_t, mandb_cache_t, mcelog_exec_t, mcelog_log_t, mdadm_log_t, mdadm_tmp_t, mediawiki_content_t, mediawiki_htaccess_t, mediawiki_ra_content_t, mediawiki_rw_content_t, mediawiki_script_exec_t, mediawiki_tmp_t, mencoder_exec_t, minidlna_log_t, mirrormanager_exec_t, mirrormanager_log_t, mirrormanager_var_lib_t, mirrormanager_var_run_t, mock_build_exec_t, mock_exec_t, mock_tmp_t, modemmanager_exec_t, mojomojo_content_t, mojomojo_htaccess_t, mojomojo_ra_content_t, mojomojo_rw_content_t, mojomojo_script_exec_t, mojomojo_tmp_t, mongod_log_t, mongod_tmp_t, motion_log_t, mount_ecryptfs_exec_t, mount_exec_t, mount_tmp_t, mozilla_exec_t, mozilla_plugin_config_exec_t, mozilla_plugin_exec_t, mozilla_plugin_tmp_t, mozilla_plugin_tmpfs_t, mozilla_tmp_t, mozilla_tmpfs_t, mpd_exec_t, mpd_log_t, mpd_tmp_t, mplayer_exec_t, mplayer_tmpfs_t, mrtg_exec_t, mrtg_log_t, mscan_tmp_t, munin_content_t, munin_etc_t, munin_htaccess_t, munin_log_t, munin_ra_content_t, munin_rw_content_t, munin_script_exec_t, munin_script_tmp_t, munin_tmp_t, mysqld_etc_t, mysqld_log_t, mysqld_tmp_t, mythtv_content_t, mythtv_htaccess_t, mythtv_ra_content_t, mythtv_rw_content_t, mythtv_script_exec_t, mythtv_var_log_t, nagios_admin_plugin_exec_t, nagios_checkdisk_plugin_exec_t, nagios_content_t, nagios_etc_t, nagios_eventhandler_plugin_exec_t, nagios_eventhandler_plugin_tmp_t, nagios_htaccess_t, nagios_log_t, nagios_mail_plugin_exec_t, nagios_openshift_plugin_exec_t, nagios_openshift_plugin_tmp_t, nagios_ra_content_t, nagios_rw_content_t, nagios_script_exec_t, nagios_services_plugin_exec_t, nagios_system_plugin_exec_t, nagios_system_plugin_tmp_t, nagios_tmp_t, nagios_unconfined_plugin_exec_t, nagios_var_lib_t, named_checkconf_exec_t, named_exec_t, named_log_t, named_tmp_t, namespace_init_exec_t, ncftool_exec_t, ndc_exec_t, net_conf_t, netlabel_mgmt_exec_t, netutils_exec_t, netutils_tmp_t, neutron_log_t, neutron_tmp_t, newrole_exec_t, nova_log_t, 
nova_tmp_t, nscd_log_t, nsd_log_t, nsd_tmp_t, ntop_tmp_t, ntpd_log_t, ntpd_tmp_t, ntpdate_exec_t, numad_var_log_t, nut_upsd_tmp_t, nut_upsdrvctl_tmp_t, nut_upsmon_tmp_t, nutups_cgi_content_t, nutups_cgi_htaccess_t, nutups_cgi_ra_content_t, nutups_cgi_rw_content_t, nutups_cgi_script_exec_t, nx_server_tmp_t, obex_exec_t, oddjob_mkhomedir_exec_t, opendnssec_tmp_t, openhpid_log_t, openshift_cgroup_read_exec_t, openshift_cgroup_read_tmp_t, openshift_content_t, openshift_cron_tmp_t, openshift_htaccess_t, openshift_initrc_tmp_t, openshift_log_t, openshift_net_read_exec_t, openshift_ra_content_t, openshift_rw_content_t, openshift_script_exec_t, openshift_tmp_t, opensm_log_t, openvpn_status_t, openvpn_tmp_t, openvpn_var_log_t, openvswitch_log_t, openvswitch_tmp_t, openwsman_log_t, openwsman_tmp_t, oracleasm_tmp_t, osad_log_t, pads_exec_t, pam_console_exec_t, pam_timestamp_tmp_t, passenger_exec_t, passenger_log_t, passenger_tmp_t, passenger_var_lib_t, passenger_var_run_t, passwd_exec_t, passwd_file_t, pcp_log_t, pcp_tmp_t, pcscd_var_run_t, pegasus_openlmi_storage_tmp_t, pegasus_tmp_t, pesign_tmp_t, pinentry_exec_t, ping_exec_t, piranha_log_t, piranha_web_tmp_t, pkcs_slotd_log_t, pkcs_slotd_tmp_t, pki_log_t, pki_ra_etc_rw_t, pki_ra_log_t, pki_ra_var_lib_t, pki_ra_var_run_t, pki_tomcat_cert_t, pki_tomcat_log_t, pki_tomcat_tmp_t, pki_tps_etc_rw_t, pki_tps_log_t, pki_tps_var_lib_t, pki_tps_var_run_t, plymouth_exec_t, plymouthd_var_log_t, podsleuth_exec_t, podsleuth_tmp_t, podsleuth_tmpfs_t, policykit_auth_exec_t, policykit_exec_t, policykit_grant_exec_t, policykit_resolve_exec_t, policykit_tmp_t, polipo_exec_t, polipo_log_t, portmap_helper_exec_t, portmap_tmp_t, postfix_bounce_tmp_t, postfix_cleanup_tmp_t, postfix_exec_t, postfix_local_tmp_t, postfix_map_exec_t, postfix_map_tmp_t, postfix_pickup_tmp_t, postfix_pipe_tmp_t, postfix_postdrop_exec_t, postfix_postdrop_t, postfix_postqueue_exec_t, postfix_qmgr_tmp_t, postfix_showq_exec_t, postfix_smtp_tmp_t, postfix_smtpd_tmp_t, 
postfix_virtual_tmp_t, postgresql_log_t, postgresql_tmp_t, pppd_exec_t, pppd_log_t, pppd_tmp_t, pptp_log_t, prelink_exec_t, prelink_log_t, prelink_tmp_t, prelude_lml_tmp_t, prelude_log_t, preupgrade_data_t, preupgrade_exec_t, prewikka_content_t, prewikka_htaccess_t, prewikka_ra_content_t, prewikka_rw_content_t, prewikka_script_exec_t, privoxy_log_t, proc_t, procmail_exec_t, procmail_log_t, procmail_tmp_t, prosody_log_t, prosody_tmp_t, psad_tmp_t, psad_var_log_t, ptchown_exec_t, public_content_rw_t, public_content_t, pulseaudio_exec_t, pulseaudio_tmpfs_t, puppet_log_t, puppet_tmp_t, puppet_var_lib_t, puppetca_exec_t, puppetmaster_tmp_t, pwauth_exec_t, pyicqt_log_t, qdiskd_var_log_t, qemu_exec_t, qmail_tcp_env_exec_t, qpidd_tmp_t, quota_exec_t, rabbitmq_tmp_t, rabbitmq_var_log_t, racoon_tmp_t, radiusd_log_t, readahead_exec_t, realmd_exec_t, realmd_tmp_t, realmd_var_lib_t, redis_log_t, rhev_agentd_log_t, rhev_agentd_tmp_t, rhsmcertd_exec_t, rhsmcertd_log_t, rhsmcertd_tmp_t, ricci_modcluster_var_log_t, ricci_tmp_t, ricci_var_log_t, rkhunter_var_lib_t, rlogind_tmp_t, rpcbind_tmp_t, rpm_exec_t, rpm_log_t, rpm_script_tmp_t, rpm_tmp_t, rssh_chroot_helper_exec_t, rssh_exec_t, rsync_exec_t, rsync_log_t, rsync_tmp_t, rtas_errd_log_t, rtas_errd_tmp_t, rtkit_daemon_exec_t, run_init_exec_t, samba_etc_t, samba_log_t, samba_net_exec_t, samba_net_tmp_t, samba_var_t, sambagui_exec_t, sanlock_log_t, sbd_tmpfs_t, sblim_tmp_t, screen_exec_t, secadm_sudo_tmp_t, sectool_tmp_t, sectool_var_log_t, sectoolm_exec_t, security_t, selinux_munin_plugin_exec_t, selinux_munin_plugin_tmp_t, semanage_exec_t, semanage_tmp_t, sendmail_exec_t, sendmail_log_t, sendmail_tmp_t, sensord_log_t, services_munin_plugin_exec_t, services_munin_plugin_tmp_t, session_dbusd_tmp_t, setfiles_exec_t, setkey_exec_t, setroubleshoot_fixit_exec_t, setroubleshoot_var_log_t, setroubleshootd_exec_t, setsebool_exec_t, seunshare_exec_t, sge_job_exec_t, sge_shepherd_exec_t, sge_tmp_t, shell_exec_t, shorewall_log_t, 
shorewall_tmp_t, showmount_exec_t, slapd_cert_t, slapd_log_t, slapd_tmp_t, slpd_log_t, smbcontrol_exec_t, smbd_tmp_t, smokeping_cgi_content_t, smokeping_cgi_htaccess_t, smokeping_cgi_ra_content_t, smokeping_cgi_rw_content_t, smokeping_cgi_script_exec_t, smokeping_var_lib_t, smokeping_var_run_t, smoltclient_exec_t, smoltclient_tmp_t, smsd_log_t, smsd_tmp_t, snapperd_exec_t, snapperd_log_t, snmpd_log_t, snort_log_t, snort_tmp_t, sosreport_exec_t, sosreport_tmp_t, soundd_tmp_t, spamc_exec_t, spamc_tmp_t, spamd_log_t, spamd_tmp_t, spamd_update_exec_t, speech-dispatcher_exec_t, speech-dispatcher_log_t, speech-dispatcher_tmp_t, squid_content_t, squid_cron_exec_t, squid_htaccess_t, squid_log_t, squid_ra_content_t, squid_rw_content_t, squid_script_exec_t, squid_tmp_t, squirrelmail_spool_t, src_t, ssh_agent_exec_t, ssh_agent_tmp_t, ssh_exec_t, ssh_keygen_exec_t, ssh_keygen_tmp_t, ssh_keysign_exec_t, ssh_tmpfs_t, sssd_public_t, sssd_selinux_manager_exec_t, sssd_var_lib_t, sssd_var_log_t, staff_sudo_tmp_t, stapserver_log_t, stapserver_tmp_t, stunnel_log_t, stunnel_tmp_t, su_exec_t, sudo_exec_t, sudo_log_t, sulogin_exec_t, svc_multilog_exec_t, svc_run_exec_t, svc_start_exec_t, svirt_tmp_t, svnserve_log_t, svnserve_tmp_t, swat_tmp_t, swift_tmp_t, sysadm_passwd_tmp_t, sysadm_sudo_tmp_t, sysfs_t, syslogd_tmp_t, sysstat_exec_t, sysstat_log_t, system_conf_t, system_cronjob_tmp_t, system_db_t, system_dbusd_tmp_t, system_dbusd_var_lib_t, system_mail_tmp_t, system_munin_plugin_exec_t, system_munin_plugin_tmp_t, systemd_passwd_var_run_t, targetd_tmp_t, tcpd_tmp_t, telepathy_gabble_exec_t, telepathy_gabble_tmp_t, telepathy_idle_exec_t, telepathy_idle_tmp_t, telepathy_logger_exec_t, telepathy_logger_tmp_t, telepathy_mission_control_exec_t, telepathy_mission_control_tmp_t, telepathy_msn_exec_t, telepathy_msn_tmp_t, telepathy_salut_exec_t, telepathy_salut_tmp_t, telepathy_sofiasip_exec_t, telepathy_sofiasip_tmp_t, telepathy_stream_engine_exec_t, telepathy_stream_engine_tmp_t, 
telepathy_sunshine_exec_t, telepathy_sunshine_tmp_t, telnetd_tmp_t, tetex_data_t, textrel_shlib_t, tgtd_tmp_t, thin_aeolus_configserver_log_t, thin_log_t, thumb_exec_t, thumb_tmp_t, tmp_t, tmpreaper_exec_t, tomcat_log_t, tomcat_tmp_t, tor_var_log_t, traceroute_exec_t, tuned_log_t, tuned_tmp_t, tvtime_exec_t, tvtime_tmp_t, tvtime_tmpfs_t, udev_tmp_t, udev_var_run_t, ulogd_var_log_t, uml_exec_t, uml_tmp_t, uml_tmpfs_t, unconfined_exec_t, unconfined_munin_plugin_exec_t, unconfined_munin_plugin_tmp_t, update_modules_exec_t, update_modules_tmp_t, updfstab_exec_t, usbmodules_exec_t, usbmuxd_exec_t, user_cron_spool_t, user_fonts_t, user_mail_tmp_t, user_tmp_t, useradd_exec_t, userhelper_exec_t, usernetctl_exec_t, usr_t, utempter_exec_t, uucpd_log_t, uucpd_tmp_t, uux_exec_t, var_lib_t, var_log_t, var_spool_t, varnishd_tmp_t, varnishlog_log_t, vdagent_log_t, virsh_exec_t, virt_log_t, virt_qemu_ga_log_t, virt_qemu_ga_tmp_t, virt_qemu_ga_unconfined_exec_t, virt_tmp_t, virt_var_lib_t, virtd_lxc_exec_t, vlock_exec_t, vmtools_helper_exec_t, vmtools_tmp_t, vmtools_unconfined_exec_t, vmware_exec_t, vmware_host_tmp_t, vmware_log_t, vmware_tmp_t, vmware_tmpfs_t, vnstat_exec_t, vpnc_exec_t, vpnc_tmp_t, w3c_validator_content_t, w3c_validator_htaccess_t, w3c_validator_ra_content_t, w3c_validator_rw_content_t, w3c_validator_script_exec_t, w3c_validator_tmp_t, watchdog_log_t, watchdog_unconfined_exec_t, webadm_tmp_t, webalizer_content_t, webalizer_exec_t, webalizer_htaccess_t, webalizer_ra_content_t, webalizer_rw_content_t, webalizer_script_exec_t, webalizer_tmp_t, winbind_log_t, wine_exec_t, wireshark_exec_t, wireshark_tmp_t, wireshark_tmpfs_t, wpa_cli_exec_t, wtmp_t, xauth_exec_t, xauth_tmp_t, xdm_exec_t, xdm_log_t, xdm_unconfined_exec_t, xend_tmp_t, xend_var_log_t, xenstored_tmp_t, xenstored_var_log_t, xferlog_t, xserver_exec_t, xserver_log_t, xserver_tmpfs_t, ypbind_tmp_t, ypserv_tmp_t, zabbix_log_t, zabbix_script_exec_t, zabbix_tmp_t, zarafa_deliver_log_t, zarafa_deliver_tmp_t, 
zarafa_gateway_log_t, zarafa_ical_log_t, zarafa_indexer_log_t, zarafa_indexer_tmp_t, zarafa_monitor_log_t, zarafa_server_log_t, zarafa_server_tmp_t, zarafa_spooler_log_t, zarafa_var_lib_t, zebra_log_t, zebra_tmp_t, zoneminder_content_t, zoneminder_exec_t, zoneminder_htaccess_t, zoneminder_log_t, zoneminder_ra_content_t, zoneminder_rw_content_t, zoneminder_script_exec_t, zoneminder_var_lib_t, zos_remote_exec_t.
Then execute:
restorecon -v '/var/cache/nginx/.pki/nssdb/cert9.db'
***** Plugin catchall (17.1 confidence) suggests **************************
If you believe that php-fpm should be allowed lock access on the cert9.db file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'php-fpm' --raw | audit2allow -M my-phpfpm
# semodule -i my-phpfpm.pp
Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:object_r:var_t:s0
Target Objects /var/cache/nginx/.pki/nssdb/cert9.db [ file ]
Source php-fpm
Source Path /usr/sbin/php-fpm
Port <Unknown>
Host di-staging
Source RPM Packages php-fpm-7.2.14-1.el7.remi.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name di-staging
Platform Linux di-staging 3.10.0-957.el7.x86_64 #1 SMP Thu
Nov 8 23:39:32 UTC 2018 x86_64 x86_64
Alert Count 936
First Seen 2019-03-02 16:32:29 GMT
Last Seen 2019-03-02 21:24:14 GMT
Local ID 3a672c0c-ed3b-4509-9695-49eca37e2061
Raw Audit Messages
type=AVC msg=audit(1551561854.609:568178): avc: denied { lock } for pid=3751 comm="php-fpm" path="/var/cache/nginx/.pki/nssdb/cert9.db" dev="sda2" ino=790407 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1551561854.609:568178): arch=x86_64 syscall=fcntl success=no exit=EACCES a0=8 a1=6 a2=7ffe4a3e47e0 a3=0 items=0 ppid=3450 pid=3751 auid=4294967295 uid=996 gid=993 euid=996 suid=996 fsuid=996 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm=php-fpm exe=/usr/sbin/php-fpm subj=system_u:system_r:httpd_t:s0 key=(null)
Hash: php-fpm,httpd_t,var_t,file,lock
linux rhel security php selinux
I have an SELinux alert for the file /var/cache/nginx/.pki/nssdb/cert9.db, but I don't know what label I should give it. The SELinux report suggests hundreds of labels; which is the correct one to allow php-fpm to have lock access on the cert9.db file?
SELinux is preventing /usr/sbin/php-fpm from lock access on the file /var/cache/nginx/.pki/nssdb/cert9.db.
***** Plugin catchall_labels (83.8 confidence) suggests *******************
If you want to allow php-fpm to have lock access on the cert9.db file
Then you need to change the label on /var/cache/nginx/.pki/nssdb/cert9.db
Do
# semanage fcontext -a -t FILE_TYPE '/var/cache/nginx/.pki/nssdb/cert9.db'
where FILE_TYPE is one of the following: NetworkManager_exec_t, NetworkManager_log_t, NetworkManager_tmp_t, abrt_dump_oops_exec_t, abrt_etc_t, abrt_exec_t, abrt_handle_event_exec_t, abrt_helper_exec_t, abrt_retrace_coredump_exec_t, abrt_retrace_spool_t, abrt_retrace_worker_exec_t, abrt_tmp_t, abrt_upload_watch_tmp_t, abrt_var_cache_t, abrt_var_log_t, abrt_var_run_t, accountsd_exec_t, acct_data_t, acct_exec_t, admin_crontab_tmp_t, admin_passwd_exec_t, afs_logfile_t, aide_exec_t, aide_log_t, alsa_exec_t, alsa_tmp_t, amanda_exec_t, amanda_log_t, amanda_recover_exec_t, amanda_tmp_t, amtu_exec_t, anacron_exec_t, anon_inodefs_t, antivirus_log_t, antivirus_tmp_t, apcupsd_cgi_content_t, apcupsd_cgi_htaccess_t, apcupsd_cgi_ra_content_t, apcupsd_cgi_rw_content_t, apcupsd_cgi_script_exec_t, apcupsd_log_t, apcupsd_tmp_t, apm_exec_t, apmd_log_t, apmd_tmp_t, arpwatch_tmp_t, asterisk_log_t, asterisk_tmp_t, audisp_exec_t, auditadm_sudo_tmp_t, auditctl_exec_t, auth_cache_t, authconfig_exec_t, automount_tmp_t, avahi_exec_t, awstats_content_t, awstats_htaccess_t, awstats_ra_content_t, awstats_rw_content_t, awstats_script_exec_t, awstats_tmp_t, bacula_admin_exec_t, bacula_log_t, bacula_tmp_t, bacula_unconfined_script_exec_t, bin_t, bitlbee_log_t, bitlbee_tmp_t, blueman_exec_t, bluetooth_helper_exec_t, bluetooth_helper_tmp_t, bluetooth_helper_tmpfs_t, bluetooth_tmp_t, boinc_log_t, boinc_project_tmp_t, boinc_tmp_t, boot_t, bootloader_exec_t, bootloader_tmp_t, brctl_exec_t, brltty_log_t, bugzilla_content_t, bugzilla_htaccess_t, bugzilla_ra_content_t, bugzilla_rw_content_t, bugzilla_script_exec_t, bugzilla_tmp_t, calamaris_exec_t, calamaris_log_t, calamaris_www_t, callweaver_log_t, canna_log_t, cardctl_exec_t, cardmgr_dev_t, ccs_tmp_t, ccs_var_lib_t, ccs_var_log_t, cdcc_exec_t, cdcc_tmp_t, cdrecord_exec_t, cert_t, certmaster_var_log_t, certmonger_unconfined_exec_t, certwatch_exec_t, cfengine_log_t, cgred_log_t, checkpc_exec_t, checkpc_log_t, checkpolicy_exec_t, chfn_exec_t, chkpwd_exec_t, 
chrome_sandbox_exec_t, chrome_sandbox_nacl_exec_t, chrome_sandbox_tmp_t, chronyc_exec_t, chronyd_tmp_t, chronyd_var_log_t, cinder_api_tmp_t, cinder_backup_tmp_t, cinder_log_t, cinder_scheduler_tmp_t, cinder_volume_tmp_t, cloud_init_tmp_t, cloud_log_t, cluster_conf_t, cluster_tmp_t, cluster_var_lib_t, cluster_var_log_t, cluster_var_run_t, cobbler_etc_t, cobbler_tmp_t, cobbler_var_lib_t, cobbler_var_log_t, cockpit_tmp_t, collectd_content_t, collectd_htaccess_t, collectd_ra_content_t, collectd_rw_content_t, collectd_script_exec_t, collectd_script_tmp_t, colord_exec_t, colord_tmp_t, comsat_tmp_t, condor_log_t, condor_master_tmp_t, condor_schedd_tmp_t, condor_startd_tmp_t, conman_log_t, conman_tmp_t, conman_unconfined_script_exec_t, consolehelper_exec_t, consolekit_exec_t, consolekit_log_t, container_log_t, container_runtime_tmp_t, couchdb_log_t, couchdb_tmp_t, courier_exec_t, cpu_online_t, cpucontrol_exec_t, cpufreqselector_exec_t, cpuspeed_exec_t, crack_exec_t, crack_tmp_t, cron_log_t, crond_tmp_t, crontab_exec_t, crontab_tmp_t, ctdbd_log_t, ctdbd_tmp_t, cups_pdf_tmp_t, cupsd_config_exec_t, cupsd_log_t, cupsd_lpd_tmp_t, cupsd_tmp_t, cvs_content_t, cvs_data_t, cvs_exec_t, cvs_htaccess_t, cvs_ra_content_t, cvs_rw_content_t, cvs_script_exec_t, cvs_tmp_t, cyphesis_exec_t, cyphesis_log_t, cyphesis_tmp_t, cyrus_tmp_t, dbadm_sudo_tmp_t, dbskkd_tmp_t, dbusd_etc_t, dbusd_exec_t, dcc_client_exec_t, dcc_client_tmp_t, dcc_dbclean_exec_t, dcc_dbclean_tmp_t, dccd_tmp_t, dccifd_tmp_t, dccm_tmp_t, ddclient_log_t, ddclient_tmp_t, debuginfo_exec_t, deltacloudd_log_t, deltacloudd_tmp_t, denyhosts_var_log_t, depmod_exec_t, devicekit_disk_exec_t, devicekit_exec_t, devicekit_power_exec_t, devicekit_tmp_t, devicekit_var_log_t, dhcpc_exec_t, dhcpc_tmp_t, dhcpd_tmp_t, dirsrv_config_t, dirsrv_share_t, dirsrv_snmp_var_log_t, dirsrv_tmp_t, dirsrv_var_log_t, dirsrv_var_run_t, dirsrvadmin_config_t, dirsrvadmin_content_t, dirsrvadmin_htaccess_t, dirsrvadmin_ra_content_t, dirsrvadmin_rw_content_t, 
dirsrvadmin_script_exec_t, dirsrvadmin_tmp_t, disk_munin_plugin_exec_t, disk_munin_plugin_tmp_t, dkim_milter_tmp_t, dlm_controld_var_log_t, dmesg_exec_t, dmidecode_exec_t, dnsmasq_tmp_t, dnsmasq_var_log_t, dnssec_trigger_tmp_t, dovecot_auth_tmp_t, dovecot_deliver_tmp_t, dovecot_tmp_t, dovecot_var_log_t, drbd_tmp_t, dspam_content_t, dspam_htaccess_t, dspam_log_t, dspam_ra_content_t, dspam_rw_content_t, dspam_script_exec_t, etc_runtime_t, etc_t, evtchnd_var_log_t, exim_exec_t, exim_log_t, exim_tmp_t, fail2ban_client_exec_t, fail2ban_log_t, fail2ban_tmp_t, fail2ban_var_lib_t, faillog_t, fenced_tmp_t, fenced_var_log_t, fetchmail_exec_t, fetchmail_log_t, file_context_t, fingerd_log_t, firewalld_exec_t, firewalld_tmp_t, firewalld_var_log_t, firewallgui_exec_t, firewallgui_tmp_t, firstboot_exec_t, foghorn_var_log_t, fonts_cache_t, fonts_t, fprintd_exec_t, freqset_exec_t, fsadm_exec_t, fsadm_log_t, fsadm_tmp_t, fsdaemon_tmp_t, ftpd_tmp_t, ftpdctl_exec_t, ftpdctl_tmp_t, games_exec_t, games_tmp_t, games_tmpfs_t, ganesha_tmp_t, ganesha_var_log_t, gconf_tmp_t, gconfd_exec_t, gconfdefaultsm_exec_t, geoclue_exec_t, geoclue_tmp_t, getty_exec_t, getty_log_t, getty_tmp_t, gfs_controld_var_log_t, git_content_t, git_htaccess_t, git_ra_content_t, git_rw_content_t, git_script_exec_t, git_script_tmp_t, git_sys_content_t, gitd_exec_t, gitosis_exec_t, gitosis_var_lib_t, gkeyringd_exec_t, gkeyringd_tmp_t, glance_log_t, glance_registry_tmp_t, glance_tmp_t, glusterd_log_t, glusterd_tmp_t, gnomesystemmm_exec_t, gpg_agent_exec_t, gpg_agent_tmp_t, gpg_exec_t, gpg_helper_exec_t, gpg_pinentry_tmp_t, gpg_pinentry_tmpfs_t, gpm_tmp_t, gpsd_exec_t, groupadd_exec_t, groupd_var_log_t, gssd_tmp_t, haproxy_var_log_t, hostname_etc_t, hostname_exec_t, hsqldb_tmp_t, httpd_cache_t, httpd_config_t, httpd_exec_t, httpd_keytab_t, httpd_lock_t, httpd_log_t, httpd_modules_t, httpd_passwd_exec_t, httpd_php_tmp_t, httpd_squirrelmail_t, httpd_suexec_tmp_t, httpd_sys_content_t, httpd_sys_htaccess_t, 
httpd_sys_ra_content_t, httpd_sys_rw_content_t, httpd_sys_script_exec_t, httpd_tmp_t, httpd_tmpfs_t, httpd_user_htaccess_t, httpd_user_ra_content_t, httpd_user_rw_content_t, httpd_user_script_exec_t, httpd_var_lib_t, httpd_var_run_t, hugetlbfs_t, hwclock_exec_t, hwloc_dhwd_exec_t, iceauth_exec_t, icecast_exec_t, icecast_log_t, ifconfig_exec_t, inetd_child_tmp_t, inetd_log_t, inetd_tmp_t, init_tmp_t, initrc_tmp_t, initrc_var_log_t, innd_log_t, insmod_exec_t, install_exec_t, iotop_exec_t, ipa_cert_t, ipa_helper_exec_t, ipa_log_t, ipa_tmp_t, ipa_var_lib_t, ipa_var_run_t, ipsec_log_t, ipsec_mgmt_exec_t, ipsec_tmp_t, iptables_exec_t, iptables_tmp_t, irc_exec_t, irssi_exec_t, iscsi_log_t, iscsi_tmp_t, iso9660_t, iwhd_log_t, jetty_cache_t, jetty_log_t, jetty_var_lib_t, jetty_var_run_t, jockey_exec_t, jockey_var_log_t, journalctl_exec_t, kadmind_log_t, kadmind_tmp_t, kdump_exec_t, kdumpctl_tmp_t, kdumpgui_exec_t, kdumpgui_tmp_t, keepalived_unconfined_script_exec_t, keystone_cgi_content_t, keystone_cgi_htaccess_t, keystone_cgi_ra_content_t, keystone_cgi_rw_content_t, keystone_cgi_script_exec_t, keystone_log_t, keystone_tmp_t, kismet_exec_t, kismet_log_t, kismet_tmp_t, kismet_tmpfs_t, klogd_tmp_t, krb5_conf_t, krb5_host_rcache_t, krb5_keytab_t, krb5kdc_conf_t, krb5kdc_log_t, krb5kdc_tmp_t, ksmtuned_log_t, ktalkd_log_t, ktalkd_tmp_t, l2tpd_tmp_t, lastlog_t, ld_so_cache_t, ldconfig_exec_t, ldconfig_tmp_t, lib_t, livecd_exec_t, livecd_tmp_t, load_policy_exec_t, loadkeys_exec_t, locale_t, locate_exec_t, lockdev_exec_t, login_exec_t, logrotate_mail_tmp_t, logrotate_tmp_t, logwatch_exec_t, logwatch_mail_tmp_t, logwatch_tmp_t, lpd_tmp_t, lpr_exec_t, lpr_tmp_t, lsassd_tmp_t, lsmd_plugin_exec_t, lsmd_plugin_tmp_t, lvm_exec_t, lvm_tmp_t, machineid_t, mail_munin_plugin_exec_t, mail_munin_plugin_tmp_t, mailman_archive_t, mailman_cgi_tmp_t, mailman_data_t, mailman_log_t, mailman_mail_tmp_t, mailman_queue_tmp_t, man2html_content_t, man2html_htaccess_t, man2html_ra_content_t, 
man2html_rw_content_t, man2html_script_exec_t, man_cache_t, man_t, mandb_cache_t, mcelog_exec_t, mcelog_log_t, mdadm_log_t, mdadm_tmp_t, mediawiki_content_t, mediawiki_htaccess_t, mediawiki_ra_content_t, mediawiki_rw_content_t, mediawiki_script_exec_t, mediawiki_tmp_t, mencoder_exec_t, minidlna_log_t, mirrormanager_exec_t, mirrormanager_log_t, mirrormanager_var_lib_t, mirrormanager_var_run_t, mock_build_exec_t, mock_exec_t, mock_tmp_t, modemmanager_exec_t, mojomojo_content_t, mojomojo_htaccess_t, mojomojo_ra_content_t, mojomojo_rw_content_t, mojomojo_script_exec_t, mojomojo_tmp_t, mongod_log_t, mongod_tmp_t, motion_log_t, mount_ecryptfs_exec_t, mount_exec_t, mount_tmp_t, mozilla_exec_t, mozilla_plugin_config_exec_t, mozilla_plugin_exec_t, mozilla_plugin_tmp_t, mozilla_plugin_tmpfs_t, mozilla_tmp_t, mozilla_tmpfs_t, mpd_exec_t, mpd_log_t, mpd_tmp_t, mplayer_exec_t, mplayer_tmpfs_t, mrtg_exec_t, mrtg_log_t, mscan_tmp_t, munin_content_t, munin_etc_t, munin_htaccess_t, munin_log_t, munin_ra_content_t, munin_rw_content_t, munin_script_exec_t, munin_script_tmp_t, munin_tmp_t, mysqld_etc_t, mysqld_log_t, mysqld_tmp_t, mythtv_content_t, mythtv_htaccess_t, mythtv_ra_content_t, mythtv_rw_content_t, mythtv_script_exec_t, mythtv_var_log_t, nagios_admin_plugin_exec_t, nagios_checkdisk_plugin_exec_t, nagios_content_t, nagios_etc_t, nagios_eventhandler_plugin_exec_t, nagios_eventhandler_plugin_tmp_t, nagios_htaccess_t, nagios_log_t, nagios_mail_plugin_exec_t, nagios_openshift_plugin_exec_t, nagios_openshift_plugin_tmp_t, nagios_ra_content_t, nagios_rw_content_t, nagios_script_exec_t, nagios_services_plugin_exec_t, nagios_system_plugin_exec_t, nagios_system_plugin_tmp_t, nagios_tmp_t, nagios_unconfined_plugin_exec_t, nagios_var_lib_t, named_checkconf_exec_t, named_exec_t, named_log_t, named_tmp_t, namespace_init_exec_t, ncftool_exec_t, ndc_exec_t, net_conf_t, netlabel_mgmt_exec_t, netutils_exec_t, netutils_tmp_t, neutron_log_t, neutron_tmp_t, newrole_exec_t, nova_log_t, 
nova_tmp_t, nscd_log_t, nsd_log_t, nsd_tmp_t, ntop_tmp_t, ntpd_log_t, ntpd_tmp_t, ntpdate_exec_t, numad_var_log_t, nut_upsd_tmp_t, nut_upsdrvctl_tmp_t, nut_upsmon_tmp_t, nutups_cgi_content_t, nutups_cgi_htaccess_t, nutups_cgi_ra_content_t, nutups_cgi_rw_content_t, nutups_cgi_script_exec_t, nx_server_tmp_t, obex_exec_t, oddjob_mkhomedir_exec_t, opendnssec_tmp_t, openhpid_log_t, openshift_cgroup_read_exec_t, openshift_cgroup_read_tmp_t, openshift_content_t, openshift_cron_tmp_t, openshift_htaccess_t, openshift_initrc_tmp_t, openshift_log_t, openshift_net_read_exec_t, openshift_ra_content_t, openshift_rw_content_t, openshift_script_exec_t, openshift_tmp_t, opensm_log_t, openvpn_status_t, openvpn_tmp_t, openvpn_var_log_t, openvswitch_log_t, openvswitch_tmp_t, openwsman_log_t, openwsman_tmp_t, oracleasm_tmp_t, osad_log_t, pads_exec_t, pam_console_exec_t, pam_timestamp_tmp_t, passenger_exec_t, passenger_log_t, passenger_tmp_t, passenger_var_lib_t, passenger_var_run_t, passwd_exec_t, passwd_file_t, pcp_log_t, pcp_tmp_t, pcscd_var_run_t, pegasus_openlmi_storage_tmp_t, pegasus_tmp_t, pesign_tmp_t, pinentry_exec_t, ping_exec_t, piranha_log_t, piranha_web_tmp_t, pkcs_slotd_log_t, pkcs_slotd_tmp_t, pki_log_t, pki_ra_etc_rw_t, pki_ra_log_t, pki_ra_var_lib_t, pki_ra_var_run_t, pki_tomcat_cert_t, pki_tomcat_log_t, pki_tomcat_tmp_t, pki_tps_etc_rw_t, pki_tps_log_t, pki_tps_var_lib_t, pki_tps_var_run_t, plymouth_exec_t, plymouthd_var_log_t, podsleuth_exec_t, podsleuth_tmp_t, podsleuth_tmpfs_t, policykit_auth_exec_t, policykit_exec_t, policykit_grant_exec_t, policykit_resolve_exec_t, policykit_tmp_t, polipo_exec_t, polipo_log_t, portmap_helper_exec_t, portmap_tmp_t, postfix_bounce_tmp_t, postfix_cleanup_tmp_t, postfix_exec_t, postfix_local_tmp_t, postfix_map_exec_t, postfix_map_tmp_t, postfix_pickup_tmp_t, postfix_pipe_tmp_t, postfix_postdrop_exec_t, postfix_postdrop_t, postfix_postqueue_exec_t, postfix_qmgr_tmp_t, postfix_showq_exec_t, postfix_smtp_tmp_t, postfix_smtpd_tmp_t, 
postfix_virtual_tmp_t, postgresql_log_t, postgresql_tmp_t, pppd_exec_t, pppd_log_t, pppd_tmp_t, pptp_log_t, prelink_exec_t, prelink_log_t, prelink_tmp_t, prelude_lml_tmp_t, prelude_log_t, preupgrade_data_t, preupgrade_exec_t, prewikka_content_t, prewikka_htaccess_t, prewikka_ra_content_t, prewikka_rw_content_t, prewikka_script_exec_t, privoxy_log_t, proc_t, procmail_exec_t, procmail_log_t, procmail_tmp_t, prosody_log_t, prosody_tmp_t, psad_tmp_t, psad_var_log_t, ptchown_exec_t, public_content_rw_t, public_content_t, pulseaudio_exec_t, pulseaudio_tmpfs_t, puppet_log_t, puppet_tmp_t, puppet_var_lib_t, puppetca_exec_t, puppetmaster_tmp_t, pwauth_exec_t, pyicqt_log_t, qdiskd_var_log_t, qemu_exec_t, qmail_tcp_env_exec_t, qpidd_tmp_t, quota_exec_t, rabbitmq_tmp_t, rabbitmq_var_log_t, racoon_tmp_t, radiusd_log_t, readahead_exec_t, realmd_exec_t, realmd_tmp_t, realmd_var_lib_t, redis_log_t, rhev_agentd_log_t, rhev_agentd_tmp_t, rhsmcertd_exec_t, rhsmcertd_log_t, rhsmcertd_tmp_t, ricci_modcluster_var_log_t, ricci_tmp_t, ricci_var_log_t, rkhunter_var_lib_t, rlogind_tmp_t, rpcbind_tmp_t, rpm_exec_t, rpm_log_t, rpm_script_tmp_t, rpm_tmp_t, rssh_chroot_helper_exec_t, rssh_exec_t, rsync_exec_t, rsync_log_t, rsync_tmp_t, rtas_errd_log_t, rtas_errd_tmp_t, rtkit_daemon_exec_t, run_init_exec_t, samba_etc_t, samba_log_t, samba_net_exec_t, samba_net_tmp_t, samba_var_t, sambagui_exec_t, sanlock_log_t, sbd_tmpfs_t, sblim_tmp_t, screen_exec_t, secadm_sudo_tmp_t, sectool_tmp_t, sectool_var_log_t, sectoolm_exec_t, security_t, selinux_munin_plugin_exec_t, selinux_munin_plugin_tmp_t, semanage_exec_t, semanage_tmp_t, sendmail_exec_t, sendmail_log_t, sendmail_tmp_t, sensord_log_t, services_munin_plugin_exec_t, services_munin_plugin_tmp_t, session_dbusd_tmp_t, setfiles_exec_t, setkey_exec_t, setroubleshoot_fixit_exec_t, setroubleshoot_var_log_t, setroubleshootd_exec_t, setsebool_exec_t, seunshare_exec_t, sge_job_exec_t, sge_shepherd_exec_t, sge_tmp_t, shell_exec_t, shorewall_log_t, 
shorewall_tmp_t, showmount_exec_t, slapd_cert_t, slapd_log_t, slapd_tmp_t, slpd_log_t, smbcontrol_exec_t, smbd_tmp_t, smokeping_cgi_content_t, smokeping_cgi_htaccess_t, smokeping_cgi_ra_content_t, smokeping_cgi_rw_content_t, smokeping_cgi_script_exec_t, smokeping_var_lib_t, smokeping_var_run_t, smoltclient_exec_t, smoltclient_tmp_t, smsd_log_t, smsd_tmp_t, snapperd_exec_t, snapperd_log_t, snmpd_log_t, snort_log_t, snort_tmp_t, sosreport_exec_t, sosreport_tmp_t, soundd_tmp_t, spamc_exec_t, spamc_tmp_t, spamd_log_t, spamd_tmp_t, spamd_update_exec_t, speech-dispatcher_exec_t, speech-dispatcher_log_t, speech-dispatcher_tmp_t, squid_content_t, squid_cron_exec_t, squid_htaccess_t, squid_log_t, squid_ra_content_t, squid_rw_content_t, squid_script_exec_t, squid_tmp_t, squirrelmail_spool_t, src_t, ssh_agent_exec_t, ssh_agent_tmp_t, ssh_exec_t, ssh_keygen_exec_t, ssh_keygen_tmp_t, ssh_keysign_exec_t, ssh_tmpfs_t, sssd_public_t, sssd_selinux_manager_exec_t, sssd_var_lib_t, sssd_var_log_t, staff_sudo_tmp_t, stapserver_log_t, stapserver_tmp_t, stunnel_log_t, stunnel_tmp_t, su_exec_t, sudo_exec_t, sudo_log_t, sulogin_exec_t, svc_multilog_exec_t, svc_run_exec_t, svc_start_exec_t, svirt_tmp_t, svnserve_log_t, svnserve_tmp_t, swat_tmp_t, swift_tmp_t, sysadm_passwd_tmp_t, sysadm_sudo_tmp_t, sysfs_t, syslogd_tmp_t, sysstat_exec_t, sysstat_log_t, system_conf_t, system_cronjob_tmp_t, system_db_t, system_dbusd_tmp_t, system_dbusd_var_lib_t, system_mail_tmp_t, system_munin_plugin_exec_t, system_munin_plugin_tmp_t, systemd_passwd_var_run_t, targetd_tmp_t, tcpd_tmp_t, telepathy_gabble_exec_t, telepathy_gabble_tmp_t, telepathy_idle_exec_t, telepathy_idle_tmp_t, telepathy_logger_exec_t, telepathy_logger_tmp_t, telepathy_mission_control_exec_t, telepathy_mission_control_tmp_t, telepathy_msn_exec_t, telepathy_msn_tmp_t, telepathy_salut_exec_t, telepathy_salut_tmp_t, telepathy_sofiasip_exec_t, telepathy_sofiasip_tmp_t, telepathy_stream_engine_exec_t, telepathy_stream_engine_tmp_t, 
telepathy_sunshine_exec_t, telepathy_sunshine_tmp_t, telnetd_tmp_t, tetex_data_t, textrel_shlib_t, tgtd_tmp_t, thin_aeolus_configserver_log_t, thin_log_t, thumb_exec_t, thumb_tmp_t, tmp_t, tmpreaper_exec_t, tomcat_log_t, tomcat_tmp_t, tor_var_log_t, traceroute_exec_t, tuned_log_t, tuned_tmp_t, tvtime_exec_t, tvtime_tmp_t, tvtime_tmpfs_t, udev_tmp_t, udev_var_run_t, ulogd_var_log_t, uml_exec_t, uml_tmp_t, uml_tmpfs_t, unconfined_exec_t, unconfined_munin_plugin_exec_t, unconfined_munin_plugin_tmp_t, update_modules_exec_t, update_modules_tmp_t, updfstab_exec_t, usbmodules_exec_t, usbmuxd_exec_t, user_cron_spool_t, user_fonts_t, user_mail_tmp_t, user_tmp_t, useradd_exec_t, userhelper_exec_t, usernetctl_exec_t, usr_t, utempter_exec_t, uucpd_log_t, uucpd_tmp_t, uux_exec_t, var_lib_t, var_log_t, var_spool_t, varnishd_tmp_t, varnishlog_log_t, vdagent_log_t, virsh_exec_t, virt_log_t, virt_qemu_ga_log_t, virt_qemu_ga_tmp_t, virt_qemu_ga_unconfined_exec_t, virt_tmp_t, virt_var_lib_t, virtd_lxc_exec_t, vlock_exec_t, vmtools_helper_exec_t, vmtools_tmp_t, vmtools_unconfined_exec_t, vmware_exec_t, vmware_host_tmp_t, vmware_log_t, vmware_tmp_t, vmware_tmpfs_t, vnstat_exec_t, vpnc_exec_t, vpnc_tmp_t, w3c_validator_content_t, w3c_validator_htaccess_t, w3c_validator_ra_content_t, w3c_validator_rw_content_t, w3c_validator_script_exec_t, w3c_validator_tmp_t, watchdog_log_t, watchdog_unconfined_exec_t, webadm_tmp_t, webalizer_content_t, webalizer_exec_t, webalizer_htaccess_t, webalizer_ra_content_t, webalizer_rw_content_t, webalizer_script_exec_t, webalizer_tmp_t, winbind_log_t, wine_exec_t, wireshark_exec_t, wireshark_tmp_t, wireshark_tmpfs_t, wpa_cli_exec_t, wtmp_t, xauth_exec_t, xauth_tmp_t, xdm_exec_t, xdm_log_t, xdm_unconfined_exec_t, xend_tmp_t, xend_var_log_t, xenstored_tmp_t, xenstored_var_log_t, xferlog_t, xserver_exec_t, xserver_log_t, xserver_tmpfs_t, ypbind_tmp_t, ypserv_tmp_t, zabbix_log_t, zabbix_script_exec_t, zabbix_tmp_t, zarafa_deliver_log_t, zarafa_deliver_tmp_t, 
zarafa_gateway_log_t, zarafa_ical_log_t, zarafa_indexer_log_t, zarafa_indexer_tmp_t, zarafa_monitor_log_t, zarafa_server_log_t, zarafa_server_tmp_t, zarafa_spooler_log_t, zarafa_var_lib_t, zebra_log_t, zebra_tmp_t, zoneminder_content_t, zoneminder_exec_t, zoneminder_htaccess_t, zoneminder_log_t, zoneminder_ra_content_t, zoneminder_rw_content_t, zoneminder_script_exec_t, zoneminder_var_lib_t, zos_remote_exec_t.
Then execute:
restorecon -v '/var/cache/nginx/.pki/nssdb/cert9.db'
***** Plugin catchall (17.1 confidence) suggests **************************
If you believe that php-fpm should be allowed lock access on the cert9.db file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'php-fpm' --raw | audit2allow -M my-phpfpm
# semodule -i my-phpfpm.pp
Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:object_r:var_t:s0
Target Objects /var/cache/nginx/.pki/nssdb/cert9.db [ file ]
Source php-fpm
Source Path /usr/sbin/php-fpm
Port <Unknown>
Host di-staging
Source RPM Packages php-fpm-7.2.14-1.el7.remi.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name di-staging
Platform Linux di-staging 3.10.0-957.el7.x86_64 #1 SMP Thu
Nov 8 23:39:32 UTC 2018 x86_64 x86_64
Alert Count 936
First Seen 2019-03-02 16:32:29 GMT
Last Seen 2019-03-02 21:24:14 GMT
Local ID 3a672c0c-ed3b-4509-9695-49eca37e2061
Raw Audit Messages
type=AVC msg=audit(1551561854.609:568178): avc: denied { lock } for pid=3751 comm="php-fpm" path="/var/cache/nginx/.pki/nssdb/cert9.db" dev="sda2" ino=790407 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1551561854.609:568178): arch=x86_64 syscall=fcntl success=no exit=EACCES a0=8 a1=6 a2=7ffe4a3e47e0 a3=0 items=0 ppid=3450 pid=3751 auid=4294967295 uid=996 gid=993 euid=996 suid=996 fsuid=996 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm=php-fpm exe=/usr/sbin/php-fpm subj=system_u:system_r:httpd_t:s0 key=(null)
Hash: php-fpm,httpd_t,var_t,file,lock
linux rhel security php selinux
I have an SELinux alert for the file /var/cache/nginx/.pki/nssdb/cert9.db, but I don't know what label I should give it. The SELinux report suggests hundreds of labels; which is the correct one to allow php-fpm to have lock access on the cert9.db file?
SELinux is preventing /usr/sbin/php-fpm from lock access on the file /var/cache/nginx/.pki/nssdb/cert9.db.
***** Plugin catchall_labels (83.8 confidence) suggests *******************
If you want to allow php-fpm to have lock access on the cert9.db file
Then you need to change the label on /var/cache/nginx/.pki/nssdb/cert9.db
Do
# semanage fcontext -a -t FILE_TYPE '/var/cache/nginx/.pki/nssdb/cert9.db'
where FILE_TYPE is one of the following: NetworkManager_exec_t, NetworkManager_log_t, NetworkManager_tmp_t, abrt_dump_oops_exec_t, abrt_etc_t, abrt_exec_t, abrt_handle_event_exec_t, abrt_helper_exec_t, abrt_retrace_coredump_exec_t, abrt_retrace_spool_t, abrt_retrace_worker_exec_t, abrt_tmp_t, abrt_upload_watch_tmp_t, abrt_var_cache_t, abrt_var_log_t, abrt_var_run_t, accountsd_exec_t, acct_data_t, acct_exec_t, admin_crontab_tmp_t, admin_passwd_exec_t, afs_logfile_t, aide_exec_t, aide_log_t, alsa_exec_t, alsa_tmp_t, amanda_exec_t, amanda_log_t, amanda_recover_exec_t, amanda_tmp_t, amtu_exec_t, anacron_exec_t, anon_inodefs_t, antivirus_log_t, antivirus_tmp_t, apcupsd_cgi_content_t, apcupsd_cgi_htaccess_t, apcupsd_cgi_ra_content_t, apcupsd_cgi_rw_content_t, apcupsd_cgi_script_exec_t, apcupsd_log_t, apcupsd_tmp_t, apm_exec_t, apmd_log_t, apmd_tmp_t, arpwatch_tmp_t, asterisk_log_t, asterisk_tmp_t, audisp_exec_t, auditadm_sudo_tmp_t, auditctl_exec_t, auth_cache_t, authconfig_exec_t, automount_tmp_t, avahi_exec_t, awstats_content_t, awstats_htaccess_t, awstats_ra_content_t, awstats_rw_content_t, awstats_script_exec_t, awstats_tmp_t, bacula_admin_exec_t, bacula_log_t, bacula_tmp_t, bacula_unconfined_script_exec_t, bin_t, bitlbee_log_t, bitlbee_tmp_t, blueman_exec_t, bluetooth_helper_exec_t, bluetooth_helper_tmp_t, bluetooth_helper_tmpfs_t, bluetooth_tmp_t, boinc_log_t, boinc_project_tmp_t, boinc_tmp_t, boot_t, bootloader_exec_t, bootloader_tmp_t, brctl_exec_t, brltty_log_t, bugzilla_content_t, bugzilla_htaccess_t, bugzilla_ra_content_t, bugzilla_rw_content_t, bugzilla_script_exec_t, bugzilla_tmp_t, calamaris_exec_t, calamaris_log_t, calamaris_www_t, callweaver_log_t, canna_log_t, cardctl_exec_t, cardmgr_dev_t, ccs_tmp_t, ccs_var_lib_t, ccs_var_log_t, cdcc_exec_t, cdcc_tmp_t, cdrecord_exec_t, cert_t, certmaster_var_log_t, certmonger_unconfined_exec_t, certwatch_exec_t, cfengine_log_t, cgred_log_t, checkpc_exec_t, checkpc_log_t, checkpolicy_exec_t, chfn_exec_t, chkpwd_exec_t, 
chrome_sandbox_exec_t, chrome_sandbox_nacl_exec_t, chrome_sandbox_tmp_t, chronyc_exec_t, chronyd_tmp_t, chronyd_var_log_t, cinder_api_tmp_t, cinder_backup_tmp_t, cinder_log_t, cinder_scheduler_tmp_t, cinder_volume_tmp_t, cloud_init_tmp_t, cloud_log_t, cluster_conf_t, cluster_tmp_t, cluster_var_lib_t, cluster_var_log_t, cluster_var_run_t, cobbler_etc_t, cobbler_tmp_t, cobbler_var_lib_t, cobbler_var_log_t, cockpit_tmp_t, collectd_content_t, collectd_htaccess_t, collectd_ra_content_t, collectd_rw_content_t, collectd_script_exec_t, collectd_script_tmp_t, colord_exec_t, colord_tmp_t, comsat_tmp_t, condor_log_t, condor_master_tmp_t, condor_schedd_tmp_t, condor_startd_tmp_t, conman_log_t, conman_tmp_t, conman_unconfined_script_exec_t, consolehelper_exec_t, consolekit_exec_t, consolekit_log_t, container_log_t, container_runtime_tmp_t, couchdb_log_t, couchdb_tmp_t, courier_exec_t, cpu_online_t, cpucontrol_exec_t, cpufreqselector_exec_t, cpuspeed_exec_t, crack_exec_t, crack_tmp_t, cron_log_t, crond_tmp_t, crontab_exec_t, crontab_tmp_t, ctdbd_log_t, ctdbd_tmp_t, cups_pdf_tmp_t, cupsd_config_exec_t, cupsd_log_t, cupsd_lpd_tmp_t, cupsd_tmp_t, cvs_content_t, cvs_data_t, cvs_exec_t, cvs_htaccess_t, cvs_ra_content_t, cvs_rw_content_t, cvs_script_exec_t, cvs_tmp_t, cyphesis_exec_t, cyphesis_log_t, cyphesis_tmp_t, cyrus_tmp_t, dbadm_sudo_tmp_t, dbskkd_tmp_t, dbusd_etc_t, dbusd_exec_t, dcc_client_exec_t, dcc_client_tmp_t, dcc_dbclean_exec_t, dcc_dbclean_tmp_t, dccd_tmp_t, dccifd_tmp_t, dccm_tmp_t, ddclient_log_t, ddclient_tmp_t, debuginfo_exec_t, deltacloudd_log_t, deltacloudd_tmp_t, denyhosts_var_log_t, depmod_exec_t, devicekit_disk_exec_t, devicekit_exec_t, devicekit_power_exec_t, devicekit_tmp_t, devicekit_var_log_t, dhcpc_exec_t, dhcpc_tmp_t, dhcpd_tmp_t, dirsrv_config_t, dirsrv_share_t, dirsrv_snmp_var_log_t, dirsrv_tmp_t, dirsrv_var_log_t, dirsrv_var_run_t, dirsrvadmin_config_t, dirsrvadmin_content_t, dirsrvadmin_htaccess_t, dirsrvadmin_ra_content_t, dirsrvadmin_rw_content_t, 
dirsrvadmin_script_exec_t, dirsrvadmin_tmp_t, disk_munin_plugin_exec_t, disk_munin_plugin_tmp_t, dkim_milter_tmp_t, dlm_controld_var_log_t, dmesg_exec_t, dmidecode_exec_t, dnsmasq_tmp_t, dnsmasq_var_log_t, dnssec_trigger_tmp_t, dovecot_auth_tmp_t, dovecot_deliver_tmp_t, dovecot_tmp_t, dovecot_var_log_t, drbd_tmp_t, dspam_content_t, dspam_htaccess_t, dspam_log_t, dspam_ra_content_t, dspam_rw_content_t, dspam_script_exec_t, etc_runtime_t, etc_t, evtchnd_var_log_t, exim_exec_t, exim_log_t, exim_tmp_t, fail2ban_client_exec_t, fail2ban_log_t, fail2ban_tmp_t, fail2ban_var_lib_t, faillog_t, fenced_tmp_t, fenced_var_log_t, fetchmail_exec_t, fetchmail_log_t, file_context_t, fingerd_log_t, firewalld_exec_t, firewalld_tmp_t, firewalld_var_log_t, firewallgui_exec_t, firewallgui_tmp_t, firstboot_exec_t, foghorn_var_log_t, fonts_cache_t, fonts_t, fprintd_exec_t, freqset_exec_t, fsadm_exec_t, fsadm_log_t, fsadm_tmp_t, fsdaemon_tmp_t, ftpd_tmp_t, ftpdctl_exec_t, ftpdctl_tmp_t, games_exec_t, games_tmp_t, games_tmpfs_t, ganesha_tmp_t, ganesha_var_log_t, gconf_tmp_t, gconfd_exec_t, gconfdefaultsm_exec_t, geoclue_exec_t, geoclue_tmp_t, getty_exec_t, getty_log_t, getty_tmp_t, gfs_controld_var_log_t, git_content_t, git_htaccess_t, git_ra_content_t, git_rw_content_t, git_script_exec_t, git_script_tmp_t, git_sys_content_t, gitd_exec_t, gitosis_exec_t, gitosis_var_lib_t, gkeyringd_exec_t, gkeyringd_tmp_t, glance_log_t, glance_registry_tmp_t, glance_tmp_t, glusterd_log_t, glusterd_tmp_t, gnomesystemmm_exec_t, gpg_agent_exec_t, gpg_agent_tmp_t, gpg_exec_t, gpg_helper_exec_t, gpg_pinentry_tmp_t, gpg_pinentry_tmpfs_t, gpm_tmp_t, gpsd_exec_t, groupadd_exec_t, groupd_var_log_t, gssd_tmp_t, haproxy_var_log_t, hostname_etc_t, hostname_exec_t, hsqldb_tmp_t, httpd_cache_t, httpd_config_t, httpd_exec_t, httpd_keytab_t, httpd_lock_t, httpd_log_t, httpd_modules_t, httpd_passwd_exec_t, httpd_php_tmp_t, httpd_squirrelmail_t, httpd_suexec_tmp_t, httpd_sys_content_t, httpd_sys_htaccess_t, 
httpd_sys_ra_content_t, httpd_sys_rw_content_t, httpd_sys_script_exec_t, httpd_tmp_t, httpd_tmpfs_t, httpd_user_htaccess_t, httpd_user_ra_content_t, httpd_user_rw_content_t, httpd_user_script_exec_t, httpd_var_lib_t, httpd_var_run_t, hugetlbfs_t, hwclock_exec_t, hwloc_dhwd_exec_t, iceauth_exec_t, icecast_exec_t, icecast_log_t, ifconfig_exec_t, inetd_child_tmp_t, inetd_log_t, inetd_tmp_t, init_tmp_t, initrc_tmp_t, initrc_var_log_t, innd_log_t, insmod_exec_t, install_exec_t, iotop_exec_t, ipa_cert_t, ipa_helper_exec_t, ipa_log_t, ipa_tmp_t, ipa_var_lib_t, ipa_var_run_t, ipsec_log_t, ipsec_mgmt_exec_t, ipsec_tmp_t, iptables_exec_t, iptables_tmp_t, irc_exec_t, irssi_exec_t, iscsi_log_t, iscsi_tmp_t, iso9660_t, iwhd_log_t, jetty_cache_t, jetty_log_t, jetty_var_lib_t, jetty_var_run_t, jockey_exec_t, jockey_var_log_t, journalctl_exec_t, kadmind_log_t, kadmind_tmp_t, kdump_exec_t, kdumpctl_tmp_t, kdumpgui_exec_t, kdumpgui_tmp_t, keepalived_unconfined_script_exec_t, keystone_cgi_content_t, keystone_cgi_htaccess_t, keystone_cgi_ra_content_t, keystone_cgi_rw_content_t, keystone_cgi_script_exec_t, keystone_log_t, keystone_tmp_t, kismet_exec_t, kismet_log_t, kismet_tmp_t, kismet_tmpfs_t, klogd_tmp_t, krb5_conf_t, krb5_host_rcache_t, krb5_keytab_t, krb5kdc_conf_t, krb5kdc_log_t, krb5kdc_tmp_t, ksmtuned_log_t, ktalkd_log_t, ktalkd_tmp_t, l2tpd_tmp_t, lastlog_t, ld_so_cache_t, ldconfig_exec_t, ldconfig_tmp_t, lib_t, livecd_exec_t, livecd_tmp_t, load_policy_exec_t, loadkeys_exec_t, locale_t, locate_exec_t, lockdev_exec_t, login_exec_t, logrotate_mail_tmp_t, logrotate_tmp_t, logwatch_exec_t, logwatch_mail_tmp_t, logwatch_tmp_t, lpd_tmp_t, lpr_exec_t, lpr_tmp_t, lsassd_tmp_t, lsmd_plugin_exec_t, lsmd_plugin_tmp_t, lvm_exec_t, lvm_tmp_t, machineid_t, mail_munin_plugin_exec_t, mail_munin_plugin_tmp_t, mailman_archive_t, mailman_cgi_tmp_t, mailman_data_t, mailman_log_t, mailman_mail_tmp_t, mailman_queue_tmp_t, man2html_content_t, man2html_htaccess_t, man2html_ra_content_t, 
man2html_rw_content_t, man2html_script_exec_t, man_cache_t, man_t, mandb_cache_t, mcelog_exec_t, mcelog_log_t, mdadm_log_t, mdadm_tmp_t, mediawiki_content_t, mediawiki_htaccess_t, mediawiki_ra_content_t, mediawiki_rw_content_t, mediawiki_script_exec_t, mediawiki_tmp_t, mencoder_exec_t, minidlna_log_t, mirrormanager_exec_t, mirrormanager_log_t, mirrormanager_var_lib_t, mirrormanager_var_run_t, mock_build_exec_t, mock_exec_t, mock_tmp_t, modemmanager_exec_t, mojomojo_content_t, mojomojo_htaccess_t, mojomojo_ra_content_t, mojomojo_rw_content_t, mojomojo_script_exec_t, mojomojo_tmp_t, mongod_log_t, mongod_tmp_t, motion_log_t, mount_ecryptfs_exec_t, mount_exec_t, mount_tmp_t, mozilla_exec_t, mozilla_plugin_config_exec_t, mozilla_plugin_exec_t, mozilla_plugin_tmp_t, mozilla_plugin_tmpfs_t, mozilla_tmp_t, mozilla_tmpfs_t, mpd_exec_t, mpd_log_t, mpd_tmp_t, mplayer_exec_t, mplayer_tmpfs_t, mrtg_exec_t, mrtg_log_t, mscan_tmp_t, munin_content_t, munin_etc_t, munin_htaccess_t, munin_log_t, munin_ra_content_t, munin_rw_content_t, munin_script_exec_t, munin_script_tmp_t, munin_tmp_t, mysqld_etc_t, mysqld_log_t, mysqld_tmp_t, mythtv_content_t, mythtv_htaccess_t, mythtv_ra_content_t, mythtv_rw_content_t, mythtv_script_exec_t, mythtv_var_log_t, nagios_admin_plugin_exec_t, nagios_checkdisk_plugin_exec_t, nagios_content_t, nagios_etc_t, nagios_eventhandler_plugin_exec_t, nagios_eventhandler_plugin_tmp_t, nagios_htaccess_t, nagios_log_t, nagios_mail_plugin_exec_t, nagios_openshift_plugin_exec_t, nagios_openshift_plugin_tmp_t, nagios_ra_content_t, nagios_rw_content_t, nagios_script_exec_t, nagios_services_plugin_exec_t, nagios_system_plugin_exec_t, nagios_system_plugin_tmp_t, nagios_tmp_t, nagios_unconfined_plugin_exec_t, nagios_var_lib_t, named_checkconf_exec_t, named_exec_t, named_log_t, named_tmp_t, namespace_init_exec_t, ncftool_exec_t, ndc_exec_t, net_conf_t, netlabel_mgmt_exec_t, netutils_exec_t, netutils_tmp_t, neutron_log_t, neutron_tmp_t, newrole_exec_t, nova_log_t, 
nova_tmp_t, nscd_log_t, nsd_log_t, nsd_tmp_t, ntop_tmp_t, ntpd_log_t, ntpd_tmp_t, ntpdate_exec_t, numad_var_log_t, nut_upsd_tmp_t, nut_upsdrvctl_tmp_t, nut_upsmon_tmp_t, nutups_cgi_content_t, nutups_cgi_htaccess_t, nutups_cgi_ra_content_t, nutups_cgi_rw_content_t, nutups_cgi_script_exec_t, nx_server_tmp_t, obex_exec_t, oddjob_mkhomedir_exec_t, opendnssec_tmp_t, openhpid_log_t, openshift_cgroup_read_exec_t, openshift_cgroup_read_tmp_t, openshift_content_t, openshift_cron_tmp_t, openshift_htaccess_t, openshift_initrc_tmp_t, openshift_log_t, openshift_net_read_exec_t, openshift_ra_content_t, openshift_rw_content_t, openshift_script_exec_t, openshift_tmp_t, opensm_log_t, openvpn_status_t, openvpn_tmp_t, openvpn_var_log_t, openvswitch_log_t, openvswitch_tmp_t, openwsman_log_t, openwsman_tmp_t, oracleasm_tmp_t, osad_log_t, pads_exec_t, pam_console_exec_t, pam_timestamp_tmp_t, passenger_exec_t, passenger_log_t, passenger_tmp_t, passenger_var_lib_t, passenger_var_run_t, passwd_exec_t, passwd_file_t, pcp_log_t, pcp_tmp_t, pcscd_var_run_t, pegasus_openlmi_storage_tmp_t, pegasus_tmp_t, pesign_tmp_t, pinentry_exec_t, ping_exec_t, piranha_log_t, piranha_web_tmp_t, pkcs_slotd_log_t, pkcs_slotd_tmp_t, pki_log_t, pki_ra_etc_rw_t, pki_ra_log_t, pki_ra_var_lib_t, pki_ra_var_run_t, pki_tomcat_cert_t, pki_tomcat_log_t, pki_tomcat_tmp_t, pki_tps_etc_rw_t, pki_tps_log_t, pki_tps_var_lib_t, pki_tps_var_run_t, plymouth_exec_t, plymouthd_var_log_t, podsleuth_exec_t, podsleuth_tmp_t, podsleuth_tmpfs_t, policykit_auth_exec_t, policykit_exec_t, policykit_grant_exec_t, policykit_resolve_exec_t, policykit_tmp_t, polipo_exec_t, polipo_log_t, portmap_helper_exec_t, portmap_tmp_t, postfix_bounce_tmp_t, postfix_cleanup_tmp_t, postfix_exec_t, postfix_local_tmp_t, postfix_map_exec_t, postfix_map_tmp_t, postfix_pickup_tmp_t, postfix_pipe_tmp_t, postfix_postdrop_exec_t, postfix_postdrop_t, postfix_postqueue_exec_t, postfix_qmgr_tmp_t, postfix_showq_exec_t, postfix_smtp_tmp_t, postfix_smtpd_tmp_t, 
postfix_virtual_tmp_t, postgresql_log_t, postgresql_tmp_t, pppd_exec_t, pppd_log_t, pppd_tmp_t, pptp_log_t, prelink_exec_t, prelink_log_t, prelink_tmp_t, prelude_lml_tmp_t, prelude_log_t, preupgrade_data_t, preupgrade_exec_t, prewikka_content_t, prewikka_htaccess_t, prewikka_ra_content_t, prewikka_rw_content_t, prewikka_script_exec_t, privoxy_log_t, proc_t, procmail_exec_t, procmail_log_t, procmail_tmp_t, prosody_log_t, prosody_tmp_t, psad_tmp_t, psad_var_log_t, ptchown_exec_t, public_content_rw_t, public_content_t, pulseaudio_exec_t, pulseaudio_tmpfs_t, puppet_log_t, puppet_tmp_t, puppet_var_lib_t, puppetca_exec_t, puppetmaster_tmp_t, pwauth_exec_t, pyicqt_log_t, qdiskd_var_log_t, qemu_exec_t, qmail_tcp_env_exec_t, qpidd_tmp_t, quota_exec_t, rabbitmq_tmp_t, rabbitmq_var_log_t, racoon_tmp_t, radiusd_log_t, readahead_exec_t, realmd_exec_t, realmd_tmp_t, realmd_var_lib_t, redis_log_t, rhev_agentd_log_t, rhev_agentd_tmp_t, rhsmcertd_exec_t, rhsmcertd_log_t, rhsmcertd_tmp_t, ricci_modcluster_var_log_t, ricci_tmp_t, ricci_var_log_t, rkhunter_var_lib_t, rlogind_tmp_t, rpcbind_tmp_t, rpm_exec_t, rpm_log_t, rpm_script_tmp_t, rpm_tmp_t, rssh_chroot_helper_exec_t, rssh_exec_t, rsync_exec_t, rsync_log_t, rsync_tmp_t, rtas_errd_log_t, rtas_errd_tmp_t, rtkit_daemon_exec_t, run_init_exec_t, samba_etc_t, samba_log_t, samba_net_exec_t, samba_net_tmp_t, samba_var_t, sambagui_exec_t, sanlock_log_t, sbd_tmpfs_t, sblim_tmp_t, screen_exec_t, secadm_sudo_tmp_t, sectool_tmp_t, sectool_var_log_t, sectoolm_exec_t, security_t, selinux_munin_plugin_exec_t, selinux_munin_plugin_tmp_t, semanage_exec_t, semanage_tmp_t, sendmail_exec_t, sendmail_log_t, sendmail_tmp_t, sensord_log_t, services_munin_plugin_exec_t, services_munin_plugin_tmp_t, session_dbusd_tmp_t, setfiles_exec_t, setkey_exec_t, setroubleshoot_fixit_exec_t, setroubleshoot_var_log_t, setroubleshootd_exec_t, setsebool_exec_t, seunshare_exec_t, sge_job_exec_t, sge_shepherd_exec_t, sge_tmp_t, shell_exec_t, shorewall_log_t, 
shorewall_tmp_t, showmount_exec_t, slapd_cert_t, slapd_log_t, slapd_tmp_t, slpd_log_t, smbcontrol_exec_t, smbd_tmp_t, smokeping_cgi_content_t, smokeping_cgi_htaccess_t, smokeping_cgi_ra_content_t, smokeping_cgi_rw_content_t, smokeping_cgi_script_exec_t, smokeping_var_lib_t, smokeping_var_run_t, smoltclient_exec_t, smoltclient_tmp_t, smsd_log_t, smsd_tmp_t, snapperd_exec_t, snapperd_log_t, snmpd_log_t, snort_log_t, snort_tmp_t, sosreport_exec_t, sosreport_tmp_t, soundd_tmp_t, spamc_exec_t, spamc_tmp_t, spamd_log_t, spamd_tmp_t, spamd_update_exec_t, speech-dispatcher_exec_t, speech-dispatcher_log_t, speech-dispatcher_tmp_t, squid_content_t, squid_cron_exec_t, squid_htaccess_t, squid_log_t, squid_ra_content_t, squid_rw_content_t, squid_script_exec_t, squid_tmp_t, squirrelmail_spool_t, src_t, ssh_agent_exec_t, ssh_agent_tmp_t, ssh_exec_t, ssh_keygen_exec_t, ssh_keygen_tmp_t, ssh_keysign_exec_t, ssh_tmpfs_t, sssd_public_t, sssd_selinux_manager_exec_t, sssd_var_lib_t, sssd_var_log_t, staff_sudo_tmp_t, stapserver_log_t, stapserver_tmp_t, stunnel_log_t, stunnel_tmp_t, su_exec_t, sudo_exec_t, sudo_log_t, sulogin_exec_t, svc_multilog_exec_t, svc_run_exec_t, svc_start_exec_t, svirt_tmp_t, svnserve_log_t, svnserve_tmp_t, swat_tmp_t, swift_tmp_t, sysadm_passwd_tmp_t, sysadm_sudo_tmp_t, sysfs_t, syslogd_tmp_t, sysstat_exec_t, sysstat_log_t, system_conf_t, system_cronjob_tmp_t, system_db_t, system_dbusd_tmp_t, system_dbusd_var_lib_t, system_mail_tmp_t, system_munin_plugin_exec_t, system_munin_plugin_tmp_t, systemd_passwd_var_run_t, targetd_tmp_t, tcpd_tmp_t, telepathy_gabble_exec_t, telepathy_gabble_tmp_t, telepathy_idle_exec_t, telepathy_idle_tmp_t, telepathy_logger_exec_t, telepathy_logger_tmp_t, telepathy_mission_control_exec_t, telepathy_mission_control_tmp_t, telepathy_msn_exec_t, telepathy_msn_tmp_t, telepathy_salut_exec_t, telepathy_salut_tmp_t, telepathy_sofiasip_exec_t, telepathy_sofiasip_tmp_t, telepathy_stream_engine_exec_t, telepathy_stream_engine_tmp_t, 
telepathy_sunshine_exec_t, telepathy_sunshine_tmp_t, telnetd_tmp_t, tetex_data_t, textrel_shlib_t, tgtd_tmp_t, thin_aeolus_configserver_log_t, thin_log_t, thumb_exec_t, thumb_tmp_t, tmp_t, tmpreaper_exec_t, tomcat_log_t, tomcat_tmp_t, tor_var_log_t, traceroute_exec_t, tuned_log_t, tuned_tmp_t, tvtime_exec_t, tvtime_tmp_t, tvtime_tmpfs_t, udev_tmp_t, udev_var_run_t, ulogd_var_log_t, uml_exec_t, uml_tmp_t, uml_tmpfs_t, unconfined_exec_t, unconfined_munin_plugin_exec_t, unconfined_munin_plugin_tmp_t, update_modules_exec_t, update_modules_tmp_t, updfstab_exec_t, usbmodules_exec_t, usbmuxd_exec_t, user_cron_spool_t, user_fonts_t, user_mail_tmp_t, user_tmp_t, useradd_exec_t, userhelper_exec_t, usernetctl_exec_t, usr_t, utempter_exec_t, uucpd_log_t, uucpd_tmp_t, uux_exec_t, var_lib_t, var_log_t, var_spool_t, varnishd_tmp_t, varnishlog_log_t, vdagent_log_t, virsh_exec_t, virt_log_t, virt_qemu_ga_log_t, virt_qemu_ga_tmp_t, virt_qemu_ga_unconfined_exec_t, virt_tmp_t, virt_var_lib_t, virtd_lxc_exec_t, vlock_exec_t, vmtools_helper_exec_t, vmtools_tmp_t, vmtools_unconfined_exec_t, vmware_exec_t, vmware_host_tmp_t, vmware_log_t, vmware_tmp_t, vmware_tmpfs_t, vnstat_exec_t, vpnc_exec_t, vpnc_tmp_t, w3c_validator_content_t, w3c_validator_htaccess_t, w3c_validator_ra_content_t, w3c_validator_rw_content_t, w3c_validator_script_exec_t, w3c_validator_tmp_t, watchdog_log_t, watchdog_unconfined_exec_t, webadm_tmp_t, webalizer_content_t, webalizer_exec_t, webalizer_htaccess_t, webalizer_ra_content_t, webalizer_rw_content_t, webalizer_script_exec_t, webalizer_tmp_t, winbind_log_t, wine_exec_t, wireshark_exec_t, wireshark_tmp_t, wireshark_tmpfs_t, wpa_cli_exec_t, wtmp_t, xauth_exec_t, xauth_tmp_t, xdm_exec_t, xdm_log_t, xdm_unconfined_exec_t, xend_tmp_t, xend_var_log_t, xenstored_tmp_t, xenstored_var_log_t, xferlog_t, xserver_exec_t, xserver_log_t, xserver_tmpfs_t, ypbind_tmp_t, ypserv_tmp_t, zabbix_log_t, zabbix_script_exec_t, zabbix_tmp_t, zarafa_deliver_log_t, zarafa_deliver_tmp_t, 
zarafa_gateway_log_t, zarafa_ical_log_t, zarafa_indexer_log_t, zarafa_indexer_tmp_t, zarafa_monitor_log_t, zarafa_server_log_t, zarafa_server_tmp_t, zarafa_spooler_log_t, zarafa_var_lib_t, zebra_log_t, zebra_tmp_t, zoneminder_content_t, zoneminder_exec_t, zoneminder_htaccess_t, zoneminder_log_t, zoneminder_ra_content_t, zoneminder_rw_content_t, zoneminder_script_exec_t, zoneminder_var_lib_t, zos_remote_exec_t.
Then execute:
restorecon -v '/var/cache/nginx/.pki/nssdb/cert9.db'
***** Plugin catchall (17.1 confidence) suggests **************************
If you believe that php-fpm should be allowed lock access on the cert9.db file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'php-fpm' --raw | audit2allow -M my-phpfpm
# semodule -i my-phpfpm.pp
Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:object_r:var_t:s0
Target Objects /var/cache/nginx/.pki/nssdb/cert9.db [ file ]
Source php-fpm
Source Path /usr/sbin/php-fpm
Port <Unknown>
Host di-staging
Source RPM Packages php-fpm-7.2.14-1.el7.remi.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name di-staging
Platform Linux di-staging 3.10.0-957.el7.x86_64 #1 SMP Thu
Nov 8 23:39:32 UTC 2018 x86_64 x86_64
Alert Count 936
First Seen 2019-03-02 16:32:29 GMT
Last Seen 2019-03-02 21:24:14 GMT
Local ID 3a672c0c-ed3b-4509-9695-49eca37e2061
Raw Audit Messages
type=AVC msg=audit(1551561854.609:568178): avc: denied { lock } for pid=3751 comm="php-fpm" path="/var/cache/nginx/.pki/nssdb/cert9.db" dev="sda2" ino=790407 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1551561854.609:568178): arch=x86_64 syscall=fcntl success=no exit=EACCES a0=8 a1=6 a2=7ffe4a3e47e0 a3=0 items=0 ppid=3450 pid=3751 auid=4294967295 uid=996 gid=993 euid=996 suid=996 fsuid=996 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm=php-fpm exe=/usr/sbin/php-fpm subj=system_u:system_r:httpd_t:s0 key=(null)
Hash: php-fpm,httpd_t,var_t,file,lock
linux rhel security php selinux
I have an SELinux alert for the file /var/cache/nginx/.pki/nssdb/cert9.db, but I don't know what label I should give it. The SELinux report suggests hundreds of labels; which is the correct one to allow php-fpm to have lock access on the cert9.db file?
SELinux is preventing /usr/sbin/php-fpm from lock access on the file /var/cache/nginx/.pki/nssdb/cert9.db.
***** Plugin catchall_labels (83.8 confidence) suggests *******************
If you want to allow php-fpm to have lock access on the cert9.db file
Then you need to change the label on /var/cache/nginx/.pki/nssdb/cert9.db
Do
# semanage fcontext -a -t FILE_TYPE '/var/cache/nginx/.pki/nssdb/cert9.db'
where FILE_TYPE is one of the following: NetworkManager_exec_t, NetworkManager_log_t, NetworkManager_tmp_t, abrt_dump_oops_exec_t, abrt_etc_t, abrt_exec_t, abrt_handle_event_exec_t, abrt_helper_exec_t, abrt_retrace_coredump_exec_t, abrt_retrace_spool_t, abrt_retrace_worker_exec_t, abrt_tmp_t, abrt_upload_watch_tmp_t, abrt_var_cache_t, abrt_var_log_t, abrt_var_run_t, accountsd_exec_t, acct_data_t, acct_exec_t, admin_crontab_tmp_t, admin_passwd_exec_t, afs_logfile_t, aide_exec_t, aide_log_t, alsa_exec_t, alsa_tmp_t, amanda_exec_t, amanda_log_t, amanda_recover_exec_t, amanda_tmp_t, amtu_exec_t, anacron_exec_t, anon_inodefs_t, antivirus_log_t, antivirus_tmp_t, apcupsd_cgi_content_t, apcupsd_cgi_htaccess_t, apcupsd_cgi_ra_content_t, apcupsd_cgi_rw_content_t, apcupsd_cgi_script_exec_t, apcupsd_log_t, apcupsd_tmp_t, apm_exec_t, apmd_log_t, apmd_tmp_t, arpwatch_tmp_t, asterisk_log_t, asterisk_tmp_t, audisp_exec_t, auditadm_sudo_tmp_t, auditctl_exec_t, auth_cache_t, authconfig_exec_t, automount_tmp_t, avahi_exec_t, awstats_content_t, awstats_htaccess_t, awstats_ra_content_t, awstats_rw_content_t, awstats_script_exec_t, awstats_tmp_t, bacula_admin_exec_t, bacula_log_t, bacula_tmp_t, bacula_unconfined_script_exec_t, bin_t, bitlbee_log_t, bitlbee_tmp_t, blueman_exec_t, bluetooth_helper_exec_t, bluetooth_helper_tmp_t, bluetooth_helper_tmpfs_t, bluetooth_tmp_t, boinc_log_t, boinc_project_tmp_t, boinc_tmp_t, boot_t, bootloader_exec_t, bootloader_tmp_t, brctl_exec_t, brltty_log_t, bugzilla_content_t, bugzilla_htaccess_t, bugzilla_ra_content_t, bugzilla_rw_content_t, bugzilla_script_exec_t, bugzilla_tmp_t, calamaris_exec_t, calamaris_log_t, calamaris_www_t, callweaver_log_t, canna_log_t, cardctl_exec_t, cardmgr_dev_t, ccs_tmp_t, ccs_var_lib_t, ccs_var_log_t, cdcc_exec_t, cdcc_tmp_t, cdrecord_exec_t, cert_t, certmaster_var_log_t, certmonger_unconfined_exec_t, certwatch_exec_t, cfengine_log_t, cgred_log_t, checkpc_exec_t, checkpc_log_t, checkpolicy_exec_t, chfn_exec_t, chkpwd_exec_t, 
chrome_sandbox_exec_t, chrome_sandbox_nacl_exec_t, chrome_sandbox_tmp_t, chronyc_exec_t, chronyd_tmp_t, chronyd_var_log_t, cinder_api_tmp_t, cinder_backup_tmp_t, cinder_log_t, cinder_scheduler_tmp_t, cinder_volume_tmp_t, cloud_init_tmp_t, cloud_log_t, cluster_conf_t, cluster_tmp_t, cluster_var_lib_t, cluster_var_log_t, cluster_var_run_t, cobbler_etc_t, cobbler_tmp_t, cobbler_var_lib_t, cobbler_var_log_t, cockpit_tmp_t, collectd_content_t, collectd_htaccess_t, collectd_ra_content_t, collectd_rw_content_t, collectd_script_exec_t, collectd_script_tmp_t, colord_exec_t, colord_tmp_t, comsat_tmp_t, condor_log_t, condor_master_tmp_t, condor_schedd_tmp_t, condor_startd_tmp_t, conman_log_t, conman_tmp_t, conman_unconfined_script_exec_t, consolehelper_exec_t, consolekit_exec_t, consolekit_log_t, container_log_t, container_runtime_tmp_t, couchdb_log_t, couchdb_tmp_t, courier_exec_t, cpu_online_t, cpucontrol_exec_t, cpufreqselector_exec_t, cpuspeed_exec_t, crack_exec_t, crack_tmp_t, cron_log_t, crond_tmp_t, crontab_exec_t, crontab_tmp_t, ctdbd_log_t, ctdbd_tmp_t, cups_pdf_tmp_t, cupsd_config_exec_t, cupsd_log_t, cupsd_lpd_tmp_t, cupsd_tmp_t, cvs_content_t, cvs_data_t, cvs_exec_t, cvs_htaccess_t, cvs_ra_content_t, cvs_rw_content_t, cvs_script_exec_t, cvs_tmp_t, cyphesis_exec_t, cyphesis_log_t, cyphesis_tmp_t, cyrus_tmp_t, dbadm_sudo_tmp_t, dbskkd_tmp_t, dbusd_etc_t, dbusd_exec_t, dcc_client_exec_t, dcc_client_tmp_t, dcc_dbclean_exec_t, dcc_dbclean_tmp_t, dccd_tmp_t, dccifd_tmp_t, dccm_tmp_t, ddclient_log_t, ddclient_tmp_t, debuginfo_exec_t, deltacloudd_log_t, deltacloudd_tmp_t, denyhosts_var_log_t, depmod_exec_t, devicekit_disk_exec_t, devicekit_exec_t, devicekit_power_exec_t, devicekit_tmp_t, devicekit_var_log_t, dhcpc_exec_t, dhcpc_tmp_t, dhcpd_tmp_t, dirsrv_config_t, dirsrv_share_t, dirsrv_snmp_var_log_t, dirsrv_tmp_t, dirsrv_var_log_t, dirsrv_var_run_t, dirsrvadmin_config_t, dirsrvadmin_content_t, dirsrvadmin_htaccess_t, dirsrvadmin_ra_content_t, dirsrvadmin_rw_content_t, 
dirsrvadmin_script_exec_t, dirsrvadmin_tmp_t, disk_munin_plugin_exec_t, disk_munin_plugin_tmp_t, dkim_milter_tmp_t, dlm_controld_var_log_t, dmesg_exec_t, dmidecode_exec_t, dnsmasq_tmp_t, dnsmasq_var_log_t, dnssec_trigger_tmp_t, dovecot_auth_tmp_t, dovecot_deliver_tmp_t, dovecot_tmp_t, dovecot_var_log_t, drbd_tmp_t, dspam_content_t, dspam_htaccess_t, dspam_log_t, dspam_ra_content_t, dspam_rw_content_t, dspam_script_exec_t, etc_runtime_t, etc_t, evtchnd_var_log_t, exim_exec_t, exim_log_t, exim_tmp_t, fail2ban_client_exec_t, fail2ban_log_t, fail2ban_tmp_t, fail2ban_var_lib_t, faillog_t, fenced_tmp_t, fenced_var_log_t, fetchmail_exec_t, fetchmail_log_t, file_context_t, fingerd_log_t, firewalld_exec_t, firewalld_tmp_t, firewalld_var_log_t, firewallgui_exec_t, firewallgui_tmp_t, firstboot_exec_t, foghorn_var_log_t, fonts_cache_t, fonts_t, fprintd_exec_t, freqset_exec_t, fsadm_exec_t, fsadm_log_t, fsadm_tmp_t, fsdaemon_tmp_t, ftpd_tmp_t, ftpdctl_exec_t, ftpdctl_tmp_t, games_exec_t, games_tmp_t, games_tmpfs_t, ganesha_tmp_t, ganesha_var_log_t, gconf_tmp_t, gconfd_exec_t, gconfdefaultsm_exec_t, geoclue_exec_t, geoclue_tmp_t, getty_exec_t, getty_log_t, getty_tmp_t, gfs_controld_var_log_t, git_content_t, git_htaccess_t, git_ra_content_t, git_rw_content_t, git_script_exec_t, git_script_tmp_t, git_sys_content_t, gitd_exec_t, gitosis_exec_t, gitosis_var_lib_t, gkeyringd_exec_t, gkeyringd_tmp_t, glance_log_t, glance_registry_tmp_t, glance_tmp_t, glusterd_log_t, glusterd_tmp_t, gnomesystemmm_exec_t, gpg_agent_exec_t, gpg_agent_tmp_t, gpg_exec_t, gpg_helper_exec_t, gpg_pinentry_tmp_t, gpg_pinentry_tmpfs_t, gpm_tmp_t, gpsd_exec_t, groupadd_exec_t, groupd_var_log_t, gssd_tmp_t, haproxy_var_log_t, hostname_etc_t, hostname_exec_t, hsqldb_tmp_t, httpd_cache_t, httpd_config_t, httpd_exec_t, httpd_keytab_t, httpd_lock_t, httpd_log_t, httpd_modules_t, httpd_passwd_exec_t, httpd_php_tmp_t, httpd_squirrelmail_t, httpd_suexec_tmp_t, httpd_sys_content_t, httpd_sys_htaccess_t, 
httpd_sys_ra_content_t, httpd_sys_rw_content_t, httpd_sys_script_exec_t, httpd_tmp_t, httpd_tmpfs_t, httpd_user_htaccess_t, httpd_user_ra_content_t, httpd_user_rw_content_t, httpd_user_script_exec_t, httpd_var_lib_t, httpd_var_run_t, hugetlbfs_t, hwclock_exec_t, hwloc_dhwd_exec_t, iceauth_exec_t, icecast_exec_t, icecast_log_t, ifconfig_exec_t, inetd_child_tmp_t, inetd_log_t, inetd_tmp_t, init_tmp_t, initrc_tmp_t, initrc_var_log_t, innd_log_t, insmod_exec_t, install_exec_t, iotop_exec_t, ipa_cert_t, ipa_helper_exec_t, ipa_log_t, ipa_tmp_t, ipa_var_lib_t, ipa_var_run_t, ipsec_log_t, ipsec_mgmt_exec_t, ipsec_tmp_t, iptables_exec_t, iptables_tmp_t, irc_exec_t, irssi_exec_t, iscsi_log_t, iscsi_tmp_t, iso9660_t, iwhd_log_t, jetty_cache_t, jetty_log_t, jetty_var_lib_t, jetty_var_run_t, jockey_exec_t, jockey_var_log_t, journalctl_exec_t, kadmind_log_t, kadmind_tmp_t, kdump_exec_t, kdumpctl_tmp_t, kdumpgui_exec_t, kdumpgui_tmp_t, keepalived_unconfined_script_exec_t, keystone_cgi_content_t, keystone_cgi_htaccess_t, keystone_cgi_ra_content_t, keystone_cgi_rw_content_t, keystone_cgi_script_exec_t, keystone_log_t, keystone_tmp_t, kismet_exec_t, kismet_log_t, kismet_tmp_t, kismet_tmpfs_t, klogd_tmp_t, krb5_conf_t, krb5_host_rcache_t, krb5_keytab_t, krb5kdc_conf_t, krb5kdc_log_t, krb5kdc_tmp_t, ksmtuned_log_t, ktalkd_log_t, ktalkd_tmp_t, l2tpd_tmp_t, lastlog_t, ld_so_cache_t, ldconfig_exec_t, ldconfig_tmp_t, lib_t, livecd_exec_t, livecd_tmp_t, load_policy_exec_t, loadkeys_exec_t, locale_t, locate_exec_t, lockdev_exec_t, login_exec_t, logrotate_mail_tmp_t, logrotate_tmp_t, logwatch_exec_t, logwatch_mail_tmp_t, logwatch_tmp_t, lpd_tmp_t, lpr_exec_t, lpr_tmp_t, lsassd_tmp_t, lsmd_plugin_exec_t, lsmd_plugin_tmp_t, lvm_exec_t, lvm_tmp_t, machineid_t, mail_munin_plugin_exec_t, mail_munin_plugin_tmp_t, mailman_archive_t, mailman_cgi_tmp_t, mailman_data_t, mailman_log_t, mailman_mail_tmp_t, mailman_queue_tmp_t, man2html_content_t, man2html_htaccess_t, man2html_ra_content_t, 
man2html_rw_content_t, man2html_script_exec_t, man_cache_t, man_t, mandb_cache_t, mcelog_exec_t, mcelog_log_t, mdadm_log_t, mdadm_tmp_t, mediawiki_content_t, mediawiki_htaccess_t, mediawiki_ra_content_t, mediawiki_rw_content_t, mediawiki_script_exec_t, mediawiki_tmp_t, mencoder_exec_t, minidlna_log_t, mirrormanager_exec_t, mirrormanager_log_t, mirrormanager_var_lib_t, mirrormanager_var_run_t, mock_build_exec_t, mock_exec_t, mock_tmp_t, modemmanager_exec_t, mojomojo_content_t, mojomojo_htaccess_t, mojomojo_ra_content_t, mojomojo_rw_content_t, mojomojo_script_exec_t, mojomojo_tmp_t, mongod_log_t, mongod_tmp_t, motion_log_t, mount_ecryptfs_exec_t, mount_exec_t, mount_tmp_t, mozilla_exec_t, mozilla_plugin_config_exec_t, mozilla_plugin_exec_t, mozilla_plugin_tmp_t, mozilla_plugin_tmpfs_t, mozilla_tmp_t, mozilla_tmpfs_t, mpd_exec_t, mpd_log_t, mpd_tmp_t, mplayer_exec_t, mplayer_tmpfs_t, mrtg_exec_t, mrtg_log_t, mscan_tmp_t, munin_content_t, munin_etc_t, munin_htaccess_t, munin_log_t, munin_ra_content_t, munin_rw_content_t, munin_script_exec_t, munin_script_tmp_t, munin_tmp_t, mysqld_etc_t, mysqld_log_t, mysqld_tmp_t, mythtv_content_t, mythtv_htaccess_t, mythtv_ra_content_t, mythtv_rw_content_t, mythtv_script_exec_t, mythtv_var_log_t, nagios_admin_plugin_exec_t, nagios_checkdisk_plugin_exec_t, nagios_content_t, nagios_etc_t, nagios_eventhandler_plugin_exec_t, nagios_eventhandler_plugin_tmp_t, nagios_htaccess_t, nagios_log_t, nagios_mail_plugin_exec_t, nagios_openshift_plugin_exec_t, nagios_openshift_plugin_tmp_t, nagios_ra_content_t, nagios_rw_content_t, nagios_script_exec_t, nagios_services_plugin_exec_t, nagios_system_plugin_exec_t, nagios_system_plugin_tmp_t, nagios_tmp_t, nagios_unconfined_plugin_exec_t, nagios_var_lib_t, named_checkconf_exec_t, named_exec_t, named_log_t, named_tmp_t, namespace_init_exec_t, ncftool_exec_t, ndc_exec_t, net_conf_t, netlabel_mgmt_exec_t, netutils_exec_t, netutils_tmp_t, neutron_log_t, neutron_tmp_t, newrole_exec_t, nova_log_t, 
nova_tmp_t, nscd_log_t, nsd_log_t, nsd_tmp_t, ntop_tmp_t, ntpd_log_t, ntpd_tmp_t, ntpdate_exec_t, numad_var_log_t, nut_upsd_tmp_t, nut_upsdrvctl_tmp_t, nut_upsmon_tmp_t, nutups_cgi_content_t, nutups_cgi_htaccess_t, nutups_cgi_ra_content_t, nutups_cgi_rw_content_t, nutups_cgi_script_exec_t, nx_server_tmp_t, obex_exec_t, oddjob_mkhomedir_exec_t, opendnssec_tmp_t, openhpid_log_t, openshift_cgroup_read_exec_t, openshift_cgroup_read_tmp_t, openshift_content_t, openshift_cron_tmp_t, openshift_htaccess_t, openshift_initrc_tmp_t, openshift_log_t, openshift_net_read_exec_t, openshift_ra_content_t, openshift_rw_content_t, openshift_script_exec_t, openshift_tmp_t, opensm_log_t, openvpn_status_t, openvpn_tmp_t, openvpn_var_log_t, openvswitch_log_t, openvswitch_tmp_t, openwsman_log_t, openwsman_tmp_t, oracleasm_tmp_t, osad_log_t, pads_exec_t, pam_console_exec_t, pam_timestamp_tmp_t, passenger_exec_t, passenger_log_t, passenger_tmp_t, passenger_var_lib_t, passenger_var_run_t, passwd_exec_t, passwd_file_t, pcp_log_t, pcp_tmp_t, pcscd_var_run_t, pegasus_openlmi_storage_tmp_t, pegasus_tmp_t, pesign_tmp_t, pinentry_exec_t, ping_exec_t, piranha_log_t, piranha_web_tmp_t, pkcs_slotd_log_t, pkcs_slotd_tmp_t, pki_log_t, pki_ra_etc_rw_t, pki_ra_log_t, pki_ra_var_lib_t, pki_ra_var_run_t, pki_tomcat_cert_t, pki_tomcat_log_t, pki_tomcat_tmp_t, pki_tps_etc_rw_t, pki_tps_log_t, pki_tps_var_lib_t, pki_tps_var_run_t, plymouth_exec_t, plymouthd_var_log_t, podsleuth_exec_t, podsleuth_tmp_t, podsleuth_tmpfs_t, policykit_auth_exec_t, policykit_exec_t, policykit_grant_exec_t, policykit_resolve_exec_t, policykit_tmp_t, polipo_exec_t, polipo_log_t, portmap_helper_exec_t, portmap_tmp_t, postfix_bounce_tmp_t, postfix_cleanup_tmp_t, postfix_exec_t, postfix_local_tmp_t, postfix_map_exec_t, postfix_map_tmp_t, postfix_pickup_tmp_t, postfix_pipe_tmp_t, postfix_postdrop_exec_t, postfix_postdrop_t, postfix_postqueue_exec_t, postfix_qmgr_tmp_t, postfix_showq_exec_t, postfix_smtp_tmp_t, postfix_smtpd_tmp_t, 
postfix_virtual_tmp_t, postgresql_log_t, postgresql_tmp_t, pppd_exec_t, pppd_log_t, pppd_tmp_t, pptp_log_t, prelink_exec_t, prelink_log_t, prelink_tmp_t, prelude_lml_tmp_t, prelude_log_t, preupgrade_data_t, preupgrade_exec_t, prewikka_content_t, prewikka_htaccess_t, prewikka_ra_content_t, prewikka_rw_content_t, prewikka_script_exec_t, privoxy_log_t, proc_t, procmail_exec_t, procmail_log_t, procmail_tmp_t, prosody_log_t, prosody_tmp_t, psad_tmp_t, psad_var_log_t, ptchown_exec_t, public_content_rw_t, public_content_t, pulseaudio_exec_t, pulseaudio_tmpfs_t, puppet_log_t, puppet_tmp_t, puppet_var_lib_t, puppetca_exec_t, puppetmaster_tmp_t, pwauth_exec_t, pyicqt_log_t, qdiskd_var_log_t, qemu_exec_t, qmail_tcp_env_exec_t, qpidd_tmp_t, quota_exec_t, rabbitmq_tmp_t, rabbitmq_var_log_t, racoon_tmp_t, radiusd_log_t, readahead_exec_t, realmd_exec_t, realmd_tmp_t, realmd_var_lib_t, redis_log_t, rhev_agentd_log_t, rhev_agentd_tmp_t, rhsmcertd_exec_t, rhsmcertd_log_t, rhsmcertd_tmp_t, ricci_modcluster_var_log_t, ricci_tmp_t, ricci_var_log_t, rkhunter_var_lib_t, rlogind_tmp_t, rpcbind_tmp_t, rpm_exec_t, rpm_log_t, rpm_script_tmp_t, rpm_tmp_t, rssh_chroot_helper_exec_t, rssh_exec_t, rsync_exec_t, rsync_log_t, rsync_tmp_t, rtas_errd_log_t, rtas_errd_tmp_t, rtkit_daemon_exec_t, run_init_exec_t, samba_etc_t, samba_log_t, samba_net_exec_t, samba_net_tmp_t, samba_var_t, sambagui_exec_t, sanlock_log_t, sbd_tmpfs_t, sblim_tmp_t, screen_exec_t, secadm_sudo_tmp_t, sectool_tmp_t, sectool_var_log_t, sectoolm_exec_t, security_t, selinux_munin_plugin_exec_t, selinux_munin_plugin_tmp_t, semanage_exec_t, semanage_tmp_t, sendmail_exec_t, sendmail_log_t, sendmail_tmp_t, sensord_log_t, services_munin_plugin_exec_t, services_munin_plugin_tmp_t, session_dbusd_tmp_t, setfiles_exec_t, setkey_exec_t, setroubleshoot_fixit_exec_t, setroubleshoot_var_log_t, setroubleshootd_exec_t, setsebool_exec_t, seunshare_exec_t, sge_job_exec_t, sge_shepherd_exec_t, sge_tmp_t, shell_exec_t, shorewall_log_t, 
shorewall_tmp_t, showmount_exec_t, slapd_cert_t, slapd_log_t, slapd_tmp_t, slpd_log_t, smbcontrol_exec_t, smbd_tmp_t, smokeping_cgi_content_t, smokeping_cgi_htaccess_t, smokeping_cgi_ra_content_t, smokeping_cgi_rw_content_t, smokeping_cgi_script_exec_t, smokeping_var_lib_t, smokeping_var_run_t, smoltclient_exec_t, smoltclient_tmp_t, smsd_log_t, smsd_tmp_t, snapperd_exec_t, snapperd_log_t, snmpd_log_t, snort_log_t, snort_tmp_t, sosreport_exec_t, sosreport_tmp_t, soundd_tmp_t, spamc_exec_t, spamc_tmp_t, spamd_log_t, spamd_tmp_t, spamd_update_exec_t, speech-dispatcher_exec_t, speech-dispatcher_log_t, speech-dispatcher_tmp_t, squid_content_t, squid_cron_exec_t, squid_htaccess_t, squid_log_t, squid_ra_content_t, squid_rw_content_t, squid_script_exec_t, squid_tmp_t, squirrelmail_spool_t, src_t, ssh_agent_exec_t, ssh_agent_tmp_t, ssh_exec_t, ssh_keygen_exec_t, ssh_keygen_tmp_t, ssh_keysign_exec_t, ssh_tmpfs_t, sssd_public_t, sssd_selinux_manager_exec_t, sssd_var_lib_t, sssd_var_log_t, staff_sudo_tmp_t, stapserver_log_t, stapserver_tmp_t, stunnel_log_t, stunnel_tmp_t, su_exec_t, sudo_exec_t, sudo_log_t, sulogin_exec_t, svc_multilog_exec_t, svc_run_exec_t, svc_start_exec_t, svirt_tmp_t, svnserve_log_t, svnserve_tmp_t, swat_tmp_t, swift_tmp_t, sysadm_passwd_tmp_t, sysadm_sudo_tmp_t, sysfs_t, syslogd_tmp_t, sysstat_exec_t, sysstat_log_t, system_conf_t, system_cronjob_tmp_t, system_db_t, system_dbusd_tmp_t, system_dbusd_var_lib_t, system_mail_tmp_t, system_munin_plugin_exec_t, system_munin_plugin_tmp_t, systemd_passwd_var_run_t, targetd_tmp_t, tcpd_tmp_t, telepathy_gabble_exec_t, telepathy_gabble_tmp_t, telepathy_idle_exec_t, telepathy_idle_tmp_t, telepathy_logger_exec_t, telepathy_logger_tmp_t, telepathy_mission_control_exec_t, telepathy_mission_control_tmp_t, telepathy_msn_exec_t, telepathy_msn_tmp_t, telepathy_salut_exec_t, telepathy_salut_tmp_t, telepathy_sofiasip_exec_t, telepathy_sofiasip_tmp_t, telepathy_stream_engine_exec_t, telepathy_stream_engine_tmp_t, 
telepathy_sunshine_exec_t, telepathy_sunshine_tmp_t, telnetd_tmp_t, tetex_data_t, textrel_shlib_t, tgtd_tmp_t, thin_aeolus_configserver_log_t, thin_log_t, thumb_exec_t, thumb_tmp_t, tmp_t, tmpreaper_exec_t, tomcat_log_t, tomcat_tmp_t, tor_var_log_t, traceroute_exec_t, tuned_log_t, tuned_tmp_t, tvtime_exec_t, tvtime_tmp_t, tvtime_tmpfs_t, udev_tmp_t, udev_var_run_t, ulogd_var_log_t, uml_exec_t, uml_tmp_t, uml_tmpfs_t, unconfined_exec_t, unconfined_munin_plugin_exec_t, unconfined_munin_plugin_tmp_t, update_modules_exec_t, update_modules_tmp_t, updfstab_exec_t, usbmodules_exec_t, usbmuxd_exec_t, user_cron_spool_t, user_fonts_t, user_mail_tmp_t, user_tmp_t, useradd_exec_t, userhelper_exec_t, usernetctl_exec_t, usr_t, utempter_exec_t, uucpd_log_t, uucpd_tmp_t, uux_exec_t, var_lib_t, var_log_t, var_spool_t, varnishd_tmp_t, varnishlog_log_t, vdagent_log_t, virsh_exec_t, virt_log_t, virt_qemu_ga_log_t, virt_qemu_ga_tmp_t, virt_qemu_ga_unconfined_exec_t, virt_tmp_t, virt_var_lib_t, virtd_lxc_exec_t, vlock_exec_t, vmtools_helper_exec_t, vmtools_tmp_t, vmtools_unconfined_exec_t, vmware_exec_t, vmware_host_tmp_t, vmware_log_t, vmware_tmp_t, vmware_tmpfs_t, vnstat_exec_t, vpnc_exec_t, vpnc_tmp_t, w3c_validator_content_t, w3c_validator_htaccess_t, w3c_validator_ra_content_t, w3c_validator_rw_content_t, w3c_validator_script_exec_t, w3c_validator_tmp_t, watchdog_log_t, watchdog_unconfined_exec_t, webadm_tmp_t, webalizer_content_t, webalizer_exec_t, webalizer_htaccess_t, webalizer_ra_content_t, webalizer_rw_content_t, webalizer_script_exec_t, webalizer_tmp_t, winbind_log_t, wine_exec_t, wireshark_exec_t, wireshark_tmp_t, wireshark_tmpfs_t, wpa_cli_exec_t, wtmp_t, xauth_exec_t, xauth_tmp_t, xdm_exec_t, xdm_log_t, xdm_unconfined_exec_t, xend_tmp_t, xend_var_log_t, xenstored_tmp_t, xenstored_var_log_t, xferlog_t, xserver_exec_t, xserver_log_t, xserver_tmpfs_t, ypbind_tmp_t, ypserv_tmp_t, zabbix_log_t, zabbix_script_exec_t, zabbix_tmp_t, zarafa_deliver_log_t, zarafa_deliver_tmp_t, 
zarafa_gateway_log_t, zarafa_ical_log_t, zarafa_indexer_log_t, zarafa_indexer_tmp_t, zarafa_monitor_log_t, zarafa_server_log_t, zarafa_server_tmp_t, zarafa_spooler_log_t, zarafa_var_lib_t, zebra_log_t, zebra_tmp_t, zoneminder_content_t, zoneminder_exec_t, zoneminder_htaccess_t, zoneminder_log_t, zoneminder_ra_content_t, zoneminder_rw_content_t, zoneminder_script_exec_t, zoneminder_var_lib_t, zos_remote_exec_t.
Then execute:
restorecon -v '/var/cache/nginx/.pki/nssdb/cert9.db'
***** Plugin catchall (17.1 confidence) suggests **************************
If you believe that php-fpm should be allowed lock access on the cert9.db file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
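# ausearch -c 'php-fpm' --raw | audit2allow -M my-phpfpm
# semodule -i my-phpfpm.pp
[Note: audit2allow -M also writes the policy source to my-phpfpm.te; read it before running semodule. Built from the denial shown below, the rule would let httpd_t lock any file labelled var_t, not only cert9.db, and the module would also cover any other php-fpm denials present in the audit log.]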
Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:object_r:var_t:s0
Target Objects /var/cache/nginx/.pki/nssdb/cert9.db [ file ]
Source php-fpm
Source Path /usr/sbin/php-fpm
Port <Unknown>
Host di-staging
Source RPM Packages php-fpm-7.2.14-1.el7.remi.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name di-staging
Platform Linux di-staging 3.10.0-957.el7.x86_64 #1 SMP Thu
Nov 8 23:39:32 UTC 2018 x86_64 x86_64
Alert Count 936
First Seen 2019-03-02 16:32:29 GMT
Last Seen 2019-03-02 21:24:14 GMT
Local ID 3a672c0c-ed3b-4509-9695-49eca37e2061
Raw Audit Messages
type=AVC msg=audit(1551561854.609:568178): avc: denied { lock } for pid=3751 comm="php-fpm" path="/var/cache/nginx/.pki/nssdb/cert9.db" dev="sda2" ino=790407 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1551561854.609:568178): arch=x86_64 syscall=fcntl success=no exit=EACCES a0=8 a1=6 a2=7ffe4a3e47e0 a3=0 items=0 ppid=3450 pid=3751 auid=4294967295 uid=996 gid=993 euid=996 suid=996 fsuid=996 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm=php-fpm exe=/usr/sbin/php-fpm subj=system_u:system_r:httpd_t:s0 key=(null)
Hash: php-fpm,httpd_t,var_t,file,lock
linux rhel security php selinux
asked 1 hour ago
turrican_34