
I have an issue with php-fpm. It is actually the php7 version. I have Drupal and it will complain that some directory is not writable, but only if I start php-fpm as a service like this:

#service php-fpm start

I am using nginx as web server and php-fpm, in port 127.0.0.1:9000. This is my conf in /etc/php-fpm.d/www.conf:

; Start a new pool named 'www'.
[www]
user = nginx
group = nginx
listen = 127.0.0.1:9000

All the documents for web - drupal - belong to nginx:nginx. If I start the service, either

#service php-fpm start

or

#systemctl start php-fpm

it will complain about permissions, even though ps shows this (ps aux | grep php-fpm):

root  1591 0.0 0.8 528916 31260 ? Ss 07:49 0:00 php-fpm: master process (/etc/php-fpm.conf)
nginx 1593 0.0 2.2 567252 79768 ? S  07:49 0:03 php-fpm: pool www
nginx 1594 0.0 1.9 565248 72004 ? S  07:49 0:01 php-fpm: pool www
nginx 1595 0.0 2.0 567268 73040 ? S  07:49 0:02 php-fpm: pool www
nginx 1596 0.0 2.0 573440 75320 ? S  07:49 0:01 php-fpm: pool www
nginx 1597 0.0 1.9 568704 71812 ? S  07:49 0:02 php-fpm: pool www
nginx 1600 0.0 2.0 572360 74632 ? S  07:50 0:01 php-fpm: pool www
nginx 1604 0.0 1.8 565264 68584 ? S  07:53 0:01 php-fpm: pool www

So it looks like the user was properly set. But it's not working.

Now what I really don't understand is that if I execute this:

#/usr/sbin/php-fpm --nodaemonize --fpm-config /etc/php-fpm.conf

which is the command described in the service unit (/usr/lib/systemd/system/php-fpm.service), then I have no permission issues.

The output of ps aux | grep php-fpm is the same, with nginx being the user.

I am executing everything as root.

How is this possible?

Edit

This has become an SELinux question. I have this in the audit logs:

denied { write } for pid=2755 comm="php-fpm" name="files" dev="xvda1" ino=9167949 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir 

The directory I want php-fpm to write to is the one called vanilladrupal:

# ls -Z .
drwxr-xr-x. root  root  system_u:object_r:httpd_sys_content_t:s0 html
drwxr-xr-x. nginx nginx unconfined_u:object_r:httpd_sys_content_t:s0 vanilladrupal

The process php-fpm has this context:

# ps Zaux | grep php-fpm
system_u:system_r:httpd_t:s0 root  2749 0.0 0.8 528916 31212 ? Ss 03:03 0:00 php-fpm: master process (/etc/php-fpm.conf)
system_u:system_r:httpd_t:s0 nginx 2751 0.0 0.5 529548 19456 ? S  03:03 0:00 php-fpm: pool www

The other pool www processes look the same.

The SELinux config is this:

SELINUX=enforcing
SELINUXTYPE=targeted

What change should I make?

(Here, it is kind of argued that, the way it is set up, there should be no permission issues.)

(I tried to change the context for the directory "vanilladrupal" to look the same as html (I assume that if I had put the dir inside html I wouldn't have any problem) by changing the user. But I just got even more errors (forbidden {execmem}).)

  • Have you checked audit logs? Commented Dec 7, 2015 at 9:09
  • @FlorinAsăvoaie Oh, I had no idea about that. It says denied { write } for pid=1594 comm="php-fpm" name="files" dev="xvda1" ino=9167949 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir, so it's definitely that. I'll research that (do you know any online tutorial about it?) Commented Dec 8, 2015 at 2:20

1 Answer

You will need to change the SELinux context for all files where Drupal needs to write to httpd_sys_rw_content_t, something like this:

semanage fcontext -a -t httpd_sys_rw_content_t '/usr/share/nginx/html/drupal/admin/config/media/file-system(/.*)?'

I don't know what your paths are; you need to check in the Drupal interface under Configuration -> Media -> Filesystem for more information.

  • Exactly this. It looks like semanage takes into account the current directory from where you are executing the command semanage fcontext --add --type httpd_sys_rw_content_t "/www(/.*)?". Oh, I was in the same www dir. I'm not sure, but it complains when I tried "/var/www(/.*)?". I have checked the differences between permissions from httpd_t to httpd_sys_content_t : dir and the one with rw in it : dir, using the sesearch command, and there are repeated entries with different {privileges}. I am quite confused, but I might ask a different question. Thanks for this one. Commented Dec 8, 2015 at 5:46
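The following script is an added example, not part of the question or the answer above. It parses an AVC denial of the shape shown in the question (the first sample line is that denial; the second, an execmem denial on the process itself, is constructed), decides whether it is the "directory labelled httpd_sys_content_t, which httpd_t may only read" case that the answer fixes, and generates the semanage fcontext plus restorecon pair for a directory. The Drupal files path used in the demo is hypothetical; the real one comes from Drupal's Configuration -> Media -> File system page. Two points the script encodes: file-context patterns are matched against the full absolute path, so a relative pattern never matches anything, and semanage only records the rule, so existing files keep their old label until restorecon relabels them.

```shell
#!/bin/sh
# Added example: classify php-fpm AVC denials and produce the relabel commands.
# Sample lines are constructed for the demo; AVC_WRITE mirrors the question.

# Constructed sample 1: write to a directory labelled httpd_sys_content_t
# (read-only for httpd_t) - the denial from the question.
AVC_WRITE='denied { write } for pid=2755 comm="php-fpm" name="files" dev="xvda1" ino=9167949 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir'

# Constructed sample 2: execmem on the process itself. No file label is
# involved, so relabelling a directory cannot fix it.
AVC_EXECMEM='type=AVC msg=audit(1449540000.123:456): avc:  denied  { execmem } for  pid=2760 comm="php-fpm" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process'

# avc_field LINE KEY: value of KEY=value in LINE, surrounding quotes removed.
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | tr -d '"' | head -n 1
}

# avc_perm LINE: the permission list inside "denied { ... }".
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^}]*[^} ]\) *}.*/\1/p'
}

# context_type CONTEXT: the type field of user:role:type:level.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_diagnose LINE prints one of:
#   relabel-rw   write-type access to httpd_sys_content_t: relabel as rw
#   check-label  file/dir denial with some other label: inspect with ls -Z
#   not-label    not a file-label problem at all (process class, booleans)
#   not-httpd    the denied process is not running as httpd_t
avc_diagnose() {
    perm=$(avc_perm "$1")
    tclass=$(avc_field "$1" tclass)
    stype=$(context_type "$(avc_field "$1" scontext)")
    ttype=$(context_type "$(avc_field "$1" tcontext)")

    if [ "$stype" != httpd_t ]; then
        echo not-httpd
        return
    fi
    case "$tclass" in
        dir|file) ;;
        *) echo not-label; return ;;
    esac
    # Permissions that need a writable label on the target.
    case " $perm " in
        *" write "*|*" create "*|*" add_name "*|*" remove_name "*|*" unlink "*|*" rename "*|*" setattr "*)
            if [ "$ttype" = httpd_sys_content_t ]; then
                echo relabel-rw
                return
            fi ;;
    esac
    echo check-label
}

# avc_fix_commands PATH: print the persistent fcontext rule for PATH and
# everything under it, then the restorecon that applies it to existing files.
# Refuses relative paths: fcontext patterns are matched against full paths.
avc_fix_commands() {
    path=$1
    case "$path" in
        /*) ;;
        *) echo "error: path must be absolute: $path" >&2; return 1 ;;
    esac
    path=${path%/}   # drop a trailing slash so the regex stays well-formed
    printf "semanage fcontext -a -t httpd_sys_rw_content_t '%s(/.*)?'\n" "$path"
    printf "restorecon -Rv '%s'\n" "$path"
}

# Demo: classify both samples, then show the fix for a hypothetical Drupal
# files directory (take the real path from Drupal's file system settings).
for line in "$AVC_WRITE" "$AVC_EXECMEM"; do
    printf '%s %s on %s: %s\n' "$(avc_field "$line" comm)" "$(avc_perm "$line")" \
        "$(avc_field "$line" tclass)" "$(avc_diagnose "$line")"
done
avc_fix_commands /usr/share/nginx/html/vanilladrupal/sites/default/files
```

Feed it a line copied from `ausearch -m avc -c php-fpm` (or from /var/log/audit/audit.log) and, when it reports relabel-rw, run the two printed commands as root on the directory Drupal writes to, not on the whole site, so the PHP code itself stays read-only for httpd_t.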
