After upgrading php on my SELinux enabled server, the restart gave the following output:

---
 * Stopping PHP FastCGI Process Manager ... [ ok ]
 * Starting PHP FastCGI Process Manager ...
[15-Dec-2012 11:27:53] ERROR: failed to read from pipe: Permission denied (13)
 * start-stop-daemon: failed to start `/usr/lib/php5.4/bin/php-fpm' [ ok ]
---

Inside the phpfpm log, there is:

---
[15-Dec-2012 11:23:39] NOTICE: fpm is running, pid 28052
[15-Dec-2012 11:23:39] ERROR: failed to read from pipe: Permission denied (13)
[15-Dec-2012 11:23:39] NOTICE: ready to handle connections
---

In the avc log:

---
avc: denied { write } for pid=27859 comm="php-fpm" path="pipe:[3360395]" dev="pipefs" ino=3360395 scontext=system_u:system_r:phpfpm_t tcontext=system_u:system_r:phpfpm_t tclass=fifo_file
avc: denied { read } for pid=27858 comm="php-fpm" path="pipe:[3360395]" dev="pipefs" ino=3360395 scontext=system_u:system_r:phpfpm_t tcontext=system_u:system_r:phpfpm_t tclass=fifo_file
---

In fact the daemon is up and running.

From the php source code (sapi/fpm/fpm/fpm_unix.c), I think that the error comes from the following code:

---
...
pid_t pid = fork();
switch (pid) {

    case -1 : /* error */
        zlog(ZLOG_SYSERROR, "failed to daemonize");
        return -1;

    case 0 : /* children */
        close(fpm_globals.send_config_pipe[0]); /* close the read side of the pipe */
        break;

    default : /* parent */
        close(fpm_globals.send_config_pipe[1]); /* close the write side of the pipe */

        [... (checks) ...]

        ret = read(fpm_globals.send_config_pipe[0], &readval, sizeof(readval));
        if (ret == -1) {
            zlog(ZLOG_SYSERROR, "failed to read from pipe");
            exit(FPM_EXIT_SOFTWARE);
        }

        if (ret == 0) {
            zlog(ZLOG_ERROR, "no data have been read from pipe");
            exit(FPM_EXIT_SOFTWARE);
        } else {
            if (readval == 1) {
                zlog(ZLOG_DEBUG, "I received a valid acknoledge from the master process, I can exit without error");
                fpm_cleanups_run(FPM_CLEANUP_PARENT_EXIT);
                exit(FPM_EXIT_OK);
            } else {
                zlog(ZLOG_DEBUG, "The master process returned an error !");
                exit(FPM_EXIT_SOFTWARE);
            }
        }
        exit(FPM_EXIT_SOFTWARE);
...
---

If I understand the code well, it's just a check on a fork. The parent is supposed to call exit in all the situations, thus it only changes the log, return code and a call to 'fpm_cleanups_run'.

I added the following rule:

allow phpfpm_t self:fifo_file rw_fifo_file_perms;

As a result, no more errors:

 * Stopping PHP FastCGI Process Manager ... [ ok ]
 * Starting PHP FastCGI Process Manager ... [ ok ]

phpfpm log:

[15-Dec-2012 12:04:45] NOTICE: fpm is running, pid 30443
[15-Dec-2012 12:04:45] NOTICE: ready to handle connections
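Added example, not part of the original report: a Python sketch of the step from the two AVC denials quoted above to a type-enforcement rule, merging denials that share source type, target type and class, and writing the target as `self` when the two types match. The function and variable names are assumptions of this example; it emits the literal denied permissions, whereas the rule in the report uses the `rw_fifo_file_perms` macro.

```python
import re
from collections import defaultdict

# The two denials exactly as quoted in the report.
AVC_LINES = [
    'avc: denied { write } for pid=27859 comm="php-fpm" path="pipe:[3360395]" '
    'dev="pipefs" ino=3360395 scontext=system_u:system_r:phpfpm_t '
    'tcontext=system_u:system_r:phpfpm_t tclass=fifo_file',
    'avc: denied { read } for pid=27858 comm="php-fpm" path="pipe:[3360395]" '
    'dev="pipefs" ino=3360395 scontext=system_u:system_r:phpfpm_t '
    'tcontext=system_u:system_r:phpfpm_t tclass=fifo_file',
]

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)


def selinux_type(context):
    """Return the type field of a user:role:type[:range] security context."""
    return context.split(':')[2]


def rules_from_avc(lines):
    """Collapse AVC denial lines into one allow rule per (source, target, class)."""
    wanted = defaultdict(set)
    for line in lines:
        m = AVC_RE.search(line)
        if m is None:
            continue  # not an AVC denial; ignore
        src = selinux_type(m['scon'])
        tgt = selinux_type(m['tcon'])
        if tgt == src:
            # A domain acting on an object labelled with its own type
            # (here: its own pipe) is written as "self" in policy.
            tgt = 'self'
        wanted[(src, tgt, m['tclass'])].update(m['perms'].split())

    rules = []
    for (src, tgt, tclass), perms in sorted(wanted.items()):
        names = sorted(perms)
        perm_text = names[0] if len(names) == 1 else '{ ' + ' '.join(names) + ' }'
        rules.append(f'allow {src} {tgt}:{tclass} {perm_text};')
    return rules


if __name__ == '__main__':
    for rule in rules_from_avc(AVC_LINES):
        print(rule)
```
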
Thanks; fixed in repo, will be in r9
r9 in hardened-dev overlay
r9 in main repo, ~arch'ed
Forgot to mention... stabilized a while ago ;)