
Please explain the origin of the following error and why "anon_hugepage" is missing from my file listing.


SELinux is preventing /usr/sbin/php-fpm from write access on the file /anon_hugepage (deleted).

*****  Plugin restorecon (99.5 confidence) suggests   ************************

If you want to fix the label. 
/anon_hugepage (deleted) default label should be etc_runtime_t.
Then you can run restorecon.
Do # /sbin/restorecon -v /anon_hugepage (deleted)

*****  Plugin catchall (1.49 confidence) suggests   **************************

If you believe that php-fpm should be allowed write access on the anon_hugepage (deleted) file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do allow this access for now by executing:

# grep php-fpm /var/log/audit/audit.log | audit2allow -M mypol

# semodule -i mypol.pp


Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                system_u:object_r:hugetlbfs_t:s0
Target Objects                /anon_hugepage (deleted) [ file ]
Source                        php-fpm
Source Path                   /usr/sbin/php-fpm
Port                          <Unknown>
Host                          localhost
Source RPM Packages           php70w-fpm-7.0.11-1.w7.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-60.el7_2.9.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     instance-1
Platform                      Linux instance-1 3.10.0-327.36.1.el7.x86_64 #1 SMP
                              Sun Sep 18 13:04:29 UTC 2016 x86_64 x86_64
Alert Count                   1
First Seen                    2016-10-07 08:46:26 UTC
Last Seen                     2016-10-07 08:46:26 UTC
Local ID                      1711a7c8-1f3d-4dda-be96-69f7553186d4

Raw Audit Messages
type=AVC msg=audit(1475829986.9:445): avc:  denied  { write } for  pid=1360 comm="php-fpm" path=2F616E6F6E5F6875676570616765202864656C6574656429 dev="hugetlbfs" ino=18206 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:hugetlbfs_t:s0 tclass=file


type=SYSCALL msg=audit(1475829986.9:445): arch=x86_64 syscall=mmap success=no exit=EACCES a0=0 a1=8000000 a2=3 a3=40021 items=0 ppid=1 pid=1360 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=php-fpm exe=/usr/sbin/php-fpm subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: php-fpm,httpd_t,hugetlbfs_t,file,write

****

I've attempted the following with no success:

touch /anon_hugepage
semanage fcontext -a -t etc_runtime_t /anon_hugepage
restorecon -v /anon_hugepage
user9517
Ryan Prentiss
  • Disable selinux and try again – gloom700 Oct 07 '16 at 10:36
  • I want to resolve using SELinux. – Ryan Prentiss Oct 07 '16 at 10:47
  • By setting SELinux to permissive mode it allows you to gather all related messages so that you can deal with them in one go. – user9517 Oct 07 '16 at 11:00
  • You are actively and intentionally trying to use hugepages in PHP right? – Matthew Ife Oct 07 '16 at 11:10
  • @MatthewIfe Not to my knowledge. I am simply attempting to launch a LEMP server. I have never dealt with hugepages and before today had never heard of them. – Ryan Prentiss Oct 07 '16 at 11:14
  • Why, then, are you trying to create this file in the first place? No such file should exist, as far as I know. – Michael Hampton Oct 08 '16 at 00:19
  • @MichaelHampton I resorted to attempting to make the file because of the error being thrown in SELinux. The situation is causing PHP-FPM to freeze up due to setroubleshoot eating up all the memory alerting me to the error. In addition to the above-mentioned installs, OPCache and Redis are also installed. Server will be hosting primarily WordPress sites. – Ryan Prentiss Oct 08 '16 at 01:04
  • I would try to find out why your nonstandard build of PHP is trying to create this file to begin with. It's not normal behavior. – Michael Hampton Oct 08 '16 at 01:14
  • @MichaelHampton I will begin researching in that direction. I'm using the following build... https://webtatic.com/packages/php70/ – Ryan Prentiss Oct 08 '16 at 01:56
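
Added example (not part of the original question, comments or answer): a decoder for the two raw audit records quoted in the question. It hex-decodes the path= field and interprets the mmap arguments with the x86_64 Linux flag values; the function names are the example's own, and the SYSCALL record is trimmed to the fields it reads.

```python
import re

# The two raw audit records from the question (SYSCALL trimmed to the fields used).
AVC = ('type=AVC msg=audit(1475829986.9:445): avc:  denied  { write } for  pid=1360 '
       'comm="php-fpm" path=2F616E6F6E5F6875676570616765202864656C6574656429 '
       'dev="hugetlbfs" ino=18206 scontext=system_u:system_r:httpd_t:s0 '
       'tcontext=system_u:object_r:hugetlbfs_t:s0 tclass=file')
SYSCALL = ('type=SYSCALL msg=audit(1475829986.9:445): arch=x86_64 syscall=mmap '
           'success=no exit=EACCES a0=0 a1=8000000 a2=3 a3=40021 items=0 '
           'comm=php-fpm exe=/usr/sbin/php-fpm')

# x86_64 Linux mmap(2) constants (values from the kernel UAPI headers).
PROT = {0x1: "PROT_READ", 0x2: "PROT_WRITE", 0x4: "PROT_EXEC"}
MAP = {0x01: "MAP_SHARED", 0x02: "MAP_PRIVATE", 0x10: "MAP_FIXED",
       0x20: "MAP_ANONYMOUS", 0x40000: "MAP_HUGETLB"}

def fields(record):
    """Split an audit record into raw key=value pairs (quotes kept)."""
    return dict(re.findall(r'(\w+)=("[^"]*"|\S+)', record))

def decode(value):
    """Quoted values are literal; unquoted all-hex values were hex-encoded by auditd."""
    if value.startswith('"'):
        return value.strip('"')
    if re.fullmatch(r'(?:[0-9A-Fa-f]{2})+', value):
        return bytes.fromhex(value).decode("utf-8", "replace")
    return value

def flag_names(value, table):
    return [name for bit, name in table.items() if value & bit]

def explain(avc, syscall):
    a, s = fields(avc), fields(syscall)
    flags = int(s["a3"], 16)  # audit prints a0..a3 in hex without a 0x prefix
    return {
        "path": decode(a["path"]),
        "dev": decode(a["dev"]),
        "length_mib": int(s["a1"], 16) // (1024 * 1024),
        "prot": flag_names(int(s["a2"], 16), PROT),
        "flags": flag_names(flags, MAP),
        # An anonymous MAP_HUGETLB mapping is backed by an unlinked, kernel-internal
        # hugetlbfs file, so no /anon_hugepage exists in the root filesystem.
        "anonymous_hugetlb": bool(flags & 0x20 and flags & 0x40000),
    }

if __name__ == "__main__":
    for key, value in explain(AVC, SYSCALL).items():
        print(f"{key}: {value}")
```

The decoded record shows a 128 MiB anonymous huge-page mmap being denied, which is why the object carries the hugetlbfs_t type and a path ending in "(deleted)" rather than pointing at a file that restorecon could relabel.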

1 Answer


It seems to me the file anon_hugepage is missing as it shows "deleted". Also the message is stating to change your runtime and perform:

/sbin/restorecon -v /anon_hugepage

After that, PHP should be able to access the file with SELinux enabled. Please also make sure the file is there and has the correct rights and ownership.

techraf
  • I believe I've already attempted this. Check the bottom of my post and let me know if I did something incorrectly. I've tested it with both the ownership being root, and as the web group. – Ryan Prentiss Oct 07 '16 at 11:17