My current configuration:
GCE f1-micro (1 vCPU, 0.6GB) Haswell, CentOS 7.2, NGINX 1.10.2, PHP 7.0.12
- Static pages serve without issue.
- phpinfo() page servers without issue.
- WordPress setup page overloads CPU causing me to reset the server.
[error] 29111#0: *43 FastCGI sent in stderr: "PHP message: PHP Warning: Unknown: failed to open stream: Permission denied in Unknown on line 0
Unable to open primary script: /var/www/mysite.com/public/index.php (Permission denied)" while reading response header from upstream, client: XX.XXX.XXX.XXX, server: _, request: "GET / HTTP/1.1", upstream: "fastcgi://unix:/var/run/php-fpm/php-fpm.sock:", host: "XXX.XXX.XXX.XXX"
NGINX *.conf file location directives
location / {
try_files $uri $uri/ /index.php?$args;
}
location ~ \.php$ {
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
fastcgi_index index.php;
include /etc/nginx/fastcgi.conf;
}
location ~ ^/(status|ping)$ {
access_log off;
include /etc/nginx/fastcgi.conf;
fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
}
NGINX
user = rocky
PHP-FPM
user = rocky
group = rocky
listen.owner = rocky
listen.group = rocky
listen.mode = 0660
Public permissions
/var/
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 www
/var/www/
drwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 mydomain
/var/www/mydomain/
drwxr-xr-x. rocky rocky unconfined_u:object_r:httpd_sys_rw_content_t:s0 public
/var/www/mydomain/public
-rw-r--r--. rocky rocky unconfined_u:object_r:httpd_sys_rw_content_t:s0 index.html
-rw-r--r--. rocky rocky unconfined_u:object_r:httpd_sys_rw_content_t:s0 index.php
-rw-r--r--. rocky rocky unconfined_u:object_r:httpd_sys_rw_content_t:s0 info.php
-rw-r--r--. rocky rocky unconfined_u:object_r:httpd_sys_rw_content_t:s0 license.txt
-rw-r--r--. rocky rocky unconfined_u:object_r:httpd_sys_rw_content_t:s0 readme.html
-rw-r--r--. rocky rocky unconfined_u:object_r:httpd_sys_rw_content_t:s0 wp-activate.php
drwxr-xr-x. rocky rocky unconfined_u:object_r:httpd_sys_rw_content_t:s0 wp-admin
-rw-r--r--. rocky rocky unconfined_u:object_r:httpd_sys_rw_content_t:s0 wp-blog-header.php
-rw-r--r--. rocky rocky unconfined_u:object_r:httpd_sys_rw_content_t:s0 wp-comments-post.php
-rw-r--r--. rocky rocky unconfined_u:object_r:httpd_sys_rw_content_t:s0 wp-config-sample.php
drwxr-xr-x. rocky rocky unconfined_u:object_r:httpd_sys_rw_content_t:s0 wp-content
-rw-r--r--. rocky rocky unconfined_u:object_r:httpd_sys_rw_content_t:s0 wp-cron.php
drwxr-xr-x. rocky rocky unconfined_u:object_r:httpd_sys_rw_content_t:s0 wp-includes
-rw-r--r--. rocky rocky unconfined_u:object_r:httpd_sys_rw_content_t:s0 wp-links-opml.php
-rw-r--r--. rocky rocky unconfined_u:object_r:httpd_sys_rw_content_t:s0 wp-load.php
-rw-r--r--. rocky rocky unconfined_u:object_r:httpd_sys_rw_content_t:s0 wp-login.php
-rw-r--r--. rocky rocky unconfined_u:object_r:httpd_sys_rw_content_t:s0 wp-mail.php
-rw-r--r--. rocky rocky unconfined_u:object_r:httpd_sys_rw_content_t:s0 wp-settings.php
-rw-r--r--. rocky rocky unconfined_u:object_r:httpd_sys_rw_content_t:s0 wp-signup.php
-rw-r--r--. rocky rocky unconfined_u:object_r:httpd_sys_rw_content_t:s0 wp-trackback.php
-rw-r--r--. rocky rocky unconfined_u:object_r:httpd_sys_rw_content_t:s0 xmlrpc.php
Audit Log
type=SYSCALL msg=audit(1480104445.879:461): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=10000 a2=7 a3=22 items=0 ppid=1270 pid=1275 auid=4294967295 uid=1000 gid=1001 euid=1000 suid=1000 fsuid=1000 egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=4294967295 comm="php-fpm" exe="/usr/sbin/php-fpm" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1480104445.879:461): avc: denied { execmem } for pid=1275 comm="php-fpm" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process
