php-fpm fails to monitor PHP scripts, printing "Operation not permitted" message
Issue
- On systems executing an HTTP server and php-fpm, php-fpm fails to monitor PHP scripts and prints the following messages in its log file (e.g. /var/opt/rh/rh-php73/log/php-fpm/error.log)

    ERROR: failed to ptrace(ATTACH) child ZZZ: Operation not permitted (1)

- The following AVC can be seen (example with RHEL7 where php-fpm is delivered through Software Collection Library)

    type=AVC msg=audit(...): avc: denied { sys_ptrace } for pid=XXX comm="php-fpm" capability=19 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=0
    type=SYSCALL msg=audit(... syscall=101 success=no exit=-1 a0=10 a1=ZZZ a2=0 a3=0 items=0 ppid=1 pid=XXX ... comm="php-fpm" exe="/opt/rh/rh-php73/root/usr/sbin/php-fpm" subj=system_u:system_r:httpd_t:s0 key=(null)
Environment
- Red Hat Enterprise Linux 7 (RHEL7)
  - rh-php73-php-fpm (part of Software Collection Library)
  - Web servers
- Red Hat Enterprise Linux 8 (RHEL8)
  - php-fpm
  - Web servers