php-fpm and apparmor
got an error when accessing the php-fpm backend:
curl http://192.168.0.65/index.php
Access denied.
/var/log/nginx/error.log
2023/09/10 16:55:16 [error] 8597#8597: *35 FastCGI sent in stderr: "Unable to open primary script: /srv/www/htdocs/6001/index.php (Permission denied)" while reading response header from upstream, client: 192.168.0.57, server: , request: "GET /index.php HTTP/1.0", upstream: "fastcgi://127.0.0.1:9000", host: "192.168.0.65"
check the file permissions as the user nginx:
su - nginx -s /bin/bash
nginx@zei0mucu:~> cat /srv/www/htdocs/index.php
<?php
echo $_SERVER['REMOTE_ADDR']
?>
all is ok on the filesystem side, but the audit log shows the real cause:
/var/log/audit/audit.log
type=AVC msg=audit(1694354225.344:6659): apparmor="DENIED" operation="open" profile="php-fpm" name="/srv/www/htdocs/6001/index.php" pid=32709 comm="php-fpm" requested_mask="r" denied_mask="r" fsuid=484 ouid=484
edit the apparmor profile:
vim /etc/apparmor.d/php-fpm
add a read-only rule for /srv/www/htdocs (where the php files are stored), which matches the denied_mask="r" from the audit record:
# the main log file
/var/log/php*-fpm.log rw,
# web server files
/srv/www/htdocs/** r,
# we need to be able to create all sockets
@{run}/php{,-fpm}/php*-fpm.pid rw,
@{run}/php*-fpm.pid rw,
@{run}/php{,-fpm}/php*-fpm.sock rwlk,
restart apparmor so the changed profile is loaded:
systemctl restart apparmor
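Added example, not part of the original notes: a small Python check that parses AppArmor DENIED records like the one in the audit log above and reports which of them the new profile rules still would not permit, so a rule such as /srv/www/htdocs/** r, can be confirmed to match the denied path and mask before the profile is reloaded. The glob handling is simplified (** and * only, no {a,b} or @{var}), and the second audit line is a constructed write denial to show a mask the read-only rule does not cover.

```python
import re

# Constructed input: the AVC record from the notes above plus one invented
# write denial, to show a mask that the read-only rule does not cover.
AUDIT_LINES = """\
type=AVC msg=audit(1694354225.344:6659): apparmor="DENIED" operation="open" profile="php-fpm" name="/srv/www/htdocs/6001/index.php" pid=32709 comm="php-fpm" requested_mask="r" denied_mask="r" fsuid=484 ouid=484
type=AVC msg=audit(1694354300.100:6701): apparmor="DENIED" operation="open" profile="php-fpm" name="/srv/www/htdocs/6001/cache.tmp" pid=32709 comm="php-fpm" requested_mask="wc" denied_mask="wc" fsuid=484 ouid=484
"""
# Excerpt of the rules added in the notes (plain "path perms," lines only).
PROFILE_RULES = """\
/var/log/php*-fpm.log rw,
/srv/www/htdocs/** r,
"""
IMPLIED = {"c": "w", "a": "w"}  # create and append are granted by a "w" permission

def apparmor_glob_to_regex(pat):
    """** matches across '/', * does not; {a,b} and @{var} are not handled here."""
    out, i = "", 0
    while i < len(pat):
        if pat.startswith("**", i):
            out, i = out + ".*", i + 2
        elif pat[i] == "*":
            out, i = out + "[^/]*", i + 1
        else:
            out, i = out + re.escape(pat[i]), i + 1
    return re.compile("^" + out + "$")

def parse_avc(line):
    """Return the key="value" fields of an AppArmor DENIED record, else None."""
    fields = dict(re.findall(r'(\w+)="([^"]*)"', line))
    return fields if fields.get("apparmor") == "DENIED" and "name" in fields else None

def parse_rules(text):
    """Parse 'path perms,' lines; comments, includes and deny rules are skipped."""
    hits = (re.match(r"^(\S+)\s+([A-Za-z]+),$", raw.strip()) for raw in text.splitlines())
    return [(apparmor_glob_to_regex(m.group(1)), set(m.group(2))) for m in hits if m]

def mask_allowed(mask, perms):
    return all(m in perms or IMPLIED.get(m) in perms for m in mask)

def uncovered_denials(audit_text, rules_text):
    """List (profile, path, denied_mask) for denials that no rule would permit."""
    rules = parse_rules(rules_text)
    found = []
    for line in audit_text.splitlines():
        f = parse_avc(line)
        if f and not any(rx.match(f["name"]) and mask_allowed(f["denied_mask"], perms)
                         for rx, perms in rules):
            found.append((f["profile"], f["name"], f["denied_mask"]))
    return found
```

Run against the real files with uncovered_denials(open("/var/log/audit/audit.log").read(), open("/etc/apparmor.d/php-fpm").read()); the index.php denial is covered by the new rule, while the constructed cache.tmp write is reported as still denied.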