
I have an issue with php-fpm. It is actually the php7 version. I have Drupal and it will complain that some directory is not writable, but only if I start php-fpm as a service like this:

#service php-fpm start

I am using nginx as the web server and php-fpm, listening on 127.0.0.1:9000. This is my conf in /etc/php-fpm.d/www.conf:

; Start a new pool named 'www'.
[www]
user = nginx
group = nginx
listen = 127.0.0.1:9000

All the web documents (Drupal) belong to nginx:nginx. If I start the service, either

#service php-fpm start

or

#systemctl start php-fpm

it will complain about permissions, even though ps shows this (ps aux | grep php-fpm):

root      1591  0.0  0.8 528916 31260 ?        Ss   07:49   0:00 php-fpm: master process (/etc/php-fpm.conf)
nginx     1593  0.0  2.2 567252 79768 ?        S    07:49   0:03 php-fpm: pool www
nginx     1594  0.0  1.9 565248 72004 ?        S    07:49   0:01 php-fpm: pool www
nginx     1595  0.0  2.0 567268 73040 ?        S    07:49   0:02 php-fpm: pool www
nginx     1596  0.0  2.0 573440 75320 ?        S    07:49   0:01 php-fpm: pool www
nginx     1597  0.0  1.9 568704 71812 ?        S    07:49   0:02 php-fpm: pool www
nginx     1600  0.0  2.0 572360 74632 ?        S    07:50   0:01 php-fpm: pool www
nginx     1604  0.0  1.8 565264 68584 ?        S    07:53   0:01 php-fpm: pool www

So it looks like the user was properly set. But it's not working.

Now what I really don't understand is that if I execute this:

#/usr/sbin/php-fpm --nodaemonize --fpm-config /etc/php-fpm.conf

which is the command described in the service unit (/usr/lib/systemd/system/php-fpm.service), then I have no permission issues.

The output of ps aux | grep php-fpm is the same, with nginx as the user.

I am executing everything as root.

How is this possible?

Edit

This has become an SELinux question. I have this in the audit logs:

denied  { write } for  pid=2755 comm="php-fpm" name="files" dev="xvda1" ino=9167949 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir

The directory I want php-fpm to write to is the one called vanilladrupal:

# ls -Z .
drwxr-xr-x. root   root   system_u:object_r:httpd_sys_content_t:s0 html
drwxr-xr-x. nginx  nginx  unconfined_u:object_r:httpd_sys_content_t:s0 vanilladrupal

The process php-fpm has this context:

# ps Zaux | grep php-fpm
system_u:system_r:httpd_t:s0    root      2749  0.0  0.8 528916 31212 ?        Ss   03:03   0:00 php-fpm: master process (/etc/php-fpm.conf)
system_u:system_r:httpd_t:s0    nginx     2751  0.0  0.5 529548 19456 ?        S    03:03   0:00 php-fpm: pool www
and the other "pool www" processes look the same.

The selinux config is this:

SELINUX=enforcing
SELINUXTYPE=targeted

What change should I do?

(here, it kind of argues that, set up this way, there should be no permission issues)

(I tried to change the context of the directory "vanilladrupal" to look the same as html (I assume that if I had put the dir inside html I wouldn't have any problem) by changing the user. But I just got even more errors (denied {execmem}).)

Cesc
    Have you checked audit logs? – Florin Asăvoaie Dec 07 '15 at 09:09
  • @FlorinAsăvoaie Oh I had no idea about that. It says `denied { write } for pid=1594 comm="php-fpm" name="files" dev="xvda1" ino=9167949 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir` so it's definitely that. I'll research about that (do you know any online tutorial about that?) – Cesc Dec 08 '15 at 02:20

1 Answer


You will need to change the SELinux context of all files that Drupal needs to write to httpd_sys_rw_content_t, something like this:

semanage fcontext -a -t httpd_sys_rw_content_t '/usr/share/nginx/html/drupal/admin/config/media/file-system(/.*)?'
restorecon -Rv /usr/share/nginx/html/drupal/admin/config/media/file-system

(semanage only records the rule in the policy database; restorecon applies it to the files on disk, which is what ls -Z then shows.)

I don't know what your paths are; check the Drupal interface under Configuration -> Media -> File system for more information.

Florin Asăvoaie
  • Exactly this. It looks like semanage takes into account the current directory from where you are executing the command `semanage fcontext --add --type httpd_sys_rw_content_t "/www(/.*)?"`. Oh, I was in the same www dir. I'm not sure, but it complains when I try `"/var/www(/.*)?"`. I have checked the differences between the permissions from httpd_t to httpd_sys_content_t : dir and the one with rw in it : dir, using the sesearch command, and there are repeated entries with different {privileges}. I am quite confused, but I might ask a different question. Thanks for this one – Cesc Dec 08 '15 at 05:46
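Worked example (added here; it is not part of Cesc's question or Florin's answer). The ps Zaux output in the question already explains why the service and the manual start behave differently: under systemd php-fpm is confined in the httpd_t domain, while a php-fpm started from a root shell inherits the shell's unconfined_t domain, which the targeted policy does not restrict, so the same nginx uid gets different results and only the systemd-started workers produce AVC denials. The script below parses the AVC line quoted in the question, confirms it is the case the answer addresses (httpd_t wanting write access to content labelled httpd_sys_content_t) and not something a relabel cannot fix (such as the execmem denial mentioned in the edit, which is a process permission controlled by a boolean), and then emits the semanage rule together with the restorecon that actually applies it. The directory /var/www/vanilladrupal/sites/default/files is an assumption for this example; the real files directory is whatever Drupal shows under Configuration -> Media -> File system.

```shell
#!/bin/sh
# Added example, not code from the question or the answer: triage one SELinux
# AVC denial and produce the relabel that lets php-fpm (httpd_t) write to
# Drupal's files directory. FILES_DIR below is an assumed path.

# The denial from the question, kept here as constructed sample input.
SAMPLE_AVC='denied  { write } for  pid=2755 comm="php-fpm" name="files" dev="xvda1" ino=9167949 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir'

# avc_field NAME LINE: print the value of NAME=... from one AVC line, with
# surrounding double quotes stripped (comm="php-fpm" -> php-fpm).
avc_field() {
    _name=$1
    for _kv in $2; do
        case $_kv in
            "$_name="*)
                _v=${_kv#*=}
                _v=${_v#\"}
                _v=${_v%\"}
                printf '%s\n' "$_v"
                return 0
                ;;
        esac
    done
    return 1
}

# avc_perm LINE: the permission(s) inside "{ ... }" (write, execmem, ...).
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*{[[:space:]]*\([^}]*[^[:space:]]\)[[:space:]]*}.*/\1/p'
}

# ctx_type CONTEXT: the type field of user:role:type:level, e.g. httpd_t.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# needs_rw_relabel LINE: true only for the case on this page, the confined
# web domain wanting to modify read-only web content. Anything else (execmem,
# network access, a different domain) needs a different fix, so we refuse to
# "solve" it with a relabel.
needs_rw_relabel() {
    _s=$(ctx_type "$(avc_field scontext "$1")")
    _t=$(ctx_type "$(avc_field tcontext "$1")")
    _c=$(avc_field tclass "$1")
    _p=$(avc_perm "$1")
    [ "$_s" = "httpd_t" ] || return 1
    [ "$_t" = "httpd_sys_content_t" ] || return 1
    case $_c in dir|file) ;; *) return 1 ;; esac
    case $_p in write|create|add_name|remove_name|unlink|rename|setattr) ;; *) return 1 ;; esac
    return 0
}

# remediation_cmds DIR: the persistent rule plus the relabel that applies it.
# semanage only records the rule; until restorecon runs, the on-disk labels
# (what ls -Z shows) are unchanged and the denials continue.
remediation_cmds() {
    printf "semanage fcontext -a -t httpd_sys_rw_content_t '%s(/.*)?'\n" "$1"
    printf 'restorecon -Rv %s\n' "$1"
}

# Assumed location of Drupal's writable files directory.
FILES_DIR=${FILES_DIR:-/var/www/vanilladrupal/sites/default/files}

if needs_rw_relabel "$SAMPLE_AVC"; then
    echo "# $(avc_field comm "$SAMPLE_AVC") in httpd_t denied $(avc_perm "$SAMPLE_AVC") on $(avc_field tclass "$SAMPLE_AVC") labelled httpd_sys_content_t; relabel it:"
    remediation_cmds "$FILES_DIR"
    if [ "${1:-}" = "--apply" ]; then
        # Only on the target host, as root: run the two commands, then show the new label.
        remediation_cmds "$FILES_DIR" | sh -e
        ls -Zd "$FILES_DIR"
    fi
else
    echo "# not a write-to-content denial; a relabel to httpd_sys_rw_content_t will not fix this one"
fi
```

Run it as-is to see the commands it would issue; run it with --apply as root on the affected host to execute them and print the new label of the directory. Two checks that go with it: ausearch -m AVC -c php-fpm pulls the denials the question quoted out of the audit log, and sesearch -A -s httpd_t -t httpd_sys_rw_content_t -c dir lists what httpd_t is allowed to do to rw content, which is the comparison the last comment tried to make by hand.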