can php fpm sockets be brought back to help with SELinux TCP port issues?

We are slowly working through configuring VirtualMin on RedHat 7 to work with SELinux in enforcing mode.

One issue that has come up revolves around php-fpm with apache ... as most of you know, fpm can be configured to use either a TCP port or a unix socket. SELinux greatly limits what TCP ports are available by default to apache, while our limited testing seems to indicate using a unix socket is easier to fit into the SELinux environment.

I am requesting that unix sockets be brought back as an option for php-fpm.

I want to help and contribute, but am not sure where to start ... any advice?

Verne

Status: 
Active

Comments

Submitted by Ilia on Tue, 03/31/2020 - 06:44

Assigned: Unassigned »

Hi,

Thanks for the feedback.

I remember Jamie mentioned that there is no easy way to use sockets.

There should be other ways to make SELinux work. It's pretty flexible.

Socket files caused too many problems, for example when domain ownership changed. They are supported if you change the Apache and FPM configs manually, but Virtualmin isn't going to set them up by default.

Sorry I missed your quickly posted comments ....

My issue stemmed from ... SELinux not liking FPM using the particular TCP ports it chooses ... the default ones for RedHat 7 are

semanage port -l | grep ^http_port_t
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000

I think to add 99 more I would do

semanage port --add -t http_port_t -p tcp 9001-9099

and to clean things up if ever needed ...

semanage port --delete -t http_port_t -p tcp 9001-9099

.... my thinking being ... NOT to let httpd just talk to all the ports with something like the boolean nis_enabled

and in regards to sockets, I had success with a CONF file with sections like

[vhost92-test]
user = vhost92
group = vhost92
listen = /var/run/php-fpm/vhost92.sock
listen.owner = vhost92
listen.group = vhost92
listen.mode = 0660

Verne
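As an added example (not Virtualmin code, not from any poster), here is a small linter for php-fpm pool files that flags the socket-permission pitfalls this thread is about: a TCP listener that will need an http_port_t label, a listen.owner that does not match the pool user, a missing listen.group, and a listen.mode that lets every local user connect to the socket. The sample pool text is constructed from the vhost92 snippet above plus a deliberately sloppy second pool, and the rules are assumptions about what a shared-hosting setup should enforce.

```python
"""Lint php-fpm pool definitions for unix-socket permission mistakes.

Added example, not Virtualmin's code. The checks below are assumed policy for a
shared-hosting box, not php-fpm or Virtualmin defaults.
"""
import configparser
import io

# Constructed sample: the thread's vhost92 pool plus a deliberately bad pool.
SAMPLE_POOLS = """
[vhost92-test]
user = vhost92
group = vhost92
listen = /var/run/php-fpm/vhost92.sock
listen.owner = vhost92
listen.group = vhost92
listen.mode = 0660

[vhost93-bad]
user = vhost93
group = vhost93
listen = /var/run/php-fpm/vhost93.sock
listen.owner = vhost92
listen.mode = 0666
"""


def lint_pools(text):
    """Return {pool_name: [issue, ...]} for every pool section in the config."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_file(io.StringIO(text))
    report = {}
    for name in cp.sections():
        pool = cp[name]
        issues = []
        listen = pool.get("listen", "")
        if not listen.startswith("/"):
            # Not a socket path: SELinux must allow httpd to reach that TCP port.
            issues.append(f"tcp listener {listen!r}: port must carry http_port_t")
            report[name] = issues
            continue
        owner = pool.get("listen.owner")
        if owner != pool.get("user"):
            issues.append(f"listen.owner {owner!r} differs from user {pool.get('user')!r}")
        if "listen.group" not in pool:
            issues.append("listen.group unset: web server cannot be granted group access")
        mode = int(pool.get("listen.mode", "0660"), 8)
        if mode & 0o007:
            # World bits let any local user run PHP as this pool's user.
            issues.append(f"listen.mode {mode:04o} grants access to other users")
        report[name] = issues
    return report


if __name__ == "__main__":
    for pool, problems in lint_pools(SAMPLE_POOLS).items():
        print(pool, "->", problems or "ok")
```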

Hi Jamie,

Could you provide a bit more elaboration on why using sockets over TCP ports was problematic for the Virtualmin team? We are moving to Nginx and PHP-FPM from Apache and FastCGI and I have read all over the place that TCP ports provide more overhead and thus less performance than do the use of sockets for PHP-FPM connections. Are there any plans to switch Virtualmin over to using sockets for PHP-FPM in the future? Have the problems you originally mention been resolved?

One of the problems with socket files was getting permissions correct in a shared hosting environment - they had to be such that Apache could write to the socket, and only the domain's user could read from it. This got really tricky when renaming a user for example.