Topic: php-fpm slowlog vs selinux
I hope this is the right place for a bug report.
The slowlog option of php-fpm uses ptrace to log a trace dump of the script; this is not allowed by the selinux policy.
Tested on php-fpm-7.3.8-1.el7.remi.x86_64, nginx-1.17.3-1.el7.ngx.x86_64, CentOS Linux release 7.6.1810 (Core)
I solved the issue with a custom selinux module:
require {
type ht tpd_t;
class process ptrace;
class capability sys_ptrace;
}
#============= httpd_t ==============
allow ht tpd_t self:process ptrace;
allow ht tpd_t self:capability sys_ptrace;
(I had to add whitespaces in "ht tpd_t" because the forum says "Too more links in message. Allowed 1 links. Reduce number of links and post it again.")
Can you please add this to the next packages?
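
How the two allow rules in the post correspond to AVC denials, as an added example that is not part of the original post. The audit.log lines are constructed samples and the function names are hypothetical; only ptrace-related denials for one command are handled, not the full audit2allow logic.

```python
import re
from collections import defaultdict

# Constructed sample audit.log lines (not taken from the original post).
SAMPLE_LOG = """\
type=AVC msg=audit(1567000000.123:456): avc:  denied  { ptrace } for  pid=1234 comm="php-fpm" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=0
type=AVC msg=audit(1567000000.124:457): avc:  denied  { sys_ptrace } for  pid=1234 comm="php-fpm" capability=19  scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1567000000.200:458): avc:  denied  { read } for  pid=999 comm="nginx" name="x" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1567000000.124:457): arch=c000003e syscall=101 success=no comm="php-fpm"
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\w+)'
)
PTRACE_PERMS = {"ptrace", "sys_ptrace"}


def context_type(ctx):
    """Extract the type field from a user:role:type:level context."""
    return ctx.split(":")[2]


def ptrace_denials(log, comm="php-fpm"):
    """Map (source_type, target, class) -> denied ptrace permissions."""
    rules = defaultdict(set)
    for line in log.splitlines():
        m = AVC_RE.search(line)
        if not m or m["comm"] != comm:
            continue
        perms = PTRACE_PERMS & set(m["perms"].split())
        if not perms:
            continue
        src, tgt = context_type(m["s"]), context_type(m["t"])
        # Same source and target type is written as "self" in policy.
        rules[(src, "self" if src == tgt else tgt, m["cls"])] |= perms
    return dict(rules)


def allow_rules(rules):
    """Render the collected denials as policy allow statements."""
    return [f"allow {s} {t}:{c} {' '.join(sorted(p))};"
            for (s, t, c), p in sorted(rules.items())]


if __name__ == "__main__":
    print("\n".join(allow_rules(ptrace_denials(SAMPLE_LOG))))
```

Both rules target `self`, so the grant is limited to processes in the same domain tracing each other.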