Bug #71532 Child terminates when SELinux denies access to library
Submitted: 2016-02-05 10:17 UTC Modified: -
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:-1 (-100.0%)
From: david at davidsteinsland dot net Assigned:
Status: Open Package: FPM related
PHP Version: 5.6.18 OS: CentOS 7 64-bit
Private report: No CVE-ID: None


 [2016-02-05 10:17 UTC] david at davidsteinsland dot net
When I was setting up a PHP extension I compiled it by providing an absolute path to the library it needed. After installing, I copied the library to /usr/lib64.

The directory in which I compiled the extension was /root/.
All seemed fine, running php -m showed the extension loaded.

However, php-fpm filled the log with:
[05-Feb-2016 10:57:05] NOTICE: Terminating ...
[05-Feb-2016 10:57:05] ALERT: oops, unknown child (16001) exited with code 0. Please open a bug report (
[05-Feb-2016 10:57:05] NOTICE: exiting, bye-bye!
[05-Feb-2016 10:57:05] NOTICE: fpm is running, pid 16137
[05-Feb-2016 10:57:05] NOTICE: ready to handle connections
[05-Feb-2016 10:57:05] NOTICE: systemd monitor interval set to 10000ms

When viewing the audit log, I noticed that PHP was trying to load the library (that the extension needed), from /root/:

type=AVC msg=audit(1454666387.325:13883): avc:  denied  { read } for  pid=16285 comm="php-fpm" name="" dev="dm-0" ino=17751008 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file

Note the "admin_home_t" security context of the target.

I recompiled the extension, but this time I provided the absolute path to the library as /usr/lib64/

Not a bug per se, but it seems that php-fpm doesn't handle the denial of access that SELinux causes. The log output doesn't say anything about SELinux, only that the child terminated.

Expected result:
Library should be loaded from /usr/lib64/ in the first place.
Log should be more clear.

Actual result:
Tried to load the library from /root/.
Log not clear about this.
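
Since the php-fpm log says nothing about SELinux, the audit record is the only place the cause shows up. The following is an added example, not part of the original report or of PHP: a shell function that pulls the denied permission and the source and target SELinux types for one process name out of raw audit records. The function name, the output format, the `_home_t` hint and the two extra sample records are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample input: the AVC record quoted in the report, followed by
# two made-up records (another process, and a granted access) for contrast.
SAMPLE_AUDIT='type=AVC msg=audit(1454666387.325:13883): avc:  denied  { read } for  pid=16285 comm="php-fpm" name="" dev="dm-0" ino=17751008 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1454666400.100:13890): avc:  denied  { open } for  pid=900 comm="sshd" name="x" dev="dm-0" ino=5 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1454666401.200:13891): avc:  granted  { read } for  pid=16300 comm="php-fpm" name="y" dev="dm-0" ino=6 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file'

# avc_denials_for COMM  (hypothetical helper)
# Reads audit records on stdin and prints one summary line per AVC denial
# whose comm= field equals COMM. Assumes comm values contain no spaces.
avc_denials_for() {
    awk -v want="$1" '
    $1 == "type=AVC" && / avc: +denied / {
        pid = comm = src = tgt = cls = ino = ""
        # The denied permissions sit between the braces: "{ read open }".
        perms = $0
        sub(/^.*[{] */, "", perms)
        sub(/ *[}].*$/, "", perms)
        gsub(/ +/, ",", perms)
        for (i = 1; i <= NF; i++) {
            eq = index($i, "=")
            if (eq == 0) continue
            k = substr($i, 1, eq - 1)
            v = substr($i, eq + 1)
            if (k == "pid") pid = v
            else if (k == "ino") ino = v
            else if (k == "tclass") cls = v
            else if (k == "comm") { gsub(/"/, "", v); comm = v }
            # A context is user:role:type:level, so the type is field 3.
            else if (k == "scontext") { split(v, c, ":"); src = c[3] }
            else if (k == "tcontext") { split(v, c, ":"); tgt = c[3] }
        }
        if (comm != want) next
        # Assumption: a target type ending in _home_t (admin_home_t here)
        # means the file lives under a home directory such as /root/.
        hint = (tgt ~ /_home_t$/) ? " hint=target-in-home-directory" : ""
        printf "pid=%s perms=%s source=%s target=%s class=%s ino=%s%s\n",
               pid, perms, src, tgt, cls, ino, hint
    }'
}

# Demo on the constructed sample.
printf '%s\n' "$SAMPLE_AUDIT" | avc_denials_for php-fpm
```

On a live host the same function can read `/var/log/audit/audit.log` on stdin; because the record in the report has an empty `name=`, the `ino=` value is what identifies the file that was denied.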

