H Aßdøµ's questions

我已经为 StoneDb（MySQL 修改版本）创建了一个自定义服务{start|stop|restart|reload|force-reload|status}，但是在检查状态时出现此错误：

这显然意味着即使我使用相同的脚本手动管理服务，StoneDb 也不会执行该命令。

[Unit]
Description=StoneDB database server
After=network.target
#StartLimitIntervalSec=90

[Service]
Type=forking
ExecStart=/opt/stonedb57/install/mysql_server
TimeoutSec=300

[Install]
WantedBy=multi-user.target

我在这里缺少什么？

我正在尝试根据此答案检查letsencrypt颁发的证书是否已被吊销：

 openssl ocsp -issuer highschoolhelper.org_fullchain.crt  -cert highschoolhelper.org_fullchain.crt  \
      -text -url http://ocsp.int-x3.letsencrypt.org  -header "HOST" "ocsp.int-x3.letsencrypt.org"

highschoolhelper.org_fullchain.crt 内容：

-----BEGIN CERTIFICATE-----
MIIGezCCBWOgAwIBAgISBIblodC5xtlygKwk1HxrVSNwMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0yMDA1MjQwMjAzMjNaFw0y
MDA4MjIwMjAzMjNaMB8xHTAbBgNVBAMTFGhpZ2hzY2hvb2xoZWxwZXIub3JnMIIC
IjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAoJoYehVRN/qnOOM5phcdlknH
Je8k+TbZjW+drtX7i3zik/se2rR3Gj16da5A4vx6irK+SasdU2ckwcC4GGCa0ILM
gCcwE/rI1km65A5KudSA9tz494olkIxAuwhHXdOHZjBQ9fx211Jol0drqvc2cnS5
Camnx6ibYeGvZqadMC9iIqiZ2WIYr1cJCBeOJrk4f9hZnNSA/nghgyq4ajzKc+R4
nNBy2pl50VYdzV465MIdRKtuJvnoPPtwf0Z605gXwibI8rsA4kUcJj3QS7vcxsfw
W8xgu9lwHm0K5DZiSiBfzxyOMui7BFDSek25kf98e+ZNb/Eqz+JXSEk9udMDbPx8
nVtskoW6HaxL2D/qjHuI7DQnTP7SR/+OA6av6ZKSH+7KLtU7aN2i9itsNJA5AlZC
KGKmuTO+xCuI2Fi4QueacfnGqmC2+/rXtEu1vtuu0zL1W8J2JhR9ocOOC/e5Fjld
hufYVpEyJwSxbjCGSOhVX0DqIgLSucHlJceKNVZBlx8Oh0KNjcjpfvHhKZlJ/SyL
AUYT5tbJ/YMqr4Lr3RHqRZL22H93aFAoyHw2doPS88fwjUn+hYgk9TaEtLLfa8yT
j/C5c7cZf42sq0gyb9xQkpah50Ft9HNEJcs1HrTjVJxDFEFTG99odK//GiFsKlj9
x+3GOufni0GydETRC1UCAwEAAaOCAoQwggKAMA4GA1UdDwEB/wQEAwIFoDAdBgNV
HSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4E
FgQUYxGSiRqEnPR1Ad6Fj4P/YrlDGZowHwYDVR0jBBgwFoAUqEpqYwR93brm0Tm3
pkVl7/Oo7KEwbwYIKwYBBQUHAQEEYzBhMC4GCCsGAQUFBzABhiJodHRwOi8vb2Nz
cC5pbnQteDMubGV0c2VuY3J5cHQub3JnMC8GCCsGAQUFBzAChiNodHRwOi8vY2Vy
dC5pbnQteDMubGV0c2VuY3J5cHQub3JnLzA5BgNVHREEMjAwghRoaWdoc2Nob29s
aGVscGVyLm9yZ4IYd3d3LmhpZ2hzY2hvb2xoZWxwZXIub3JnMEwGA1UdIARFMEMw
CAYGZ4EMAQIBMDcGCysGAQQBgt8TAQEBMCgwJgYIKwYBBQUHAgEWGmh0dHA6Ly9j
cHMubGV0c2VuY3J5cHQub3JnMIIBBQYKKwYBBAHWeQIEAgSB9gSB8wDxAHYAXqdz
+d9WwOe1Nkh90EngMnqRmgyEoRIShBh1loFxRVgAAAFyRKKP1gAABAMARzBFAiBj
Vo3hgkLNSJBNdhiymhBkYym5sOaRqWswrQCZeRaX/AIhAJ/CqfyvYvtIudJ3fjaN
+eQFm24CE+MmUql+4Q6vNV7dAHcAB7dcG+V9aP/xsMYdIxXHuuZXfFeUt2ruvGE6
GmnTohwAAAFyRKKP/QAABAMASDBGAiEAlVvbTUpmGlXE6ARMENw3oIAlzoacBlG6
ZgNRinb3SuUCIQCcaqd5cDIKlFY00rQ3A/CiLkRJsyLu7SGRtWd2SbtTyDANBgkq
hkiG9w0BAQsFAAOCAQEAbFJFXt7rhu6cftRhLF+8sC8+Iv8qL0qVAjFfyckz1QpT
mqKMPpi56sLc25HI4BxOlCh7HBbD4qu/G/PFWaihSkzOWqub9PkcgbxaK4TKWJr8
LYWYv+PxmtbTeA9bNeMxPMuL4KraOog6XyI4gxjP0Pa+vONjrDsCBnO5ZuskbkK4
2MqNbVQT4W0Arx51ZP4uaNZYZHPtr0aByn6KF5KPP/TTA+V5T8yKFCzBpHm33g7n
bk3RDQeqpiFdCwXc7mkZRpj+o+SM4WfBXp399mGoGkBjh73n9k4L2PCwY6nt5sgB
NXW14dJwThtD5llBdTlxbg/LlBp9y1gT5Je3F2IB6A==
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0Nlow
SjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT
GkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EF
q6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8
SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0
Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWA
a6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj
/PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0T
AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIG
CCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNv
bTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9k
c3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAw
VAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcC
ARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAz
MDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwu
Y3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsF
AAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJo
uM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/
wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwu
X4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlG
PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6
KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
-----END CERTIFICATE-----

但我得到的是这个输出：

OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 7EE66AE7729AB3FCF8A220646C16A12D6071085D
          Issuer Key Hash: 631192891A849CF47501DE858F83FF62B943199A
          Serial Number: 0486E5A1D0B9C6D97280AC24D47C6B552370
    Request Extensions:
        OCSP Nonce:
            0410193D65F8B1D045055EE5862101F61D02
Responder Error: unauthorized (6)

我的主要主机 IP 和服务的虚拟主机面临着一种奇怪的行为，基本上我有以下几点：

|- 148.x.x.x            /var/www/html/public_html
|- domain01.com         /var/www/html/domain01.com/public_html
|- domain02.com         /var/www/html/domain02.com/public_html
|- domain03.com         /var/www/html/domain03.com/public_html

问题 01：现在，如果我访问 148.xxx 上的任何页面，我都会得到404http code，如果托管的页面名称相同，domain01.com那么它的内容就会显示出来。

问题 02：如果在其他域中未找到任何页面并且它发生的页面名称相同，domain01则它会被提供。我的 httpd.conf：

ServerRoot "/etc/httpd"
Listen 80
Include conf.modules.d/*.conf
User apache
Group apache
ServerAdmin root@localhost
ServerName 148.x.x.x:80

<Directory />
    AllowOverride none
    Require all denied
</Directory>

DocumentRoot "/var/www/html/public_html"

<Directory "/var/www">
    AllowOverride None
    Require all granted
</Directory>

<Directory "/var/www/html/public_html">
    Options All Indexes FollowSymLinks
    AllowOverride All
    Require all granted
</Directory>

<IfModule dir_module>
    DirectoryIndex index.html
</IfModule>

<Files ".ht*">
    Require all denied
</Files>

ErrorLog "logs/error_log"
LogLevel warn

<IfModule log_config_module>
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common
    <IfModule logio_module>
      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
    </IfModule>
    CustomLog "logs/access_log" combined
</IfModule>

<IfModule alias_module>
    ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
</IfModule>

<Directory "/var/www/cgi-bin">
    AllowOverride None
    Options None
    Require all granted
</Directory>

<IfModule mime_module>
    TypesConfig /etc/mime.types
    AddType application/x-compress .Z
    AddType application/x-gzip .gz .tgz
    AddType application/x-httpd-php .php
    AddType text/html .shtml
    AddOutputFilter INCLUDES .shtml
</IfModule>

AddDefaultCharset UTF-8

<IfModule mime_magic_module>
    MIMEMagicFile conf/magic
</IfModule>

EnableSendfile on

<IfModule mod_http2.c>
    Protocols h2 h2c http/1.1
</IfModule>

NameVirtualHost *
IncludeOptional conf.d/*.conf
IncludeOptional conf.d/domains/*.conf

虚拟主机配置：

<VirtualHost *:80>
    ServerName domain01.com
    ServerAlias www.domain01.com
    ServerAdmin webmaster@domain01
    DocumentRoot /var/www/html/domain01/public_html

    <Directory /var/www/html/domain01/public_html>
        Options -Indexes +FollowSymLinks
        AllowOverride All
    </Directory>

    ErrorLog /var/log/httpd/domain01-error.log
    CustomLog /var/log/httpd/domain01-access.log combined
</VirtualHost>

其他域共享相同的配置。

错误日志：

[Sun May 10 04:35:40.554754 2020] [suexec:notice] [pid 20023] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Sun May 10 04:35:40.579226 2020] [lbmethod_heartbeat:notice] [pid 20023] AH02282: No slotmem from mod_heartmonitor
[Sun May 10 04:35:40.579272 2020] [http2:warn] [pid 20023] AH10034: The mpm module (prefork.c) is not supported by mod_http2. The mpm determines how things are processed in your server. HTTP/2 has more demands in this regard and the currently selected mpm will just not do. This is an advisory warning. Your server will continue to work, but the HTTP/2 protocol will be inactive.
[Sun May 10 04:35:40.579277 2020] [http2:warn] [pid 20023] AH02951: mod_ssl does not seem to be enabled
[Sun May 10 04:35:40.608931 2020] [mpm_prefork:notice] [pid 20023] AH00163: Apache/2.4.41 () PHP/7.3.16 configured -- resuming normal operations
[Sun May 10 04:35:40.608967 2020] [core:notice] [pid 20023] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[Sun May 10 04:54:07.699619 2020] [mpm_prefork:notice] [pid 20023] AH00170: caught SIGWINCH, shutting down gracefully
[Sun May 10 04:54:08.784661 2020] [suexec:notice] [pid 20172] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Sun May 10 04:54:08.815681 2020] [lbmethod_heartbeat:notice] [pid 20172] AH02282: No slotmem from mod_heartmonitor
[Sun May 10 04:54:08.815727 2020] [http2:warn] [pid 20172] AH10034: The mpm module (prefork.c) is not supported by mod_http2. The mpm determines how things are processed in your server. HTTP/2 has more demands in this regard and the currently selected mpm will just not do. This is an advisory warning. Your server will continue to work, but the HTTP/2 protocol will be inactive.
[Sun May 10 04:54:08.815732 2020] [http2:warn] [pid 20172] AH02951: mod_ssl does not seem to be enabled
[Sun May 10 04:54:08.845184 2020] [mpm_prefork:notice] [pid 20172] AH00163: Apache/2.4.41 () PHP/7.3.16 configured -- resuming normal operations
[Sun May 10 04:54:08.845215 2020] [core:notice] [pid 20172] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[Sun May 10 04:55:20.189266 2020] [mpm_prefork:notice] [pid 20172] AH00170: caught SIGWINCH, shutting down gracefully
[Sun May 10 04:55:21.262210 2020] [suexec:notice] [pid 20236] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Sun May 10 04:55:21.289998 2020] [lbmethod_heartbeat:notice] [pid 20236] AH02282: No slotmem from mod_heartmonitor
[Sun May 10 04:55:21.290044 2020] [http2:warn] [pid 20236] AH10034: The mpm module (prefork.c) is not supported by mod_http2. The mpm determines how things are processed in your server. HTTP/2 has more demands in this regard and the currently selected mpm will just not do. This is an advisory warning. Your server will continue to work, but the HTTP/2 protocol will be inactive.
[Sun May 10 04:55:21.290048 2020] [http2:warn] [pid 20236] AH02951: mod_ssl does not seem to be enabled
[Sun May 10 04:55:21.314344 2020] [mpm_prefork:notice] [pid 20236] AH00163: Apache/2.4.41 () PHP/7.3.16 configured -- resuming normal operations
[Sun May 10 04:55:21.314377 2020] [core:notice] [pid 20236] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[Sun May 10 04:56:16.858055 2020] [mpm_prefork:notice] [pid 20236] AH00170: caught SIGWINCH, shutting down gracefully
[Sun May 10 04:56:17.942478 2020] [suexec:notice] [pid 20300] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Sun May 10 04:56:17.967937 2020] [lbmethod_heartbeat:notice] [pid 20300] AH02282: No slotmem from mod_heartmonitor
[Sun May 10 04:56:17.967989 2020] [http2:warn] [pid 20300] AH10034: The mpm module (prefork.c) is not supported by mod_http2. The mpm determines how things are processed in your server. HTTP/2 has more demands in this regard and the currently selected mpm will just not do. This is an advisory warning. Your server will continue to work, but the HTTP/2 protocol will be inactive.
[Sun May 10 04:56:17.967994 2020] [http2:warn] [pid 20300] AH02951: mod_ssl does not seem to be enabled
[Sun May 10 04:56:17.995419 2020] [mpm_prefork:notice] [pid 20300] AH00163: Apache/2.4.41 () PHP/7.3.16 configured -- resuming normal operations
[Sun May 10 04:56:17.995465 2020] [core:notice] [pid 20300] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[Sun May 10 09:52:00.857620 2020] [mpm_prefork:notice] [pid 20300] AH00170: caught SIGWINCH, shutting down gracefully
[Sun May 10 09:52:18.179419 2020] [suexec:notice] [pid 21600] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Sun May 10 09:52:18.208499 2020] [lbmethod_heartbeat:notice] [pid 21600] AH02282: No slotmem from mod_heartmonitor
[Sun May 10 09:52:18.208546 2020] [http2:warn] [pid 21600] AH10034: The mpm module (prefork.c) is not supported by mod_http2. The mpm determines how things are processed in your server. HTTP/2 has more demands in this regard and the currently selected mpm will just not do. This is an advisory warning. Your server will continue to work, but the HTTP/2 protocol will be inactive.
[Sun May 10 09:52:18.208550 2020] [http2:warn] [pid 21600] AH02951: mod_ssl does not seem to be enabled
[Sun May 10 09:52:18.240064 2020] [mpm_prefork:notice] [pid 21600] AH00163: Apache/2.4.41 () PHP/7.3.16 configured -- resuming normal operations
[Sun May 10 09:52:18.240096 2020] [core:notice] [pid 21600] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'

安装 nginx 和 php-fpm 使下面的错误即使在设置了所有必需的权限后也不会出现，就像这里以前的答案中建议的那样：

[error] 2443#0: *2 connect() to unix:/run/php-fpm/php-fpm.pid failed (111: Connection refused) while connecting to upstream

这是我所有的配置： /etc/php-fpm.d/www.conf

[www]
user = nginx
group = nginx
listen = /run/php-fpm/php-fpm.pid
listen.owner = nginx
listen.group = nginx
listen.mode = 0660
listen.allowed_clients = 127.0.0.1

pm = dynamic
pm.max_children = 50
pm.start_servers = 5
pm.min_spare_servers = 5
pm.max_spare_servers = 35

slowlog = /var/log/php-fpm/www-slow.log

php_admin_value[error_log] = /var/log/php-fpm/www-error.log
php_admin_flag[log_errors] = on
php_value[session.save_handler] = files
php_value[session.save_path]    = /var/lib/php/session
php_value[soap.wsdl_cache_dir]  = /var/lib/php/wsdlcache

/etc/php-fpm.conf

include=/etc/php-fpm.d/*.conf
[global]
pid = /run/php-fpm/php-fpm.pid
error_log = /var/log/php-fpm/error.log
daemonize = yes
events.mechanism = epoll

/etc/nginx/nginx.conf

user nginx nginx;
worker_processes 1;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
include /usr/share/nginx/modules/*.conf;
events {
    worker_connections 1024;
}
http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
    access_log  /var/log/nginx/access.log  main;
    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 2048;
    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;
    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    include /etc/nginx/conf.d/*.conf;
    upstream php {
        #server unix:/var/run/php-fpm/php-fpm.pid;
        server 127.0.0.1:9000;
    }
    server_names_hash_bucket_size 64;
    # Virtual hosts
    include /etc/nginx/sites/*.conf;
}

/etc/nginx/sites/*.conf

server {
        listen 80 ;
        listen [::]:80;
        server_name elkhobara.com www.elkhobara.com;
        root /var/hosts/elkhobara;
        index index.html index.htm index.php;
        location / {
                try_files $uri $uri/ =404;
        }
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
                root   html;
        }
        location ~ \.php$ {
               try_files $uri =404;
               fastcgi_pass unix:/run/php-fpm/php-fpm.pid;
               #fastcgi_pass 127.0.0.1:9000;
               fastcgi_index index.php;
               include /etc/nginx/fastcgi_params;
               fastcgi_param  SCRIPT_FILENAME    $document_root$fastcgi_script_name;
        }
}

请注意，如果我将套接字更改为 127.0.0.1:9000 那么它将完美运行。

更新：

SELinux 状态：

# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      28

/var/log/audit/audit.log

--------------------------------------------------------------------------------

SELinux is preventing /usr/sbin/nginx from getattr access on the file /var/hosts/elkhobara/index.php.

*****  Plugin catchall_labels (83.8 confidence) suggests   *******************

If you want to allow nginx to have getattr access on the index.php file
Then you need to change the label on /var/hosts/elkhobara/index.php
Do
# semanage fcontext -a -t FILE_TYPE '/var/hosts/elkhobara/index.php'
where FILE_TYPE is one of the following: --Striped text--.
Then execute:
restorecon -v '/var/hosts/elkhobara/index.php'


*****  Plugin catchall (17.1 confidence) suggests   **************************

If you believe that nginx should be allowed getattr access on the index.php file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'nginx' --raw | audit2allow -M my-nginx
# semodule -i my-nginx.pp


Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                unconfined_u:object_r:var_t:s0
Target Objects                /var/hosts/elkhobara/index.php [ file ]
Source                        nginx
Source Path                   /usr/sbin/nginx
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           nginx-1.10.2-1.el7.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-102.el7_3.7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     ip-172-31-39-125.us-west-2.compute.internal
Platform                      Linux ip-172-31-39-125.us-west-2.compute.internal
                              3.10.0-514.2.2.el7.x86_64 #1 SMP Wed Nov 16
                              13:15:13 EST 2016 x86_64 x86_64
Alert Count                   23
First Seen                    2017-01-01 16:46:48 EST
Last Seen                     2017-01-02 10:32:42 EST
Local ID                      0ff17cb3-2f01-4acf-8510-ab289c98d946

Raw Audit Messages
type=AVC msg=audit(1483371162.342:339): avc:  denied  { getattr } for  pid=2443 comm="nginx" path="/var/hosts/elkhobara/index.php" dev="xvda2" ino=25207236 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file


type=SYSCALL msg=audit(1483371162.342:339): arch=x86_64 syscall=stat success=yes exit=0 a0=7f9f09cef2d4 a1=7ffcd9347290 a2=7ffcd9347290 a3=7f9f09db3b30 items=0 ppid=2442 pid=2443 auid=4294967295 uid=996 gid=993 euid=996 suid=996 fsuid=996 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm=nginx exe=/usr/sbin/nginx subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: nginx,httpd_t,var_t,file,getattr

--------------------------------------------------------------------------------

SELinux is preventing /usr/sbin/nginx from read access on the file index.php.

*****  Plugin catchall_labels (83.8 confidence) suggests   *******************

If you want to allow nginx to have read access on the index.php file
Then you need to change the label on index.php
Do
# semanage fcontext -a -t FILE_TYPE 'index.php'
where FILE_TYPE is one of the following: --Striped long text for future readability.
Then execute:
restorecon -v 'index.php'


*****  Plugin catchall (17.1 confidence) suggests   **************************

If you believe that nginx should be allowed read access on the index.php file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'nginx' --raw | audit2allow -M my-nginx
# semodule -i my-nginx.pp


Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                unconfined_u:object_r:var_t:s0
Target Objects                index.php [ file ]
Source                        nginx
Source Path                   /usr/sbin/nginx
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           php-fpm-7.1.0-1.el7.remi.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-102.el7_3.7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     ip-172-31-39-125.us-west-2.compute.internal
Platform                      Linux ip-172-31-39-125.us-west-2.compute.internal
                              3.10.0-514.2.2.el7.x86_64 #1 SMP Wed Nov 16
                              13:15:13 EST 2016 x86_64 x86_64
Alert Count                   2
First Seen                    2017-01-01 17:10:48 EST
Last Seen                     2017-01-02 06:22:16 EST
Local ID                      ce7a65cb-6b95-4fc4-b31b-19efccf56ab1

Raw Audit Messages
type=AVC msg=audit(1483356136.314:121): avc:  denied  { read } for  pid=9421 comm="php-fpm" name="index.php" dev="xvda2" ino=25207236 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file


type=AVC msg=audit(1483356136.314:121): avc:  denied  { open } for  pid=9421 comm="php-fpm" path="/var/hosts/elkhobara/index.php" dev="xvda2" ino=25207236 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file


type=SYSCALL msg=audit(1483356136.314:121): arch=x86_64 syscall=open success=yes exit=EIO a0=7ffc64561010 a1=0 a2=1b6 a3=2 items=0 ppid=9419 pid=9421 auid=4294967295 uid=996 gid=993 euid=996 suid=996 fsuid=996 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm=php-fpm exe=/usr/sbin/php-fpm subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: nginx,httpd_t,var_t,file,read

--------------------------------------------------------------------------------