Description of problem: SELinux is preventing /usr/sbin/php-fpm from 'name_connect' accesses on the tcp_socket . ***** Plugin catchall_boolean (24.7 confidence) suggests ******************* If you want to allow httpd to can connect ldap Then you must tell SELinux about this by enabling the 'httpd_can_connect_ldap' boolean. You can read 'None' man page for more details. Do setsebool -P httpd_can_connect_ldap 1 ***** Plugin catchall_boolean (24.7 confidence) suggests ******************* If you want to allow nis to enabled Then you must tell SELinux about this by enabling the 'nis_enabled' boolean. You can read 'None' man page for more details. Do setsebool -P nis_enabled 1 ***** Plugin catchall_boolean (24.7 confidence) suggests ******************* If you want to allow authlogin to nsswitch use ldap Then you must tell SELinux about this by enabling the 'authlogin_nsswitch_use_ldap' boolean. You can read 'None' man page for more details. Do setsebool -P authlogin_nsswitch_use_ldap 1 ***** Plugin catchall_boolean (24.7 confidence) suggests ******************* If you want to allow httpd to can network connect Then you must tell SELinux about this by enabling the 'httpd_can_network_connect' boolean. You can read 'None' man page for more details. Do setsebool -P httpd_can_network_connect 1 ***** Plugin catchall (3.53 confidence) suggests *************************** If you believe that php-fpm should be allowed name_connect access on the tcp_socket by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep php-fpm /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:httpd_t:s0 Target Context system_u:object_r:ldap_port_t:s0 Target Objects [ tcp_socket ] Source php-fpm Source Path /usr/sbin/php-fpm Port 389 Host (removed) Source RPM Packages php-fpm-5.5.0-1.fc19.i686 Target RPM Packages Policy RPM selinux-policy-3.12.1-57.fc19.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 3.9.8-300.fc19.i686.PAE #1 SMP Thu Jun 27 19:29:30 UTC 2013 i686 i686 Alert Count 1 First Seen 2013-06-30 15:20:46 YEKT Last Seen 2013-06-30 15:20:46 YEKT Local ID 8ae3b18d-119f-4b95-ae01-bae2a734c191 Raw Audit Messages type=AVC msg=audit(1372584046.522:515): avc: denied { name_connect } for pid=4812 comm="php-fpm" dest=389 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ldap_port_t:s0 tclass=tcp_socket type=SYSCALL msg=audit(1372584046.522:515): arch=i386 syscall=socketcall success=no exit=EACCES a0=3 a1=bfec0670 a2=b58ee000 a3=8 items=0 ppid=4808 pid=4812 auid=4294967295 uid=990 gid=988 euid=990 suid=990 fsuid=990 egid=988 sgid=988 fsgid=988 ses=4294967295 tty=(none) comm=php-fpm exe=/usr/sbin/php-fpm subj=system_u:system_r:httpd_t:s0 key=(null) Hash: php-fpm,httpd_t,ldap_port_t,tcp_socket,name_connect Additional info: reporter: libreport-2.1.5 hashmarkername: setroubleshoot kernel: 3.9.8-300.fc19.i686.PAE type: libreport Potential duplicate: bug 887614
If you want to allow apache to connect to the ldap port, then you need to use one of the booleans suggested in the alert message above.