I am running CentOS 7 with Nginx/PHP-FPM. To debug a couple of slow WordPress and CodeIgniter requests I activated PHP-FPMs slow log feature in www-pool.conf
:
slowlog = /var/log/php-fpm/www-slow.log
request_slowlog_timeout = 4s
The slow requests are getting logged but the meaningful stack trace are not printed to www-slow.log
. The file is being generated but empty and the default error.log
is showing entries like this:
[12-Nov-2017 16:50:26] WARNING: [pool www] child 21497, script '/usr/share/nginx/www/wordpress/index.php' (request: "GET /index.php") executing too slow (4.161874 sec), logging
[12-Nov-2017 16:50:26] ERROR: failed to ptrace(ATTACH) child 21491: Operation not permitted (1)
[12-Nov-2017 16:50:26] WARNING: [pool www] child 21491, script '/usr/share/nginx/www/wordpress/index.php' (request: "GET /index.php") executing too slow (4.590854 sec), logging
[12-Nov-2017 16:50:26] ERROR: failed to ptrace(ATTACH) child 21490: Operation not permitted (1)
[12-Nov-2017 16:50:26] WARNING: [pool www] child 21490, script '/usr/share/nginx/www/wordpress/index.php' (request: "GET /index.php") executing too slow (4.620915 sec), logging
[12-Nov-2017 18:03:52] ERROR: failed to ptrace(ATTACH) child 21523: Operation not permitted (1)
[12-Nov-2017 18:03:52] WARNING: [pool www] child 21523, script '/usr/share/nginx/www/wordpress/wp-admin/index.php' (request: "GET /wp-admin/index.php") executing too slow (4.366918 sec), logging
The log files/folder are owned by php-fpm user under which php-fpm is running.
Any ideas?
Best Answer
This is being caused by SELinux, which blocks the web server (and PHP, which runs under the web server's context) from attaching to processes to trace their execution.
This was reported to Red Hat some time ago, but they declined to do anything about it.
You can check your
/var/log/audit/audit.log
and you'll find this denial logged in an AVC similar to:To resolve the problem for your own server, you can create a local SELinux policy module with
audit2allow
. Feed the AVC toaudit2allow
by standard input, something like this:You run the command and then paste in the AVC log entry into the terminal and press Ctrl-D. You'll get a generated policy and instructions:
So, run that command, and you're done.