
#1 2026-04-03 20:17:24

avi9526
Member
Registered: 2015-05-15
Posts: 122

AppArmor blocking NGINX access to PHP-FPM socket even in complain mode

I get this error

…
writev() failed (13: Permission denied) while sending request to upstream, client: server: request: "GET / HTTP/1.1", upstream: fastcgi://unix:/run/php-fpm/php-fpm.sock:
…

after an update.

Nginx and PHP-FPM profiles are in complain mode.

This continues until I completely disable AA system-wide or for nginx:
`aa-disable nginx`

Profiling gives no message about nginx:
`aa-logprof -f /var/log/audit/audit.log`


Nginx profile

# Last Modified:
include <tunables/global>

# vim:syntax=apparmor
# AppArmor policy for nginx
# ###AUTHOR###
# ###COPYRIGHT###
# ###COMMENT###
# No template variables specified


profile nginx /usr/bin/nginx flags=(complain) {
  include <abstractions/base>
  include <abstractions/ssl_certs>
  include <abstractions/ssl_keys>

  capability net_bind_service,

  /etc/host.conf r,
  /etc/hosts r,
  /etc/nginx/ r,
  /etc/nginx/** r,
  /etc/nsswitch.conf r,
  /etc/resolv.conf r,
  /srv/http/ r,
  /srv/http/** r,
  /usr/share/webapps/ r,
  /usr/share/webapps/** r,
  /var/lib/letsencrypt/.well-known/acme-challenge/ r,
  /var/lib/letsencrypt/.well-known/acme-challenge/** r,
  /var/log/nginx/ rw,
  /var/log/nginx/** rw,
  owner /etc/group r,
  owner /etc/passwd r,
  owner /etc/ssl/certs/*_https.crt r,
  owner /etc/ssl/private/*_https.dh.key r,
  owner /etc/ssl/private/*_https.key r,
  owner /proc/sys/kernel/random/boot_id r,
  owner /run/nginx.pid rw,
  owner /run/nginx/nginx.pid rw,
  owner /run/systemd/userdb/ r,
  owner /var/lib/nginx/** rw,

}

Does anyone else have this problem?

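An added example for troubleshooting a report like this one (my own code, not from the original post or from the AppArmor project): a small parser over AppArmor audit lines that separates what complain mode records (apparmor="ALLOWED", logged but permitted) from what was actually blocked (apparmor="DENIED"), per profile. The audit lines below are constructed and their field values are illustrative; the function names are my own.

```python
import re
from collections import Counter

# Constructed sample lines in the shape AppArmor writes to /var/log/audit/audit.log.
# Values (pids, timestamps, uids) are illustrative, not taken from any real system.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1712170644.101:201): apparmor="ALLOWED" operation="open" profile="nginx" name="/etc/nginx/mime.types" pid=4242 comm="nginx" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1712170644.102:202): apparmor="DENIED" operation="connect" profile="nginx" name="/run/php-fpm/php-fpm.sock" pid=4243 comm="nginx" requested_mask="wr" denied_mask="wr" fsuid=33 ouid=33
type=AVC msg=audit(1712170644.103:203): apparmor="ALLOWED" operation="open" profile="php-fpm" name="/srv/http/index.php" pid=4300 comm="php-fpm" requested_mask="r" denied_mask="r" fsuid=33 ouid=0
type=AVC msg=audit(1712170644.104:204): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="nginx" pid=4100 comm="apparmor_parser"
"""

# key=value pairs; values are either double-quoted strings or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_audit_line(line):
    """Return the key=value fields of one audit line as a dict (quotes stripped)."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(2)
            for m in FIELD_RE.finditer(line)}


def summarize(log_text, profile):
    """Count access decisions for one profile, keyed by (decision, operation, name).

    In complain mode a violation is logged with apparmor="ALLOWED" and still
    permitted; apparmor="DENIED" means the kernel really refused the access.
    """
    seen = Counter()
    for line in log_text.splitlines():
        ev = parse_audit_line(line)
        if ev.get("type") != "AVC" or ev.get("profile") != profile:
            continue
        if ev.get("apparmor") not in ("ALLOWED", "DENIED"):
            continue  # STATUS and similar lines carry no access decision
        seen[(ev["apparmor"], ev.get("operation"), ev.get("name"))] += 1
    return seen


def real_denials(log_text, profile):
    """Accesses that were actually blocked for the profile.

    For a profile that is supposed to be in complain mode this list should be
    empty; any entry here is the access worth investigating first.
    """
    return [key for key in summarize(log_text, profile) if key[0] == "DENIED"]


if __name__ == "__main__":
    for key, count in summarize(SAMPLE_AUDIT_LOG, "nginx").items():
        print(count, *key)
    print("blocked:", real_denials(SAMPLE_AUDIT_LOG, "nginx"))
```

Run it against the real file with `summarize(open("/var/log/audit/audit.log").read(), "nginx")`; if a profile shown as complain-mode produces DENIED entries, the kernel is enforcing more than the profile flags suggest.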