
Subdomain with FastCGI: PHP sessions do not work - chmod 777 /var/lib/php/session does not help

bluik

Basic Pleskian
Cross-posting. I initially thought this problem was caused by migrating sites from 9.x to 10.x, but no.
I CANNOT BELIEVE such a STUPID bug has not been detected.

---------------------------------------------------------------
PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE
Parallels Plesk Panel, 10.3.1, RHEL6.1, x86-64

PROBLEM DESCRIPTION AND STEPS TO REPRODUCE
When FastCGI is turned on, subdomains can't use PHP sessions because they cannot write to /var/lib/php/session.
Steps:
1- Create domain
2- Create subdomain
3- Create a simple PHP file that uses sessions under the subdomain:
<?php
session_start();
?>

ACTUAL RESULT
[Mon Aug 01 07:16:27 2011] [warn] [client 192.0.2.1] mod_fcgid: stderr: PHP Warning: session_start(): open(/var/lib/php/session/sess_ko4dsk6kjrav9f28m1pbuo8um6, O_RDWR) failed: Permission denied (13) in /var/www/vhosts/example.com/subdomains/test/httpdocs/sess.php on line 2
[Mon Aug 01 07:16:27 2011] [warn] [client 192.0.2.1] mod_fcgid: stderr: PHP Warning: Unknown: open(/var/lib/php/session/sess_ko4dsk6kjrav9f28m1pbuo8um6, O_RDWR) failed: Permission denied (13) in Unknown on line 0
[Mon Aug 01 07:16:27 2011] [warn] [client 192.0.2.1] mod_fcgid: stderr: PHP Warning: Unknown: Failed to write session data (files). Please verify that the current setting of session.save_path is correct (/var/lib/php/session) in Unknown on line 0

EXPECTED RESULT
Session to work properly. Some limitation prevents accessing /var/lib/php/session, as chmod 777 does not help.

ANY ADDITIONAL INFORMATION
Workaround:
Insert this to the _httpd.include file for the subdomain vhost config:
SetEnv PP_CUSTOM_PHP_INI /var/www/vhosts/tst/etc/php.ini

<IfModule mod_fcgid.c>
FcgidInitialEnv PP_CUSTOM_PHP_INI /var/www/vhosts/tst/etc/php.ini
</IfModule>

BUT with the above workaround there are more errors because the custom php ini refers to directories specific for the main site not the subdomain.
--------------------------------------------------------------
 
Solved

OK, I did some digging and the culprit was in fact SELinux.

In case anyone else hits this problem:

To make it work, first fix permissions on the directory and then relabel it:
chown apache:psacln /var/lib/php/session/
chmod 770 /var/lib/php/session/
chcon system_u:object_r:httpd_sys_content_t:s0 /var/lib/php/session/

It seems to be working after this; there are still some AVC messages in audit.log, but they seem related to the site, not the system.


Sorry for the noise. I still think there should be a way for Plesk to do this automatically; for example, having a second session directory for FCGI sites with the correct owner/group, permissions & SELinux label.
 
Found this through Google, whoever is reading this probably did too!

Works great, thanks bluik.

Just a small correction: the first line should start with chown, and not chmod.
 
Thanks, edited to correct it, I really hope it is useful for other people.
Now, I have had another problem with SELinux labels on subdomains for a long time, requiring manual fixing with chcon every time a subdomain is created. Perhaps with your encouragement I will make a post about that.
 
Same issue with CentOS 5, Plesk 10.4.4. SELinux policy with Plesk is still not good.

The above "chcon" fix does not survive a filesystem relabel by the way. The solution would be to modify the file context specification or to make a policy. I ended up making a quick&dirty policy, which might be too wide open:

module plesk-phpsession 1.6;

require {
type httpd_sys_script_t;
type httpd_var_run_t;
class dir { search write add_name remove_name };
class file { create read write lock unlink getattr };
}

#============= httpd_sys_script_t ==============
allow httpd_sys_script_t httpd_var_run_t:dir { search write add_name remove_name };
allow httpd_sys_script_t httpd_var_run_t:file { create read write lock unlink getattr };

Save it to a file, say php.te, then compile & install:
checkmodule -Mm php.te -o php.mod
semodule_package -o php.pp -m php.mod
semodule -i php.pp

For CentOS/RHEL 6 add " open" after the word "getattr" in the two lines above.

It would be great to add a new file context, something like below, but it lacks access from the unconfined domain and is wrong in so many ways (do not use it; it does not work in enforcing mode). I lost interest because of so many other problems with Plesk & SELinux, but I might revisit & update this thread later.
php.te

module plesk-phpsession 1.8;

type httpd_var_lib_phpsession_t;

require {
type httpd_sys_script_t;
type httpd_t;
class dir { search write add_name remove_name };
class file { create read write lock unlink getattr };
}

allow httpd_sys_script_t httpd_var_lib_phpsession_t:dir { search write add_name remove_name };
allow httpd_sys_script_t httpd_var_lib_phpsession_t:file { create read write lock unlink getattr };

allow httpd_t httpd_var_lib_phpsession_t:dir { search write add_name remove_name };
allow httpd_t httpd_var_lib_phpsession_t:file { create read write lock unlink getattr };

php.fc

/var/lib/php/session(/.*)? system_u:object_r:httpd_var_lib_phpsession_t:s0
 
bluik's solution worked for us too. Although, as bluik's last post suggests, this looks like a temporary fix that will need to be re-run regularly.
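
An added example, not part of the thread or of Plesk: a small script that reduces the AVC denials hitting the PHP session store to one row per source type, target type, class and permission set, and prints the `semanage fcontext` / `restorecon` commands that record a label in the local file-context database so it survives a relabel. The function names are hypothetical, the audit records are constructed, and the type passed in is simply the one used in the `chcon` command above.

```shell
#!/bin/sh
# Added example, not from the thread. Audit records below are constructed.

# Reduce AVC denials that touch the PHP session store (directory "session"
# or files "sess_*") to unique "source_type target_type class perms" rows.
summarize_session_avc() {
  awk '
    /avc:/ && /denied/ && /name="sess/ {
      perms = ""; src = ""; tgt = ""; cls = ""; inbrace = 0
      for (i = 1; i <= NF; i++) {
        if ($i == "{") { inbrace = 1; continue }
        if ($i == "}") { inbrace = 0; continue }
        if (inbrace)   { perms = (perms == "" ? $i : perms " " $i); continue }
        if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
        if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
        if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
      }
      print src, tgt, cls, perms
    }' | sort -u
}

# Print (do not run) the commands that store a label in the local
# file-context database, so restorecon and a full relabel keep it.
# $1 = SELinux type (assumption: chosen by the admin), $2 = directory.
persistent_label_cmds() {
  printf "semanage fcontext -a -t %s '%s(/.*)?'\n" "$1" "$2"
  printf "restorecon -Rv %s\n" "$2"
}

# Constructed sample records in audit.log format (one unrelated, one duplicate).
SAMPLE_AUDIT='type=AVC msg=audit(1312179387.101:501): avc:  denied  { write } for  pid=2101 comm="php-cgi" name="session" dev=dm-0 ino=1001 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=dir
type=AVC msg=audit(1312179387.102:502): avc:  denied  { read write } for  pid=2101 comm="php-cgi" name="sess_constructed01" dev=dm-0 ino=1002 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=file
type=AVC msg=audit(1312179390.201:510): avc:  denied  { read write } for  pid=2144 comm="php-cgi" name="sess_constructed02" dev=dm-0 ino=1003 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=file
type=AVC msg=audit(1312179391.301:511): avc:  denied  { read } for  pid=2150 comm="php-cgi" name="index.php" dev=dm-0 ino=2001 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file'

printf '%s\n' "$SAMPLE_AUDIT" | summarize_session_avc
persistent_label_cmds httpd_sys_content_t /var/lib/php/session
```

On a live host, feed `summarize_session_avc` from `/var/log/audit/audit.log` or `ausearch -m avc` instead of the sample, and review the printed commands before running them as root.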
 