Check if SELinux is running:
# getenforce
Enforcing
Temporarily (until reboot) change SELinux into permissive mode (to log SELinux audits):
# setenforce Permissive
# getenforce
Permissive
Run the problematic command (e.g. systemctl start php-fpm).
Check the audit logs, then create a SELinux module and load it:
# grep php-fpm /var/log/audit/audit.log | audit2allow -m phpfpm > phpfpmlocal.tmp
You should look in the file phpfpmlocal.tmp to verify that the permissions look OK. Once you've done so, and made any edits that seem reasonable to you, run audit2allow again to build the module, and semodule to load it:
# grep php-fpm /var/log/audit/audit.log | audit2allow -M phpfpmlocal
# semodule -i phpfpmlocal.pp
Test the problematic command again.
List modules:
# semodule -l
Remove module:
# semodule -r <modulename>
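A helper for the review step above, added here as an example and not part of the original notes: it condenses the AVC denials for one process into the allow rules they would turn into, so the result can be compared with phpfpmlocal.tmp. Because grep php-fpm matches any line that contains the string, denials from other processes that touch a php-fpm path can end up in the module; this filter matches the comm field exactly. The function names and the log lines are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample audit.log lines (not taken from a real system).
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1700000000.101:501): avc:  denied  { name_connect } for  pid=2101 comm="php-fpm" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1700000000.205:502): avc:  denied  { read write } for  pid=2101 comm="php-fpm" name="app.log" dev="dm-0" ino=9001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000001.310:503): avc:  denied  { name_connect } for  pid=2102 comm="php-fpm" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1700000002.415:504): avc:  denied  { getattr } for  pid=2200 comm="logrotate" path="/var/log/php-fpm" dev="dm-0" ino=9002 scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=dir permissive=1
type=SYSCALL msg=audit(1700000002.415:504): arch=c000003e syscall=42 success=yes comm="php-fpm" exe="/usr/sbin/php-fpm"
EOF
}

# summarize_avc COMM: read audit log lines on stdin and print one line per
# distinct (source type, target type, class, permissions) denial for COMM,
# prefixed with the number of times it occurred.
summarize_avc() {
  awk -v want="comm=\"$1\"" '
    $1 == "type=AVC" && index($0, " denied ") && index($0, want) {
      perms = ""; src = ""; tgt = ""; cls = ""; inperm = 0
      for (i = 1; i <= NF; i++) {
        if ($i == "{") { inperm = 1; continue }
        if ($i == "}") { inperm = 0; continue }
        if (inperm) { perms = perms (perms == "" ? "" : " ") $i; continue }
        # A context is user:role:type:level; the type is the third part.
        if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
        if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
        if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
      }
      count[src " " tgt ":" cls " { " perms " }"]++
    }
    END { for (k in count) print count[k], "allow", k ";" }
  ' | sort -k2
}

# Stand-alone run on the constructed sample; on a real host use:
#   summarize_avc php-fpm < /var/log/audit/audit.log
sample_audit_log | summarize_avc php-fpm
```

A rule in phpfpmlocal.tmp whose source type does not appear in this summary came from a line that only mentioned php-fpm, and is a candidate for removal before loading the module.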