PHP not writing to error_log

[verdon]

I recently switched from Apache to LiteSpeed. Since (though I'm not 100% sure of the timing) I don't think php is able to write to users' error_log

I'm also seeing a lot of entries like this in my kernel log

[976574.594142] type=1400 audit(1562012939.794:1171779): avc: denied { append } for pid=11758 comm="lsphp" name="error_log" dev=sda5 in ...: 1 Time(s)


FYI... What started me down this rabbit hole is trying to figure out why the Wordpress plugin 'WP Fail2Ban' is no longer logging events to /var/log/messages. On one server the php handler is LiteSpeed and the other apache/php-fpm - In case anyone has any insight to that.

 

[cPanelLauren]

I believe litespeed uses their own error log: litespeed doesn't use apache error log?

 

[verdon]

I believe litespeed uses their own error log: litespeed doesn't use apache error log?

Thanks. That was an older article, but it did point me to places to look. The default LiteSpeed setup does use /var/log/apache2/error_log and it is a configurable value. There is activity on that file.

I'm still not sure what the entries in my kernel log mean, like this...

[976574.594142] type=1400 audit(1562012939.794:1171779): avc: denied { append } for pid=11758 comm="lsphp" name="error_log" dev=sda5 in ...: 1 Time(s)

 

[cPanelLauren]

What's the output of the following?

sestatus

That sounds a lot like an SELinux related error. cPanel does not support SELinux this is noted in the installation instructions here: - Installation Guide - System Requirements - Version 68 Documentation - cPanel Documentation

Disable SELinux
If your server runs an operating system from a source other than the cPanel & WHM installer, you must disable SELinux to make your system compatible with cPanel & WHM.

 

[verdon]

Thanks @cPanelLauren ,

I hadn't really considered that. This server was provisioned as a cPanel server by my data centre, and I know SELinuxe doesn't play nice with cPanel. It is there, but is set to permissive.

# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          permissive
Policy version:                 24
Policy from config file:        targeted

FYI... I did a search in /home/*/public_html/* for files named error_log less than 2 days old, and there were a few, so at least some accounts are writing them. Still confused by all the entries in my nightly logwatch such as the one above though.

 

[cPanelLauren]

If you disable selinux do you still get the error when lsphp is attempting to write to the apache log? Instructions on disabling it are located in the link I provided.

 

[verdon]

If you disable selinux do you still get the error when lsphp is attempting to write to the apache log? Instructions on disabling it are located in the link I provided.

I'll try a controlled test on it this afternoon. To my understanding though, SELinux set to permissive should be doing nothing anyways, but I'm not 100% sure on that.

Ps. Actually, I can't reboot until tonight... will test tomorrow.

 

[cPanelLauren]

Technically it's not being enforced but those AVC messages are logged:

5.4. Permanent Changes in SELinux States and Modes - Red Hat Customer Portal

When SELinux is running in permissive mode, SELinux policy is not enforced. The system remains operational and SELinux does not deny any operations but only logs AVC messages, which can be then used for troubleshooting, debugging, and SELinux policy improvements.

So, in theory, you should have errors being written to the apache error logs and those AVC messages right now.