php-fpm whitelist needs 2 files
Following merge request !755 (merged) and the related bug https://bugzilla.opensuse.org/show_bug.cgi?id=1186267
The edited file is not the only one needed for the fix; this line should also be changed:
https://gitlab.com/apparmor/apparmor/-/blob/master/profiles/apparmor.d/php-fpm#L19
which should become:
/etc/php{,5,7}/** r,
We also need to whitelist where the actual PHP files are stored... Something like:
# htdocs
/srv/www/** rwlk,
But I understand not everyone will store the files there, and I think a better mechanism to tell the user to whitelist such a folder could be needed?
(Tested now on my machine and it is now working.)
Another one is for the session save path; the default one is:
session.save_path = "/tmp"
which is failing, as the configured one (in AppArmor) is supposed to be:
# php session mmap socket
/var/lib/php{,5,7,8}/session_mm_* rwlk,
# file based session handler
/var/lib/php{,5,7,8}/sess_* rwlk,
/var/lib/php{,5,7,8}/sessions/* rwlk,
I do think that, having already a sandboxed /tmp (due to the systemd launch file), it should be OK to leave /tmp writable... But I also understand this can be a very weak point too, so maybe I will just counter-report to the SUSE Bugzilla to change the default session path...
As a side note, I think it should just be put in
https://gitlab.com/apparmor/apparmor/-/blob/master/profiles/apparmor.d/abstractions/php
instead of:
/etc/php{,5,7,8}/**/ r,
/etc/php{,5,7,8}/**.ini r,
and also:
/etc/php{,5,7,8}/**.conf r,
and erased from the apparmor.d/php-fpm one above?
(As a side note, AppArmor must be active to be reloaded... But if it is stopped, why is it blocking the access???)
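To make the session-path denial concrete, here is an added example (written for this page, not code from the AppArmor project or from the issue author): a small Python matcher for the AppArmor path-glob syntax used in the rules quoted above (`*` stops at `/`, `**` crosses `/`, `{a,b}` is alternation and an empty alternative is allowed), applied to a constructed php.ini fragment with the default `session.save_path = "/tmp"`. The rule list is copied from the issue text, the php.ini text and the probe paths are constructed for the example, and the `*`/`**` semantics follow the apparmor.d man page.

```python
"""Added example (not AppArmor project code): check which paths the file
rules quoted in this issue would allow for php-fpm.

It implements the subset of AppArmor path-glob syntax those rules use,
following the apparmor.d man page: '*' matches any characters except '/',
'**' matches any characters including '/', '?' matches one non-'/'
character, and '{a,b}' is alternation (an empty alternative is allowed,
which is how '{,5,7}' matches both 'php' and 'php7').
"""
import re

# Rules copied from the issue text: (path glob, permission letters).
# Assumption: this is the complete set that matters for the probe paths.
RULES = [
    ("/etc/php{,5,7}/**", "r"),
    ("/srv/www/**", "rwlk"),
    ("/var/lib/php{,5,7,8}/session_mm_*", "rwlk"),
    ("/var/lib/php{,5,7,8}/sess_*", "rwlk"),
    ("/var/lib/php{,5,7,8}/sessions/*", "rwlk"),
]

# Constructed php.ini fragment, not a real distribution file.
PHP_INI = """\
; constructed for this example
session.save_handler = files
session.save_path = "/tmp"
"""


def aa_glob_to_regex(glob):
    """Translate one AppArmor path glob into an anchored regular expression."""
    parts = []
    i = 0
    while i < len(glob):
        if glob.startswith("**", i):
            parts.append(".*")          # '**' crosses directory separators
            i += 2
        elif glob[i] == "*":
            parts.append("[^/]*")       # '*' stops at '/'
            i += 1
        elif glob[i] == "?":
            parts.append("[^/]")
            i += 1
        elif glob[i] == "{":
            close = glob.index("}", i)
            alts = glob[i + 1:close].split(",")
            parts.append("(?:" + "|".join(re.escape(a) for a in alts) + ")")
            i = close + 1
        else:
            parts.append(re.escape(glob[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$")


def allowed(path, perms, rules=RULES):
    """True if some rule matches `path` and grants every letter in `perms`."""
    return any(
        aa_glob_to_regex(glob).match(path) is not None and set(perms) <= set(granted)
        for glob, granted in rules
    )


def session_save_path(ini_text):
    """Return session.save_path from a php.ini text ("/tmp" if unset/empty).

    Handles the quoted form and the 'N;MODE;/path' form by keeping the
    last ';'-separated component.
    """
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == "session.save_path":
            value = value.strip().strip("\"'")
            return value.rsplit(";", 1)[-1] or "/tmp"
    return "/tmp"


def session_file_allowed(ini_text, rules=RULES):
    """Probe the path PHP's files handler would write for a session."""
    directory = session_save_path(ini_text).rstrip("/")
    probe = directory + "/sess_0123456789abcdef"   # constructed session id
    return probe, allowed(probe, "rwlk", rules)


if __name__ == "__main__":
    probe, ok = session_file_allowed(PHP_INI)
    print(f"{probe}: {'allowed' if ok else 'DENIED'} by the quoted rules")
    for p, need in [("/etc/php7/fpm/php.ini", "r"),
                    ("/etc/php8/fpm/php.ini", "r"),
                    ("/srv/www/htdocs/index.php", "r"),
                    ("/var/lib/php8/sess_0123456789abcdef", "rwlk"),
                    ("/var/lib/php8/sessions/sub/sess_0123456789abcdef", "rwlk")]:
        print(f"{p} ({need}): {allowed(p, need)}")
```

Run it with `python3 aa_php_check.py` (any file name works). It reports the files-handler session file under /tmp as not covered by any quoted rule, while the same file under /var/lib/php{,5,7,8} is, and it shows why `sessions/*` does not cover a nested sub-directory (`*` never crosses `/`). Because the quoted /etc rule lists `{,5,7}` while the session rules list `{,5,7,8}`, a config file under /etc/php8 also comes out as uncovered; that is only what the quoted rules say, not a claim about the current upstream profile.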