Sysadmin: “[warn-phpd] mmap cache can’t open file … ” mystery solved

Yesterday one of our old customers asked me to help solve a very interesting problem: he had put some PHP files outside of the Apache DocumentRoot on his server and Apache could not access them, writing some very interesting lines to the default Apache error_log.

To my surprise, I had never seen such an error message in my life, and I have spent 19 years dealing with this. I was pretty sure I could identify the source of the problem just by looking at it. The customer claimed that he had spent 3 hours googling for the solution without finding one or even getting any better understanding of what the problem is.
The system was a basic CentOS 5.10 with everything installed from the official repositories. The permissions and ownership of the config file /home/conf.php allowed read access to everybody, so there was no obvious reason why it would throw this strange error. Even the source of the message was a mystery: what is this “phpd” and why have I never heard of it? It doesn’t look like any process or even file on the system. PHP was used as regular mod_php, so there were no surprises there. Nor were there any exotic or popular PHP opcode caching modules installed.
There is only one more usual suspect: SELinux. While very useful in high-security environments, in my opinion it is also quite useless and even harmful in high-load web hosting situations. And while well known for the granularity and flexibility of its configuration, it is also very well known for difficulty of troubleshooting.
It is quite easy to check from an SSH terminal session.

SELinux is turned on. But is it really preventing access to the file in question? Let’s check the log.
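One way to confirm that a denial in the audit log really concerns httpd and the file in question, as an added example (not the author's original command or output). The log lines are constructed in the usual AVC record layout, and the type labels `httpd_t` and `home_root_t` as well as all function names are assumptions made for illustration.

```python
import re

# Constructed sample lines in audit.log AVC format (not from the server in the post).
SAMPLE_LOG = """\
type=AVC msg=audit(1400000000.101:231): avc:  denied  { read } for  pid=2817 comm="httpd" name="conf.php" dev=sda2 ino=98312 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:home_root_t:s0 tclass=file
type=SYSCALL msg=audit(1400000000.101:231): arch=c000003e syscall=2 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1400000000.245:232): avc:  denied  { getattr } for  pid=2817 comm="httpd" path="/home/conf.php" dev=sda2 ino=98312 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:home_root_t:s0 tclass=file
type=AVC msg=audit(1400000003.900:240): avc:  denied  { name_connect } for  pid=3100 comm="sendmail" dest=25 scontext=root:system_r:sendmail_t:s0 tcontext=system_u:object_r:smtp_port_t:s0 tclass=tcp_socket
type=USER_AUTH msg=audit(1400000010.000:241): user pid=3200 uid=0 msg='PAM: authentication acct="root" : exe="/usr/sbin/sshd"'
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\([\d.]+:(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{ (?P<perms>[^}]*)\} for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc_denials(text):
    """Return one dict per AVC denial record found in text."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.match(line)
        if not m:
            continue  # SYSCALL, USER_AUTH and other record types
        rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
        rec['perms'] = m.group('perms').split()
        rec['serial'] = int(m.group('serial'))
        denials.append(rec)
    return denials

def denials_for(text, comm, filename):
    """Denials where process `comm` was refused access to `filename`."""
    hits = []
    for rec in parse_avc_denials(text):
        target = rec.get('path') or rec.get('name', '')
        if rec.get('comm') == comm and target.rsplit('/', 1)[-1] == filename:
            hits.append(rec)
    return hits

def selinux_type(context):
    """Third field of user:role:type:level is the type used by policy rules."""
    return context.split(':')[2]

if __name__ == '__main__':
    for rec in denials_for(SAMPLE_LOG, 'httpd', 'conf.php'):
        print(rec['serial'], rec['perms'],
              selinux_type(rec['scontext']), '->', selinux_type(rec['tcontext']))
```

A denial whose source type is the web server's domain and whose target type is not a web content type explains why ordinary file permissions looked correct while the read still failed.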

In order to verify our findings we can try to disable SELinux.

After a restart Apache works properly: there are no problems reading /home/conf.php and the strange error messages are gone.
However, we are still running SELinux code: even though it no longer blocks anything, it is still examining every system event against the SELinux configuration and writing sizable logs.
In order to disable SELinux once and for all we will have to modify 2 files and reboot (unfortunately there is no other way).

  1. In /etc/sysconfig/selinux we need to change the SELINUX parameter, so the file will look like this
  2. In the GRUB config /boot/grub/menu.lst we will have to add the option “selinux=0” to the kernel line so that it will be turned off from the very start of boot.
    For example

    Now after the reboot SELinux will be off your back until you decide that you really require it for your server operation.

  1. very excellent 🙂
