Nginx reports: FastCGI sent in stderr: "Unable to open primary script"

Hi, I recently successfully (kinda) set up Nextcloud on OpenSUSE, however I couldn’t get Apache to serve the ocs-provider, .well-known, etc things right, so I switched to Nginx.

I have Nginx and php running as the wwwrun user, serving nextcloud out of /srv/www/htdocs/nextcloud which I chown -R'd to wwwrun. When I run sudo -s wwwrun cat /srv/www/htdocs/nextcloud/index.php it works fine! But when I start up all the server components and try to access the URL it just says “Access denied” with the following error in Nginx’s log:

2022/07/16 14:39:12 [error] 11915#11915: *19 FastCGI sent in stderr: "Unable to open primary script: /srv/www/htdocs/nextcloud/index.php (Permission denied)" while reading response header from upstream

I’m using the default nginx.conf from the docs with just my server name and SSL cert file locations changed. The error message I get when hitting the URL is correctly served via HTTPS which is fun at least :smiley:

This is my php-fpm.conf:

[global]
include=/etc/php7/fpm/php-fpm.d/*.conf

And, the only file in php-fpm.d, www.conf:

[www]
user = wwwrun
group = www
listen = 127.0.0.1:9000
pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3

Any ideas on where I should look to solve this? In short:

  • php reports via fastcgi that it cannot access my index.php due to permission denied
  • I can independently verify that the user php runs as can, in fact, read the file

I found the problem. My configuration is fine. AppArmor was preventing the php-fpm process from reading files it needed to.
Interestingly, disabling the apparmor service did not change that. However, running aa-complain php-fpm as root solved it.
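
When file ownership and mode check out but php-fpm still gets "Permission denied", as in the thread above, the AppArmor records in the audit or kernel log show which path the profile refused. The following is an added example, not part of the original posts: `aa_denials` and `sample_log` are hypothetical helper names, and the log records are constructed for illustration (only the `php-fpm` profile name and the file path come from the thread).

```shell
#!/bin/sh
# Constructed sample records in the audit-log format AppArmor emits.
# The last php-fpm record is what complain mode logs: ALLOWED, not DENIED.
sample_log() {
cat <<'EOF'
type=AVC msg=audit(1657975152.100:501): apparmor="DENIED" operation="open" profile="php-fpm" name="/srv/www/htdocs/nextcloud/index.php" pid=11920 comm="php-fpm" requested_mask="r" denied_mask="r" fsuid=30 ouid=30
type=AVC msg=audit(1657975153.200:502): apparmor="DENIED" operation="getattr" profile="php-fpm" name="/srv/www/htdocs/nextcloud/index.php" pid=11920 comm="php-fpm" requested_mask="r" denied_mask="r" fsuid=30 ouid=30
type=AVC msg=audit(1657975160.300:503): apparmor="DENIED" operation="open" profile="php-fpm" name="/srv/www/htdocs/nextcloud/index.php" pid=11921 comm="php-fpm" requested_mask="r" denied_mask="r" fsuid=30 ouid=30
type=AVC msg=audit(1657975161.400:504): apparmor="DENIED" operation="open" profile="other-profile" name="/etc/example.conf" pid=400 comm="other" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
type=AVC msg=audit(1657975200.500:505): apparmor="ALLOWED" operation="open" profile="php-fpm" name="/srv/www/htdocs/nextcloud/index.php" pid=11930 comm="php-fpm" requested_mask="r" denied_mask="r" fsuid=30 ouid=30
EOF
}

# Read log text on stdin and summarise DENIED records for one profile.
# Output: "<count> <operation> <path> <denied_mask>", most frequent first.
aa_denials() {
    awk -v want="$1" '
        # Return the value of key="value" in the current record ("" if absent).
        function field(key,    re, s) {
            re = "(^| )" key "=\"[^\"]*\""
            if (match($0, re) == 0) return ""
            s = substr($0, RSTART, RLENGTH)
            sub("^ ?" key "=\"", "", s)
            sub("\"$", "", s)
            return s
        }
        /apparmor="DENIED"/ {
            if (field("profile") != want) next
            seen[field("operation") " " field("name") " " field("denied_mask")]++
        }
        END { for (k in seen) print seen[k], k }
    ' | sort -k1,1nr -k2
}

# Stand-alone run against the constructed sample.
sample_log | aa_denials php-fpm
```

On a real host, pipe the audit log or kernel log into `aa_denials` in place of `sample_log`; the paths it lists are the ones the profile needs a rule for before it can go back to enforce mode.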