I found a few /var/log/audit/audit.log entries which have me a little bit concerned. SEAlert explains them as such:
SELinux is preventing /usr/sbin/php-fpm from write access on the directory wwwuserhome.
Raw Audit Messages
type=AVC msg=audit(1439921831.7:6232): avc: denied { write } for pid=10665 comm="php-fpm" name="wwwuserhome" dev="xvda1" ino=25877059 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1439921831.7:6232): avc: denied { add_name } for pid=10665 comm="php-fpm" name=".pki" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1439921831.7:6232): avc: denied { create } for pid=10665 comm="php-fpm" name=".pki" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir
type=SYSCALL msg=audit(1439921831.7:6232): arch=x86_64 syscall=mkdir success=yes exit=0 a0=7f512952d040 a1=1f0 a2=ffffffffffffff60 a3=7fffc7beff00 items=0 ppid=12783 pid=10665 auid=4294967295 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=4294967295 comm=php-fpm exe=/usr/sbin/php-fpm subj=system_u:system_r:httpd_t:s0 key=(null)
Hash: php-fpm,httpd_t,user_home_dir_t,dir,write
And also:
SELinux is preventing /usr/sbin/php-fpm from write access on the directory .pki.
Raw Audit Messages
type=AVC msg=audit(1439921831.7:6233): avc: denied { write } for pid=10665 comm="php-fpm" name=".pki" dev="xvda1" ino=25167629 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1439921831.7:6233): avc: denied { add_name } for pid=10665 comm="php-fpm" name="nssdb" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir
type=SYSCALL msg=audit(1439921831.7:6233): arch=x86_64 syscall=mkdir success=yes exit=0 a0=7f512952d040 a1=1f0 a2=ffffffffffffff60 a3=7fffc7beff00 items=0 ppid=12783 pid=10665 auid=4294967295 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=4294967295 comm=php-fpm exe=/usr/sbin/php-fpm subj=system_u:system_r:httpd_t:s0 key=(null)
Hash: php-fpm,httpd_t,user_home_dir_t,dir,write
What I make of it is:
- Gladly, SELinux blocks this; it's doing its job!
- Some PHP script is attempting to write to the web user's home folder. I'm not aware of an actual script or plugin that should be doing this. Certainly nothing related to PKI or NSSDB. There are no SSL/TLS Certs on this server.
- Assuming with reasonable confidence (as it's all built this year, kept up to date, pretty well secured) that this is not a script I installed for this very purpose, I can only assume that some script is being exploited to try and manipulate my system. I certainly don't use PHP to make directories myself. However, searching the Nginx and PHP-FPM logs for events around those audit log timestamps yields nothing weird.
- A grep on .pki or wwwuserhome in the docroot and deeper doesn't yield any hardcoded PHP that attempts this, so it may be fed in through URL parameters or otherwise hidden from me through encoding.
So the question is: what can I do to monitor this more closely and, ultimately, find the files or even the functions that are being manipulated? And of course, the perpetrator's IP.
Is there a way to tell PHP to log more verbosely when certain functions are being executed? Especially system calls and file handler actions.
Any further tips?
0 Answers
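A small parser, added here as an example and not part of the question, that groups audit.log records by event serial, joins each AVC denial with the SYSCALL record of the same event, and flags the pattern shown above (httpd_t writing into user_home_dir_t). The embedded records are a constructed copy in the shape of the entries quoted in the question.

```python
import re
from collections import OrderedDict

# Constructed sample in the shape of the audit.log records quoted in the question
SAMPLE_AUDIT = """\
type=AVC msg=audit(1439921831.7:6232): avc: denied { write } for pid=10665 comm="php-fpm" name="wwwuserhome" dev="xvda1" ino=25877059 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1439921831.7:6232): avc: denied { add_name } for pid=10665 comm="php-fpm" name=".pki" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1439921831.7:6232): avc: denied { create } for pid=10665 comm="php-fpm" name=".pki" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir
type=SYSCALL msg=audit(1439921831.7:6232): arch=x86_64 syscall=mkdir success=yes exit=0 a0=7f512952d040 a1=1f0 a2=ffffffffffffff60 a3=7fffc7beff00 items=0 ppid=12783 pid=10665 auid=4294967295 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=4294967295 comm=php-fpm exe=/usr/sbin/php-fpm subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1439921831.7:6233): avc: denied { write } for pid=10665 comm="php-fpm" name=".pki" dev="xvda1" ino=25167629 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir
type=AVC msg=audit(1439921831.7:6233): avc: denied { add_name } for pid=10665 comm="php-fpm" name="nssdb" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_dir_t:s0 tclass=dir
type=SYSCALL msg=audit(1439921831.7:6233): arch=x86_64 syscall=mkdir success=yes exit=0 a0=7f512952d040 a1=1f0 a2=ffffffffffffff60 a3=7fffc7beff00 items=0 ppid=12783 pid=10665 auid=4294967295 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=(none) ses=4294967295 comm=php-fpm exe=/usr/sbin/php-fpm subj=system_u:system_r:httpd_t:s0 key=(null)
"""

HEADER_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS_RE = re.compile(r'denied\s+\{ ([^}]*) \}')

def parse_audit(text):
    """Group records by event serial so each AVC line meets the SYSCALL line it belongs to."""
    events = OrderedDict()
    for m in filter(None, map(HEADER_RE.match, text.splitlines())):
        rtype, _ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
        ev = events.setdefault(serial, {'avc': [], 'syscall': {}})
        if rtype == 'AVC':
            fields['perms'] = PERMS_RE.search(body).group(1).split()
            ev['avc'].append(fields)
        elif rtype == 'SYSCALL':
            ev['syscall'] = fields
    return events

def summarize(events):
    """One row per event: source domain, target type, denied perms, names, and how the syscall ended."""
    rows = []
    for serial, ev in events.items():
        sc, avcs = ev['syscall'], ev['avc']
        if not avcs:  # a SYSCALL record without AVC lines carries no denial
            continue
        names = list(OrderedDict.fromkeys(a['name'] for a in avcs if 'name' in a))
        rows.append({'serial': serial, 'names': names,
                     'domain': avcs[0]['scontext'].split(':')[2], 'target': avcs[0]['tcontext'].split(':')[2],
                     'perms': {p for a in avcs for p in a['perms']},
                     'uid': sc.get('uid'), 'exe': sc.get('exe'), 'syscall': sc.get('syscall'), 'success': sc.get('success')})
    return rows

def home_dir_writes(rows):
    """Flag the pattern from the question: the web-server domain writing into a user home directory."""
    return [r for r in rows if r['domain'] == 'httpd_t' and r['target'] == 'user_home_dir_t'
            and r['perms'] & {'write', 'add_name', 'create'}]
```

Run over the real /var/log/audit/audit.log, each flagged row gives the serial, uid, exe and syscall outcome to match against the php-fpm and Nginx access logs for the same second.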