Bug 1178210

Summary: php-fpm can't write into redis' socket
Product: Red Hat Enterprise Linux 6
Component: selinux-policy
Version: 6.6
Hardware: All
OS: Linux
Severity: low
Priority: low
Status: CLOSED ERRATA
Reporter: Renich Bon Ciric <renich>
Assignee: Simon Sekidde <ssekidde>
QA Contact: Milos Malik <mmalik>
CC: angystardust, dwalsh, lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde
Target Milestone: rc
Target Release: 6.7
Fixed In Version: selinux-policy-3.7.19-273.el6
Doc Type: Bug Fix
Type: Bug
Clones: 1897517
Bug Blocks: 1197105
Last Closed: 2015-07-22 07:10:24 UTC

Description Renich Bon Ciric 2015-01-02 21:44:44 UTC
Sorry to publish this here, but I couldn't find where to post a bug for EPEL packages.

Description of problem:
php-fpm can't write/read to/from the redis socket

Version-Release number of selected component (if applicable):
selinux-policy-3.7.19-260.el6_6.1.noarch

How reproducible:
First, configure redis to use a socket at /var/run/redis/redis.sock (where the PID is by default).

Then, try to use redis from PHP:

<?php

ini_set( 'display_errors', 'On' );
$redis = new Redis();

// Persistent connection over the Unix domain socket (no host/port).
if ( ! $redis->pconnect( '/var/run/redis/redis.sock' ) ) {
    echo "connect to /var/run/redis/redis.sock failed\n";
    exit( 1 );
}

echo 'sending ping... ';
echo $redis->ping() . "\n";

echo 'setting name ... ' . "\n";
$redis->set( 'Name', 'Renich Bon Ciric' );

echo 'getting name. The name is: ';
echo $redis->get( 'Name' ) . "\n";

?>


Actual results:
[root@web1 public]# ausearch -i -sv no -ts recent 
----
type=SYSCALL msg=audit(01/02/2015 15:33:08.834:23071) : arch=x86_64 syscall=connect success=no exit=-13(Permission denied) a0=0x5 a1=0x7ffffc01ce60 a2=0x1b a3=0x1f3d1a0 items=0 ppid=21091 pid=21103 auid=root uid=apache gid=apache euid=apache suid=apache fsuid=apache egid=apache sgid=apache fsgid=apache tty=(none) ses=3433 comm=php-fpm exe=/usr/sbin/php-fpm subj=unconfined_u:system_r:httpd_t:s0 key=(null) 
type=AVC msg=audit(01/02/2015 15:33:08.834:23071) : avc:  denied  { write } for  pid=21103 comm=php-fpm name=redis.sock dev=dm-2 ino=1701412 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file 
----
type=SYSCALL msg=audit(01/02/2015 15:33:08.833:23070) : arch=x86_64 syscall=connect success=no exit=-13(Permission denied) a0=0x5 a1=0x7ffffc01abc0 a2=0x1b a3=0x1f43840 items=0 ppid=21091 pid=21103 auid=root uid=apache gid=apache euid=apache suid=apache fsuid=apache egid=apache sgid=apache fsgid=apache tty=(none) ses=3433 comm=php-fpm exe=/usr/sbin/php-fpm subj=unconfined_u:system_r:httpd_t:s0 key=(null) 
type=AVC msg=audit(01/02/2015 15:33:08.833:23070) : avc:  denied  { write } for  pid=21103 comm=php-fpm name=redis.sock dev=dm-2 ino=1701412 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file 
[root@web1 public]# ausearch -i -sv no -ts recent | audit2allow


#============= httpd_t ==============
allow httpd_t var_run_t:sock_file write;


Expected results:
It should write and read the var.

Comment 1 Daniel Walsh 2015-01-03 16:44:05 UTC
Looks like we would need to backport redis policy to make this work.

For now you could add a custom policy module.
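
The custom-module route suggested in comment 1, as an added shell example that is not from the bug report or the selinux-policy project: it parses the AVC records that "ausearch -i" prints into allow rules, wraps them in a loadable module source (the form "audit2allow -M" produces), and compiles and loads the module only when the policy toolchain is installed. The module name httpd_redis_sock and the second (getattr) AVC record are assumptions made for illustration; the report itself shows only write denials.

```bash
#!/usr/bin/env bash
# Added example (not code from the bug report): build a custom SELinux policy
# module from AVC denials so the rules are visible before they are loaded.
# Assumptions: the module name "httpd_redis_sock" and the SAMPLE_AVC records
# below are constructed for illustration (the second record adds a getattr
# denial that the report does not show, to demonstrate permission merging).

SAMPLE_AVC='type=AVC msg=audit(01/02/2015 15:33:08.834:23071) : avc:  denied  { write } for  pid=21103 comm=php-fpm name=redis.sock dev=dm-2 ino=1701412 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(01/02/2015 15:33:09.100:23072) : avc:  denied  { getattr } for  pid=21103 comm=php-fpm name=redis.sock dev=dm-2 ino=1701412 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file'

# avc_to_rule: read "ausearch -i" output on stdin and print one
#   allow <source type> <target type>:<class> { <perms> };
# per (source, target, class), merging the permissions of repeated denials.
avc_to_rule() {
  awk '
    /avc: *denied/ {
      perms = ""; src = ""; tgt = ""; cls = ""
      if (match($0, /denied +[{][^}]*[}]/)) {
        perms = substr($0, RSTART, RLENGTH)
        sub(/^denied +[{] */, "", perms); sub(/ *[}]$/, "", perms)
      }
      for (i = 1; i <= NF; i++) {
        # contexts are user:role:type:level; the type is the third field
        if ($i ~ /^scontext=/) { split($i, c, ":"); src = c[3] }
        if ($i ~ /^tcontext=/) { split($i, c, ":"); tgt = c[3] }
        if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
      }
      if (src == "" || tgt == "" || cls == "" || perms == "") next
      key = src " " tgt ":" cls
      n = split(perms, p, " ")
      for (j = 1; j <= n; j++)
        if (index(" " have[key] " ", " " p[j] " ") == 0)
          have[key] = (have[key] == "" ? p[j] : have[key] " " p[j])
    }
    END { for (k in have) printf "allow %s { %s };\n", k, have[k] }
  ' | sort
}

# rules_to_te: read allow rules on stdin and wrap them in module source with
# the require block that checkmodule needs.  $1 = module name, $2 = version.
rules_to_te() {
  awk -v name="$1" -v ver="$2" '
    function add_type(t) { if (!(t in tseen)) { tseen[t] = 1; tlist[++nt] = t } }
    function add_perm(c, p) {
      if (!(c in cseen)) { cseen[c] = 1; clist[++nc] = c }
      if (index(" " cperm[c] " ", " " p " ") == 0)
        cperm[c] = (cperm[c] == "" ? p : cperm[c] " " p)
    }
    $1 == "allow" {
      rules[++nr] = $0
      add_type($2)
      split($3, tc, ":"); add_type(tc[1])
      for (i = 5; i < NF; i++) add_perm(tc[2], $i)   # fields between "{" and "};"
    }
    END {
      printf "module %s %s;\n\nrequire {\n", name, ver
      for (i = 1; i <= nt; i++) printf "\ttype %s;\n", tlist[i]
      for (i = 1; i <= nc; i++) printf "\tclass %s { %s };\n", clist[i], cperm[clist[i]]
      printf "}\n\n"
      for (i = 1; i <= nr; i++) print rules[i]
    }
  '
}

# build_module: compile and load a .te file (checkmodule -> semodule_package ->
# semodule).  Returns 2 when the policycoreutils toolchain is not installed.
build_module() {
  te="$1"; base="${1%.te}"
  for tool in checkmodule semodule_package semodule; do
    command -v "$tool" >/dev/null 2>&1 || return 2
  done
  checkmodule -M -m -o "$base.mod" "$te" &&
    semodule_package -o "$base.pp" -m "$base.mod" &&
    semodule -i "$base.pp"
}

# Show what would be loaded.  On the affected host, replace SAMPLE_AVC with
#   ausearch -i -sv no -ts recent -c php-fpm
# redirect the result into httpd_redis_sock.te and call build_module on it.
printf '%s\n' "$SAMPLE_AVC" | avc_to_rule | rules_to_te httpd_redis_sock 1.0
```

Two points worth checking before loading the result. The target type in the denial is var_run_t, the generic label for /var/run, so the generated rule lets httpd_t write to every sock_file carrying that label, not only redis.sock; that is why the eventual errata fix gives the socket its own type (the RHEL 7 query in comment 18 uses redis_var_run_t). And "-sv no -ts recent" alone pulls in every recent failed event, so restrict it with "-c php-fpm" as above rather than feeding unrelated denials into the module. After "semodule -i", the same sesearch form used in comment 18 ("sesearch -A -s httpd_t -t var_run_t -c sock_file -p write") should now list the rule.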

Comment 2 Renich Bon Ciric 2015-01-04 19:49:45 UTC
(In reply to Daniel Walsh from comment #1)
> Looks like we would need to back port redis policy to make this work.
> 
> For now you could add a custom policy module.

Ok, I will.

Comment 7 Miroslav Grepl 2015-04-14 09:05:59 UTC
commit cf60c35e07d2e430a4061ab30c6c40a49bfb5704
Author: Miroslav Grepl <mgrepl>
Date:   Tue Apr 14 11:05:24 2015 +0200

    Allow redis to create /var/run/redis/redis.sock.

Comment 15 Miroslav Grepl 2015-06-03 11:20:51 UTC
commit a8cc60eeb13cf7f9a636261a26455afbaeacd75e
Author: Miroslav Grepl <mgrepl>
Date:   Wed Jun 3 13:20:00 2015 +0200

    Allow php-fpm write access to /var/run/redis/redis.sock

Comment 17 errata-xmlrpc 2015-07-22 07:10:24 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-1375.html

Comment 18 Angelo Lisco 2019-10-04 20:13:21 UTC
It seems that the patch was lost somewhere around the git repository...

On a rhel7 it was working fine because of the following policy rule:

# sesearch -A -s httpd_t -t redis_var_run_t -c sock_file -p write ; echo $?
# Found 1 semantic av rules:
   allow domain pidfile : sock_file { write getattr append open } ; 
0

but I don't have any output querying the selinux target policy on a rhel8 with the following command:
# sesearch -A -s httpd_t -t redis_var_run_t -c sock_file -p write ; echo $?
0

Do I have to open a new bugzilla report?

Comment 19 Lukas Vrabec 2019-10-07 07:04:16 UTC
Hi Angelo, 

This is RHEL-6 bugzilla, could you please open ticket for RHEL-8 with your issue? 

Thanks,
Lukas.