Bug 1223989

Summary: SELinux is not allowing PHP-FPM's slowlog timeout capability
Product: Red Hat Enterprise Linux 6
Reporter: Renich Bon Ciric <renich>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED NOTABUG
QA Contact: Milos Malik <mmalik>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 6.6
CC: dkutalek, dwalsh, lvrabec, mgrepl, mmalik, plautrba, pvrabec, renich, ssekidde
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Clones: 1253259
Environment:
Last Closed: 2015-08-28 15:06:47 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Renich Bon Ciric 2015-05-21 21:48:36 UTC
Please review the downstream bug: http://bugs.centos.org/view.php?id=8741

If you enable:

slowlog = /var/log/php-fpm/www-slow.log
request_slowlog_timeout = 5s

In /etc/php-fpm.d/www.conf, SELinux will start complaining:

ausearch -i -sv no -ts recent | grep ptrace
type=SYSCALL msg=audit(05/21/2015 21:37:21.028:14259) : arch=x86_64 syscall=ptrace success=no exit=-1(Operation not permitted) a0=PTRACE_ATTACH a1=0x33ea a2=0x0 a3=0x0 items=0 ppid=1 pid=1385 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=php-fpm exe=/usr/sbin/php-fpm subj=system_u:system_r:httpd_t:s0 key=(null) 
type=AVC msg=audit(05/21/2015 21:37:21.028:14259) : avc: denied { sys_ptrace } for pid=1385 comm=php-fpm capability=sys_ptrace scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability

Comment 2 Milos Malik 2015-05-22 09:34:12 UTC
Which version of selinux-policy do you have on your machine?

Comment 3 Renich Bon Ciric 2015-05-22 09:51:57 UTC
(In reply to Milos Malik from comment #2)
> Which version of selinux-policy do you have on your machine?

# rpm -q selinux-policy
selinux-policy-3.7.19-260.el6_6.3.noarch

Comment 5 Renich Bon Ciric 2015-06-01 20:53:16 UTC
Do you need info from me or dkutalek?

Comment 6 Milos Malik 2015-06-02 07:28:08 UTC
The latest policy (3.7.19-271.el6) contains a dontaudit rule which prevents the AVC from appearing:

# sesearch -s httpd_t -t httpd_t -c capability -p sys_ptrace --allow -C

# sesearch -s httpd_t -t httpd_t -c capability -p sys_ptrace --dontaudit -C
Found 1 semantic av rules:
DT dontaudit httpd_t httpd_t : capability sys_ptrace ; [ httpd_run_stickshift ]

#

But the rule is active only if the httpd_run_stickshift boolean is enabled.

Unfortunately, I don't see the AVC even if the boolean is disabled. When I start the php-fpm service (configuration from comment #0 was applied before) the AVC does not appear. How long do you keep the php-fpm running until you see any AVCs? Do you run a stress test on php-fpm?
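Working from the AVC record in the description and the sesearch queries in comment 6, the following shell script is an added example, not code from the bug report or from the selinux-policy package. It parses an AVC denial record (the sample is constructed by copying the AVC line from the report's ausearch output), pulls out the source and target types, object class and denied permissions, and derives the two sesearch queries (setools 3 syntax, as used in comment 6) that check for an allow or dontaudit rule, plus the allow rule a local policy module would need. The function names are the example's own; the "self" target substitution follows what audit2allow emits when source and target type are the same.

```shell
#!/bin/sh
# Added example (not from the bug report): parse one SELinux AVC denial record
# and derive the policy queries and the allow rule that would cover it.

# Constructed sample: the AVC line from the report, copied verbatim.
AVC_SAMPLE='type=AVC msg=audit(05/21/2015 21:37:21.028:14259) : avc: denied { sys_ptrace } for pid=1385 comm=php-fpm capability=sys_ptrace scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability'

# avc_field RECORD KEY: print the value of the "KEY=value" token in the record.
avc_field() {
    printf '%s\n' "$1" | sed -n 's/.*[[:space:]]'"$2"'=\([^[:space:]]*\).*/\1/p'
}

# avc_perms RECORD: print the space-separated permissions inside "denied { ... }".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied { *\([^}]*\)}.*/\1/p' | sed 's/ *$//'
}

# context_type CONTEXT: the type component of a user:role:type:level context.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_sesearch RECORD KIND: the sesearch query (KIND is "allow" or "dontaudit")
# that answers whether the loaded policy has a rule matching this denial.
avc_sesearch() {
    src=$(context_type "$(avc_field "$1" scontext)")
    tgt=$(context_type "$(avc_field "$1" tcontext)")
    cls=$(avc_field "$1" tclass)
    perms=$(avc_perms "$1" | tr ' ' ',')
    printf 'sesearch -s %s -t %s -c %s -p %s --%s -C\n' "$src" "$tgt" "$cls" "$perms" "$2"
}

# avc_allow_rule RECORD: the type-enforcement allow rule a local module would
# need to permit the operation. When source and target types are identical the
# target is written as "self", the way audit2allow does.
avc_allow_rule() {
    src=$(context_type "$(avc_field "$1" scontext)")
    tgt=$(context_type "$(avc_field "$1" tcontext)")
    cls=$(avc_field "$1" tclass)
    perms=$(avc_perms "$1")
    if [ "$src" = "$tgt" ]; then
        tgt=self
    fi
    printf 'allow %s %s:%s { %s };\n' "$src" "$tgt" "$cls" "$perms"
}

# Demonstration on the constructed sample.
printf 'denied: %s -> %s %s { %s } (comm=%s pid=%s)\n' \
    "$(context_type "$(avc_field "$AVC_SAMPLE" scontext)")" \
    "$(context_type "$(avc_field "$AVC_SAMPLE" tcontext)")" \
    "$(avc_field "$AVC_SAMPLE" tclass)" \
    "$(avc_perms "$AVC_SAMPLE")" \
    "$(avc_field "$AVC_SAMPLE" comm)" \
    "$(avc_field "$AVC_SAMPLE" pid)"
avc_sesearch "$AVC_SAMPLE" allow
avc_sesearch "$AVC_SAMPLE" dontaudit
avc_allow_rule "$AVC_SAMPLE"
```

Getting nothing back from the allow query, as in comment 6, confirms the operation is denied. A dontaudit rule such as the one enabled by httpd_run_stickshift only stops the denial from being logged; it grants nothing, so with the boolean on php-fpm's PTRACE_ATTACH still fails and the slow-request backtrace is still not written. Loading the generated allow rule as a local module (for example through audit2allow -M, or checkmodule/semodule_package/semodule by hand) is what actually permits it, at the cost of letting every httpd_t process ptrace any other httpd_t process, which is why the shipped policy does not allow it by default.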

Comment 7 Renich Bon Ciric 2015-06-03 11:11:08 UTC
(In reply to Milos Malik from comment #6)
> The latest policy (3.7.19-271.el6) contains a dontaudit rule which prevents
> the AVC from appearing:
> 
> # sesearch -s httpd_t -t httpd_t -c capability -p sys_ptrace --allow -C
> 
> # sesearch -s httpd_t -t httpd_t -c capability -p sys_ptrace --dontaudit -C
> Found 1 semantic av rules:
> DT dontaudit httpd_t httpd_t : capability sys_ptrace ; [
> httpd_run_stickshift ]
> 
> #
> 
> But the rule is active only if the httpd_run_stickshift boolean is enabled.

I will enable the boolean to see if it helps.

> Unfortunately, I don't see the AVC even if the boolean is disabled. When I
> start the php-fpm service (configuration from comment#0 was applied before)
> the AVC does not appear. How long do you keep the php-fpm running until you
> see any AVCs? Do you run a stress test on php-fpm ?

As soon as I get a request, I see the AVC.

Comment 9 Miroslav Grepl 2015-08-28 15:06:47 UTC
From my point of view, this is not a bug. We have a boolean for this and it won't be allowed by default.