Bug 1670386

Summary: AVC denied httpd_execmem for php-fpm when php-opcache is installed
Product: Red Hat Enterprise Linux 8
Reporter: David Jež <djez>
Component: php-7.2-module
Assignee: Remi Collet <rcollet>
Status: NEW ---
QA Contact: BaseOS QE - Apps <qe-baseos-apps>
Severity: unspecified
Docs Contact: Lenka Špačková <lkuprova>
Priority: unspecified
Version: 8.0
CC: bnater, jorton, mmalik, pasik, rcollet
Target Milestone: rc
Target Release: 8.0
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Known Issue
Doc Text:
.`php-fpm` causes SELinux AVC denials when `php-opcache` is installed with PHP 7.2

When the `php-opcache` package is installed, the FastCGI Process Manager (`php-fpm`) causes SELinux AVC denials. To work around this problem, change the default configuration in the `/etc/php.d/10-opcache.ini` file to the following:

----
opcache.huge_code_pages=0
----

Note that this problem affects only the `php:7.2` stream, not the `php:7.3` one.

Story Points: ---
Clone Of:
: 1725104
Environment:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:

Description David Jež 2019-01-29 13:18:52 UTC
Description of problem:
When the 'php-opcache' package is installed, php-fpm causes SELinux AVC denials.

Version-Release number of selected component (if applicable):
php-fpm-7.2.11-1.module+el8+2561+1aca3413

How reproducible:
Always

Steps to Reproduce:
1. yum install php php-fpm php-opcache
2. service php-fpm restart
3. ausearch -m AVC

Actual results:
----
time->Tue Jan 29 08:16:41 2019
type=PROCTITLE msg=audit(1548767801.906:957): proctitle=2F7573722F7362696E2F7068702D66706D002D2D6E6F6461656D6F6E697A65
type=SYSCALL msg=audit(1548767801.906:957): arch=c000003e syscall=9 success=no exit=-13 a0=55cc52600000 a1=200000 a2=7 a3=40032 items=0 ppid=1 pid=10585 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="php-fpm" exe="/usr/sbin/php-fpm" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1548767801.906:957): avc:  denied  { execmem } for  pid=10585 comm="php-fpm" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=0
----
time->Tue Jan 29 08:16:41 2019
type=PROCTITLE msg=audit(1548767801.906:958): proctitle=2F7573722F7362696E2F7068702D66706D002D2D6E6F6461656D6F6E697A65
type=SYSCALL msg=audit(1548767801.906:958): arch=c000003e syscall=9 success=no exit=-13 a0=55cc52600000 a1=200000 a2=7 a3=32 items=0 ppid=1 pid=10585 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="php-fpm" exe="/usr/sbin/php-fpm" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1548767801.906:958): avc:  denied  { execmem } for  pid=10585 comm="php-fpm" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=0


type=AVC msg=audit(1545048868.378:1504): avc:  denied  { execmem } for  pid=17365 comm="php-fpm" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=0

Expected results:
no AVC.


Additional info:
No AVC if php-opcache is not installed.

Comment 1 Milos Malik 2019-01-29 15:37:42 UTC
The execmem permission for the httpd_t domain will not be allowed by default, because it's dangerous from the SELinux point of view:

 * https://danwalsh.livejournal.com/73611.html
 * https://akkadia.org/drepper/selinux-mem.html

----
type=PROCTITLE msg=audit(01/29/2019 10:27:11.504:308) : proctitle=/usr/sbin/php-fpm --nodaemonize 
type=SYSCALL msg=audit(01/29/2019 10:27:11.504:308) : arch=x86_64 syscall=mmap success=no exit=EACCES(Permission denied) a0=0x55b45f400000 a1=0x200000 a2=PROT_READ|PROT_WRITE|PROT_EXEC a3=MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS|MAP_HUGETLB items=0 ppid=1 pid=6342 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=php-fpm exe=/usr/sbin/php-fpm subj=system_u:system_r:httpd_t:s0 key=(null) 
type=AVC msg=audit(01/29/2019 10:27:11.504:308) : avc:  denied  { execmem } for  pid=6342 comm=php-fpm scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=0 
----

If your use-case really needs such a permission, you have to enable the httpd_execmem boolean:

# setsebool -P httpd_execmem on

Comment 2 Remi Collet 2019-06-28 12:24:38 UTC
Need to test with opcache.huge_code_pages=0

Comment 3 Remi Collet 2019-06-28 12:41:32 UTC
Two possible fixes:

1/ runtime

- change the default provided configuration to opcache.huge_code_pages=0

(which may allow the user to enable it...)

2/ build time

- add the --disable-huge-code-pages build option
- clean the configuration file

In both cases, a configuration change is needed.
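The denial in Comment 1 and the runtime fix in Comment 3 can be tied together in a small triage script. The following is an added example and not code from the bug report or from the php package: it decodes the mmap arguments of the denied syscall (a2 = prot, a3 = flags, the same x86_64 bit values ausearch -i printed above), confirms that php-fpm really asked for a writable-and-executable mapping, and then forces opcache.huge_code_pages=0 in an ini file. The two audit records are constructed from the ones quoted in the report, and the ini file it rewrites at the end is a scratch copy, not the real /etc/php.d/10-opcache.ini.

```shell
#!/bin/sh
# Added example, not code from the bug report: triage an execmem AVC from
# php-fpm and apply the opcache.huge_code_pages=0 workaround to an ini file.
# The audit records below are constructed from the denial quoted in the
# report; the ini file written at the end is a scratch copy, not
# /etc/php.d/10-opcache.ini itself.

SAMPLE_SYSCALL='type=SYSCALL msg=audit(1548767801.906:957): arch=c000003e syscall=9 success=no exit=-13 a0=55cc52600000 a1=200000 a2=7 a3=40032 items=0 ppid=1 pid=10585 comm="php-fpm" exe="/usr/sbin/php-fpm" subj=system_u:system_r:httpd_t:s0 key=(null)'
SAMPLE_AVC='type=AVC msg=audit(1548767801.906:957): avc:  denied  { execmem } for  pid=10585 comm="php-fpm" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=0'

# 0 when an AVC record is an execmem denial for php-fpm running as httpd_t
# (matches both raw ausearch output and ausearch -i output).
is_php_fpm_execmem_denial() {
    case "$1" in
        *'denied  { execmem }'*comm=*php-fpm*scontext=system_u:system_r:httpd_t:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the value of NAME=value from an audit record, e.g. field a2 "$rec".
field() {
    printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1=\([^[:space:]]*\).*/\1/p"
}

# Decode the hex mmap prot argument (a2) on x86_64.
decode_prot() {
    v=$((0x$1)) out=''
    [ $((v & 1)) -ne 0 ] && out="${out}PROT_READ|"
    [ $((v & 2)) -ne 0 ] && out="${out}PROT_WRITE|"
    [ $((v & 4)) -ne 0 ] && out="${out}PROT_EXEC|"
    printf '%s\n' "${out%|}"
}

# Decode the hex mmap flags argument (a3) on x86_64; only the bits seen here.
decode_flags() {
    v=$((0x$1)) out=''
    [ $((v & 0x02)) -ne 0 ] && out="${out}MAP_PRIVATE|"
    [ $((v & 0x10)) -ne 0 ] && out="${out}MAP_FIXED|"
    [ $((v & 0x20)) -ne 0 ] && out="${out}MAP_ANONYMOUS|"
    [ $((v & 0x40000)) -ne 0 ] && out="${out}MAP_HUGETLB|"
    printf '%s\n' "${out%|}"
}

# 0 when the denied mmap asked for a writable+executable mapping, i.e. the
# caller genuinely wanted execmem rather than tripping some unrelated rule.
requests_wx_mapping() {
    case "$(decode_prot "$(field a2 "$1")")" in
        *PROT_WRITE*PROT_EXEC*) return 0 ;;
        *) return 1 ;;
    esac
}

# Force opcache.huge_code_pages=0 in FILE, replacing an existing (possibly
# commented-out) setting or appending one; running it twice changes nothing.
disable_huge_code_pages() {
    f="$1"
    if grep -q '^[;[:space:]]*opcache\.huge_code_pages[[:space:]]*=' "$f"; then
        sed 's/^[;[:space:]]*opcache\.huge_code_pages[[:space:]]*=.*/opcache.huge_code_pages=0/' "$f" > "$f.tmp" \
            && mv "$f.tmp" "$f"
    else
        printf 'opcache.huge_code_pages=0\n' >> "$f"
    fi
}

# Demo: decode the denied call, then apply the workaround to a scratch ini.
printf 'prot=%s flags=%s\n' \
    "$(decode_prot "$(field a2 "$SAMPLE_SYSCALL")")" \
    "$(decode_flags "$(field a3 "$SAMPLE_SYSCALL")")"
if is_php_fpm_execmem_denial "$SAMPLE_AVC" && requests_wx_mapping "$SAMPLE_SYSCALL"; then
    scratch=$(mktemp)
    # constructed stand-in for the shipped 10-opcache.ini, huge pages on
    printf '; constructed scratch copy, not the real 10-opcache.ini\nopcache.huge_code_pages=1\n' > "$scratch"
    disable_huge_code_pages "$scratch"
    cat "$scratch"
    rm -f "$scratch"
fi
```

On a real host, feed it the records from `ausearch -m AVC -c php-fpm`, point disable_huge_code_pages at /etc/php.d/10-opcache.ini and restart php-fpm. Decoding the flags is what makes the choice between the two remedies clear: the first denied call carries MAP_HUGETLB, the second (a3=32 in the report) is the fallback without it, and both want PROT_WRITE|PROT_EXEC. Turning off opcache.huge_code_pages removes the request; `setsebool -P httpd_execmem on` would instead grant every httpd_t process the right to create writable code, which is exactly what Comment 1 warns against.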