Bug 1875138

Summary: php-fpm can't write into redis' socket (Fedora)
Product: [Fedora] Fedora Reporter: Felix Schwarz <fschwarz>
Component: selinux-policyAssignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: medium    
Version: 32CC: dwalsh, grepl.miroslav, lvrabec, mmalik, plautrba, vmojzis, zpytela
Target Milestone: ---Keywords: Reopened, Triaged
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: selinux-policy-3.14.5-44.fc32 selinux-policy-3.14.5-45.fc32 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-11-25 01:42:29 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Felix Schwarz 2020-09-02 22:17:41 UTC 
This is basically the same as bug 1178210 but for Fedora:

# sesearch -A -s httpd_t -t redis_var_run_t -c sock_file -p write
(no output)

type=AVC msg=audit(1599084877.724:25272): avc:  denied  { write } for  pid=53901 comm="php-fpm" name="redis-nc.sock" dev="tmpfs" ino=1119585 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:redis_var_run_t:s0 tclass=sock_file permissive=0
Comment 1 Zdenek Pytela 2020-09-03 13:15:41 UTC 
Porting the patch:

https://github.com/fedora-selinux/selinux-policy-contrib/pull/331

It required some polishing, but content is the same.
Comment 2 Felix Schwarz 2020-09-03 14:25:10 UTC 
Thank you :-)

Will this change also hit F32 at some point via "selinux-policy-targeted" or do I need to install an extra package for that?
Comment 3 Zdenek Pytela 2020-09-03 14:47:38 UTC 
It will be a part of the next F32 build, too.
Comment 4 Fedora Update System 2020-10-02 07:03:52 UTC 
FEDORA-2020-9896f80cf0 has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-9896f80cf0
Comment 5 Fedora Update System 2020-10-03 02:09:09 UTC 
FEDORA-2020-9896f80cf0 has been pushed to the Fedora 32 testing repository.
In short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-9896f80cf0`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-9896f80cf0

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Comment 6 Felix Schwarz 2020-10-04 15:36:10 UTC 
somehow the update does not fix the problem for me:

# rpm -q selinux-policy-targeted
selinux-policy-targeted-3.14.5-44.fc32.noarch

type=AVC msg=audit(1601824904.270:201): avc:  denied  { write } for  pid=1125 comm="php-fpm" name="redis-nc.sock" dev="tmpfs" ino=23973 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:redis_var_run_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1601824904.270:202): avc:  denied  { connectto } for  pid=1125 comm="php-fpm" path="/run/redis-nc/redis-nc.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:redis_t:s0 tclass=unix_stream_socket permissive=1

I don't know enough about all the macros used in the selinux policy definitions but is there a way for me to debug this further?
Comment 7 Fedora Update System 2020-10-05 17:32:45 UTC 
FEDORA-2020-9896f80cf0 has been pushed to the Fedora 32 stable repository.
If problem still persists, please make note of it in this bug report.
Comment 8 Felix Schwarz 2020-10-06 08:17:54 UTC 
as I mentioned in comment #6 the update does not fix the problem for me. Any pointers in how to debug this further?
Comment 9 Zdenek Pytela 2020-10-07 09:12:16 UTC 
Hi,

I managed to find a glitch in the original 2015 commit - not sure if something changed since then or if it was a typo even that time: redis_t vs redisd_t. The other permission is then a result of not accepting the whole macro.

Thank you for pointing to the problem; I don't think there is another way how to debug but verifying using sesearch like

# sesearch -A -s httpd_t -t redis_t -c unix_stream_socket -p connectto
allow daemon daemon:unix_stream_socket connectto; [ daemons_enable_cluster_mode ]:True
# sesearch -A -s httpd_t -t redis_var_run_t -c sock_file -p write
<>

https://github.com/fedora-selinux/selinux-policy-contrib/pull/338
Comment 10 Felix Schwarz 2020-10-07 09:18:54 UTC 
ah good catch - I should have spotted that myself. Thank you very much for your quick response - your SElinux work (+ fellow Red Hatters) really makes SElinux usable in Fedora.
Comment 11 Fedora Update System 2020-11-09 18:46:13 UTC 
FEDORA-2020-77b49aa207 has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-77b49aa207
Comment 12 Fedora Update System 2020-11-10 02:20:40 UTC 
FEDORA-2020-77b49aa207 has been pushed to the Fedora 32 testing repository.
In short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-77b49aa207`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-77b49aa207

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Comment 13 Felix Schwarz 2020-11-10 22:35:12 UTC 
I can confirm that the latest update fixes the problem for me. Thank you very much.
Comment 14 Fedora Update System 2020-11-25 01:42:29 UTC 
FEDORA-2020-77b49aa207 has been pushed to the Fedora 32 stable repository.
If problem still persists, please make note of it in this bug report.