Bug 2258637

Summary: [selinux] systemd cannot flush the privatetmp cache used by php-fpm
Product: [Fedora] Fedora Reporter: felix.bouynot
Component: selinux-policyAssignee: Zdenek Pytela <zpytela>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 39CC: dwalsh, lvrabec, mmalik, nknazeko, omosnacek, pkoncity, vmojzis, zpytela
Target Milestone: ---Keywords: SELinux
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-39.4-1.fc39 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2024-01-30 04:22:13 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description felix.bouynot 2024-01-16 16:56:27 UTC 
The default php-fpm service is using PrivateTmp (maybe it would do the same without it): 

```
# It's not recommended to modify this file in-place, because it
# will be overwritten during upgrades.  If you want to customize,
# the best way is to use the "systemctl edit" command.

[Unit]
Description=The PHP FastCGI Process Manager
After=syslog.target network.target

[Service]
Type=notify
ExecStart=/usr/sbin/php-fpm --nodaemonize
ExecReload=/bin/kill -USR2 $MAINPID
PrivateTmp=true
RuntimeDirectory=php-fpm
RuntimeDirectoryMode=0755

[Install]
WantedBy=multi-user.target
```






The default tmp folder for php-fpm have the `httpd_tmp_t` type:

```
# nsenter -t 2795763 -m ls -lahZ /tmp
*total 0
drwxrwxrwt. 3 root     root     system_u:object_r:tmp_t:s0        60 Jan 16 16:33 .
dr-xr-xr-x. 1 root     root     system_u:object_r:root_t:s0      138 Sep 13 04:36 ..
drwxr-xr-x. 2 librenms librenms system_u:object_r:httpd_tmp_t:s0  60 Jan 16 16:25 HTML
```
```
# nsenter -t 2795763 -m ls -lahZ /tmp/HTML
total 96K
drwxr-xr-x. 2 librenms librenms system_u:object_r:httpd_tmp_t:s0  60 Jan 16 16:25 .
drwxrwxrwt. 3 root     root     system_u:object_r:tmp_t:s0        60 Jan 16 16:33 ..
-rw-r--r--. 1 librenms librenms system_u:object_r:httpd_tmp_t:s0 94K Jan 16 16:25 4.15.0,f474c0a322b208e83d22d3aef33ecb184bc71d31,1.ser
```






When I'm trying to restart php-fpm with `systemctl restart php-fpm.service`, I'll get this error:
```
# audit2allow -a
#============= init_t ==============

allow init_t httpd_tmp_t:dir { remove_name rmdir }
```






Note that in the default namespace there is no folder using this type: `find / -xdev -type d -context '*httpd_tmp_t*' -printf '%-50Z%p\n'` prints no result.

Reproducible: Always

Steps to Reproduce:
1. dnf install -y php-fpm php-opcache
2. systemctl enable --now php-fpm
3. use php to write in its tmp folder
4. systemctl restart php-fpm
5. audit2allow -a
Actual Results:  
# audit2allow -a
#============= init_t ==============

allow init_t httpd_tmp_t:dir { remove_name rmdir }
#

Expected Results:  
# audit2allow -a
#
Comment 1 Zdenek Pytela 2024-01-16 17:29:43 UTC 
Hello,

Can you please share unfiltered AVC denials?

Can you use a local module to see if the following rule is sufficient?


f39# cat local_phpfpm_privatetmp.cil 
(typeattributeset systemd_private_tmp_type httpd_tmp_t)
f39# semodule -i local_phpfpm_privatetmp.cil
<reproduce>
f39# semodule -r local_phpfpm_privatetmp
Comment 2 felix.bouynot 2024-01-17 10:34:16 UTC 
Hi,

Here are the AVC, is this enough for you or do you need another output?
```
# grep httpd_tmp_t /var/log/audit/audit.log
type=AVC msg=audit(1705416946.390:978789): avc:  denied  { remove_name } for  pid=2719019 comm="(sd-rmrf)" name="4.15.0,f474c0a322b208e83d22d3aef33ecb184bc71d31,1.ser" dev="tmpfs" ino=621 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1705416946.390:978790): avc:  denied  { rmdir } for  pid=2719019 comm="(sd-rmrf)" name="HTML" dev="tmpfs" ino=620 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=dir permissive=0
```






I can reproduce the same issue on my laptop, so here are the tests with your module, it looks like your module is enough: 
```
$ systemctl show --property=MainPID --value php-fpm.service
7484
$ sudo nsenter -t 7484 -m mkdir -p /tmp/HTML/test
$ sudo nsenter -t 7484 -m chcon system_u:object_r:httpd_tmp_t:s0 /tmp/HTML
$ sudo nsenter -t 7484 -m ls -lahZ /tmp
total 0
drwxrwxrwt. 3 root root system_u:object_r:tmp_t:s0        60 17 janv. 11:20 .
dr-xr-xr-x. 1 root root system_u:object_r:root_t:s0      192 24 nov.  14:41 ..
drwxr-xr-x. 3 root root system_u:object_r:httpd_tmp_t:s0  60 17 janv. 11:20 HTML
$ sudo systemctl restart php-fpm
$ sudo grep httpd_tmp_t /var/log/audit/audit.log
type=AVC msg=audit(1705486932.024:438): avc:  denied  { remove_name } for  pid=8044 comm="(sd-rmrf)" name="test" dev="tmpfs" ino=169 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1705486932.024:439): avc:  denied  { rmdir } for  pid=8044 comm="(sd-rmrf)" name="HTML" dev="tmpfs" ino=168 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=dir permissive=0
$ sudo audit2allow -a


#============= init_t ==============
allow init_t httpd_tmp_t:dir { remove_name rmdir };
$ sudo semodule -i local_phpfpm_privatetmp.cil
$ sudo nsenter -t 7484 -m ls -lahZ /tmp
nsenter: cannot open /proc/7484/ns/mnt: Aucun fichier ou dossier de ce type
$ systemctl show --property=MainPID --value php-fpm.service
8046
$ sudo nsenter -t 8046 -m ls -lahZ /tmp
total 0
drwxrwxrwt. 2 root root system_u:object_r:tmp_t:s0   40 17 janv. 11:22 .
dr-xr-xr-x. 1 root root system_u:object_r:root_t:s0 192 24 nov.  14:41 ..
$ sudo nsenter -t 8046 -m mkdir -p /tmp/HTML/test
$ sudo nsenter -t 8046 -m chcon system_u:object_r:httpd_tmp_t:s0 /tmp/HTML
$ sudo systemctl restart php-fpm
$ sudo grep httpd_tmp_t /var/log/audit/audit.log
type=AVC msg=audit(1705486932.024:438): avc:  denied  { remove_name } for  pid=8044 comm="(sd-rmrf)" name="test" dev="tmpfs" ino=169 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1705486932.024:439): avc:  denied  { rmdir } for  pid=8044 comm="(sd-rmrf)" name="HTML" dev="tmpfs" ino=168 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=dir permissive=0
```

Also even if systemd cannot delete the directory, it looks like the namespace is properly deleted (before your module installation).
Comment 3 felix.bouynot 2024-01-17 10:57:13 UTC 
Also, the real use case is a LibreNMS installation.
Comment 4 Zdenek Pytela 2024-01-17 11:29:48 UTC 
No further data needed at the moment. Can you remove your module from policy and use the one I provided instead?
Comment 5 felix.bouynot 2024-01-17 12:21:26 UTC 
Yes that's what I did on my laptop to reproduce the bug and see there was no more avc after I installed your policy.
Comment 6 Zdenek Pytela 2024-01-18 19:56:24 UTC 
Thank you for your cooperation.
Comment 7 Fedora Update System 2024-01-26 23:20:05 UTC 
FEDORA-2024-334b3be641 has been submitted as an update to Fedora 39. https://bodhi.fedoraproject.org/updates/FEDORA-2024-334b3be641
Comment 8 Fedora Update System 2024-01-27 02:35:19 UTC 
FEDORA-2024-334b3be641 has been pushed to the Fedora 39 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-334b3be641`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-334b3be641

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Comment 9 Fedora Update System 2024-01-30 04:22:13 UTC 
FEDORA-2024-334b3be641 has been pushed to the Fedora 39 stable repository.
If problem still persists, please make note of it in this bug report.