Bug 836503

Summary: RFE: add policy for php-fpm and alternative webservers
Product: [Fedora] Fedora
Reporter: Jan Vcelak <jvcelak>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED DUPLICATE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 17
CC: dominick.grift, dwalsh, mgrepl, tsmetana
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Type: Bug
Last Closed: 2012-06-29 10:02:17 UTC

Description Jan Vcelak 2012-06-29 09:58:28 UTC
Description of problem:

When PHP sites are served by an alternative web server (nginx, lighttpd, cherokee, etc.) with php-fpm (PHP FastCGI Process Manager), SELinux does not provide as much security as with the Apache web server.

Nginx has become very popular recently [1]; it is a pity we do not have a policy for it. And the only way to restrict PHP is to run it through mod_php in Apache as a backend for an nginx proxy. (Which sucks.)

[1] http://news.netcraft.com/archives/2012/06/06/june-2012-web-server-survey.html


Version-Release number of selected component (if applicable):
any

How reproducible:


Steps to Reproduce:
1. install nginx and php-fpm, change php-fpm user from apache to nginx
2. systemctl start php-fpm.service nginx.service
3. ps axZ | grep -E '(nginx|php)'

Actual results:

system_u:system_r:initrc_t:s0    5334 ?        Ss     0:00 php-fpm: master process (/etc/php-fpm.conf)
system_u:system_r:initrc_t:s0    5335 ?        S      0:00 php-fpm: pool www
system_u:system_r:initrc_t:s0    5336 ?        S      0:00 php-fpm: pool www
system_u:system_r:initrc_t:s0    5337 ?        S      0:00 php-fpm: pool www
system_u:system_r:initrc_t:s0    5338 ?        S      0:00 php-fpm: pool www
system_u:system_r:initrc_t:s0    5339 ?        S      0:00 php-fpm: pool www
system_u:system_r:initrc_t:s0    5513 ?        Ss     0:00 nginx: master process /usr/sbin/nginx
system_u:system_r:initrc_t:s0    5514 ?        S      0:00 nginx: worker process


Expected results:
nginx and php-fpm running in some more confined domain


Additional info:

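The "Actual results" above show both daemons in initrc_t, the catch-all domain systemd leaves a service in when no policy transitions it anywhere else. The following is an added example (not part of the bug report) of a quick audit for exactly that situation: it reads `ps axZ` output, splits each context into user:role:type:level, and lists every process whose type is a generic, effectively unconfined one. The sample input is a constructed copy of the report's output with one confined process (sshd in sshd_t) added as a control; unconfined_service_t is included as an assumption about newer Fedora releases, not something the report mentions.

```shell
#!/bin/sh
# Added example; not part of the bug report.  Reads `ps axZ` style output
# and reports daemons running in a catch-all SELinux domain, which is what
# the bug's "Actual results" show for nginx and php-fpm (initrc_t).
set -eu

# Domain types that mean "no service-specific policy applied".  initrc_t is
# the one on this page; unconfined_service_t is the equivalent on newer
# Fedora releases (assumption, not from the report).
UNCONFINED_TYPES='initrc_t unconfined_service_t'

# Print "<pid> <type> <command>" for each process whose context type is in
# UNCONFINED_TYPES.  Reads lines of `ps axZ` / `ps -eZ` from stdin.
unconfined_daemons() {
    awk -v types="$UNCONFINED_TYPES" '
        BEGIN { n = split(types, t, " "); for (i = 1; i <= n; i++) bad[t[i]] = 1 }
        $1 == "LABEL" { next }                  # column header line
        {
            split($1, ctx, ":")                 # user:role:type:level
            if (ctx[3] in bad) {
                cmd = $6
                for (i = 7; i <= NF; i++) cmd = cmd " " $i
                print $2, ctx[3], cmd
            }
        }'
}

# Constructed sample: the report's output trimmed to four lines, plus one
# confined process (sshd in sshd_t) that the check must leave out.
SAMPLE_PS='LABEL                             PID TTY      STAT   TIME COMMAND
system_u:system_r:sshd_t:s0-s0:c0.c1023   812 ?        Ss     0:00 /usr/sbin/sshd -D
system_u:system_r:initrc_t:s0    5334 ?        Ss     0:00 php-fpm: master process (/etc/php-fpm.conf)
system_u:system_r:initrc_t:s0    5335 ?        S      0:00 php-fpm: pool www
system_u:system_r:initrc_t:s0    5513 ?        Ss     0:00 nginx: master process /usr/sbin/nginx
system_u:system_r:initrc_t:s0    5514 ?        S      0:00 nginx: worker process'

# Number of flagged processes in the sample (4: two php-fpm, two nginx).
count_unconfined() {
    printf '%s\n' "$SAMPLE_PS" | unconfined_daemons | wc -l | tr -d ' '
}

# Stand-alone use: `--live` audits the running system, otherwise the sample.
if [ "${1:-}" = "--live" ]; then
    ps axZ | unconfined_daemons
else
    printf '%s\n' "$SAMPLE_PS" | unconfined_daemons
fi
```

Run it with `--live` on a host to get the same list for real processes; anything it prints is a daemon the policy is not actually confining, and the entries for nginx and php-fpm are the ones this report is about.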
Comment 1 Jan Vcelak 2012-06-29 10:02:17 UTC
Submitted twice by mistake (due to bugzilla proxy error).

*** This bug has been marked as a duplicate of bug 836502 ***

Comment 2 Dominick Grift 2012-06-29 10:19:24 UTC
I suggested a while ago that we run nginx in httpd_t, just like lighttpd, apache, and cherokee.

However, the SELinux policy upstream maintainer rejected it:

http://oss.tresys.com/pipermail/refpolicy/2011-March/004135.html

I still believe this is the way to go.

You can apply these changes manually by using semanage fcontext to tell SELinux how the various nginx locations should be labeled, and apply these specs with restorecon -R -v ...

Comment 3 Dominick Grift 2012-06-29 10:38:28 UTC
There is also a policy submitted upstream for php-fpm here:

http://oss.tresys.com/pipermail/refpolicy/2012-June/005176.html

I personally have my reservations about this policy; however, I do not have enough information and knowledge of php-fpm to make a good and solid argument against it.

My suggestion is to also run php-fpm in httpd_t, since I *suspect* that php-fpm needs much of the same access that web servers do.

I might be wrong.
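What comments 2 and 3 describe, as an added example that is neither part of the bug nor Dominick Grift's own commands: the way Apache ends up in httpd_t is that systemd executes a binary labeled httpd_exec_t and the policy's domain transition puts the new process in httpd_t, so labeling the nginx binary (and, per comment 3's suggestion, the php-fpm binary) the same way reuses the existing httpd policy without writing a new one. The script below records the file-context specs with `semanage fcontext`, relabels with `restorecon -R -v`, restarts the services so the transition happens at exec, and re-runs the `ps axZ` check from the report. Only /usr/sbin/nginx and /etc/php-fpm.conf appear on this page; every other path is an assumption about the usual Fedora layout and should be checked against `rpm -ql nginx php-fpm` before applying.

```shell
#!/bin/sh
# Added example, not from the bug report or from Dominick Grift: label nginx
# (and, following comment 3's suggestion, php-fpm) so that systemd starts
# them in httpd_t instead of initrc_t.  A binary labeled httpd_exec_t
# transitions into httpd_t on exec, so the existing httpd policy applies.
# Paths other than /usr/sbin/nginx and /etc/php-fpm.conf are assumptions
# about a typical Fedora layout; verify them with `rpm -ql` first.
set -eu

# Spec list: "<selinux type> <path regex>", one per line, using the file
# types the httpd policy already defines for Apache's own locations.
fcontext_specs() {
    cat <<'EOF'
httpd_exec_t /usr/sbin/nginx
httpd_config_t /etc/nginx(/.*)?
httpd_log_t /var/log/nginx(/.*)?
httpd_var_lib_t /var/lib/nginx(/.*)?
httpd_var_run_t /run/nginx\.pid
httpd_exec_t /usr/sbin/php-fpm
httpd_config_t /etc/php-fpm\.conf
httpd_config_t /etc/php-fpm\.d(/.*)?
httpd_log_t /var/log/php-fpm(/.*)?
httpd_var_run_t /run/php-fpm(/.*)?
EOF
}

# Turn the specs into the semanage commands that record them in the local
# file-context database (persistent across relabels, unlike chcon).
render_semanage() {
    fcontext_specs | while read -r type regex; do
        printf "semanage fcontext -a -t %s '%s'\n" "$type" "$regex"
    done
}

# Paths to relabel afterwards: the literal prefix of every regex, with the
# "(/.*)?" tail and regex escapes stripped.
relabel_roots() {
    fcontext_specs | awk '{ sub(/\(.*$/, "", $2); gsub(/\\/, "", $2); print $2 }' | sort -u
}

# Apply: record the specs, relabel what exists, restart so the daemons are
# re-executed (the domain transition happens at exec time), then confirm
# with the same ps command the report used.
apply_labels() {
    render_semanage | sh
    relabel_roots | while read -r p; do
        if [ -e "$p" ]; then restorecon -R -v "$p"; fi
    done
    systemctl restart php-fpm.service nginx.service
    ps axZ | grep -E '(nginx|php-fpm)'    # expect httpd_t now, not initrc_t
}

# Stand-alone use: `--apply` changes the system (root), otherwise a dry run
# that only prints the semanage commands it would run.
if [ "${1:-}" = "--apply" ]; then
    apply_labels
else
    render_semanage
fi
```

Two things to expect when using this for real: `semanage fcontext -a` refuses a spec that already exists in the local database (use `-m` to modify, or check with `semanage fcontext -l | grep nginx` first), and once nginx is in httpd_t the same rules that bind Apache bind it too, so the document root must carry httpd_sys_content_t and any access the policy does not grant (for instance to the FastCGI socket or port used between nginx and php-fpm) will show up as denials in the audit log rather than silently working as it did in initrc_t.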