Bug 887710

Summary: SELinux is preventing /usr/sbin/php-fpm from 'name_connect' accesses on the tcp_socket .
Product: [Fedora] Fedora Reporter: Mikhail <mikhail.v.gavrilov>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED NOTABUG QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 18CC: dominick.grift, dwalsh, mgrepl, mikhail.v.gavrilov
Target Milestone: ---   
Target Release: ---   
Hardware: i686   
OS: Unspecified   
Whiteboard: abrt_hash:6b40485f5678dad81fa4426591ab7752a0aba8f26c1099a1dd4e4a1638a6c201
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-12-17 11:11:22 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
www.conf none

Description Mikhail 2012-12-17 04:15:16 UTC 
Description of problem:
Just open page below in google-chrome!!


http://example.com/test.php
SELinux is preventing /usr/sbin/php-fpm from 'name_connect' accesses on the tcp_socket .

*****  Plugin connect_ports (99.5 confidence) suggests  **********************

If you want to allow /usr/sbin/php-fpm to connect to network port 7020
Then you need to modify the port type.
Do
# semanage port -a -t PORT_TYPE -p tcp 7020
    where PORT_TYPE is one of the following: dns_port_t, ocsp_port_t, kerberos_port_t, http_port_t, ocsp_port_t, kerberos_port_t.

*****  Plugin catchall (1.49 confidence) suggests  ***************************

If you believe that php-fpm should be allowed name_connect access on the  tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep php-fpm /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                system_u:object_r:unreserved_port_t:s0
Target Objects                 [ tcp_socket ]
Source                        php-fpm
Source Path                   /usr/sbin/php-fpm
Port                          7020
Host                          (removed)
Source RPM Packages           php-fpm-5.4.9-1.fc18.i686
Target RPM Packages           
Policy RPM                    selinux-policy-3.11.1-62.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.6.10-5.fc18.i686.PAE #1 SMP Fri
                              Dec 14 17:25:56 UTC 2012 i686 i686
Alert Count                   3
First Seen                    2012-12-17 10:11:58 YEKT
Last Seen                     2012-12-17 10:13:24 YEKT
Local ID                      a558b89f-95cb-4729-8831-78712ac563e1

Raw Audit Messages
type=AVC msg=audit(1355717604.189:1635): avc:  denied  { name_connect } for  pid=7357 comm="php-fpm" dest=7020 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket


type=SYSCALL msg=audit(1355717604.189:1635): arch=i386 syscall=socketcall success=no exit=EACCES a0=3 a1=bfb0d0b0 a2=83f0000 a3=6 items=0 ppid=7353 pid=7357 auid=4294967295 uid=991 gid=988 euid=991 suid=991 fsuid=991 egid=988 sgid=988 fsgid=988 tty=(none) ses=4294967295 comm=php-fpm exe=/usr/sbin/php-fpm subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: php-fpm,httpd_t,unreserved_port_t,tcp_socket,name_connect

audit2allow

#============= httpd_t ==============
#!!!! This avc can be allowed using one of the these booleans:
#     nis_enabled, httpd_can_network_connect

allow httpd_t unreserved_port_t:tcp_socket name_connect;

audit2allow -R

#============= httpd_t ==============
#!!!! This avc can be allowed using one of the these booleans:
#     nis_enabled, httpd_can_network_connect

allow httpd_t unreserved_port_t:tcp_socket name_connect;


Additional info:
hashmarkername: setroubleshoot
kernel:         3.6.10-5.fc18.i686.PAE
type:           libreport
Comment 1 Mikhail 2012-12-17 04:30:07 UTC 
I am really don't know why Web page just contained "#!/usr/bin/php" string occurs this SELinux alert.
Comment 2 Mikhail 2012-12-17 04:30:26 UTC 
Also with Firefox.
Comment 3 Miroslav Grepl 2012-12-17 08:12:37 UTC 
Are you using NIS? Does everything work?
Comment 4 Mikhail 2012-12-17 08:15:29 UTC 
Sorry, what is NIS?
Comment 5 Miroslav Grepl 2012-12-17 08:46:58 UTC 
Is tcp/7020 port defined in the php-fpm configuration?
Comment 6 Mikhail 2012-12-17 08:51:55 UTC 
Created attachment 664727 [details]
www.conf
Comment 7 Mikhail 2012-12-17 10:20:17 UTC 
Ohh very interesting situation:

1. example.com -> resolve host as 127.0.0.1
2. I have at localhost test.php with follow content:


#!/usr/bin/php
<?php
/**
 * Create or append log file in log calogue
 * @param string $fname file name log file
 * @param string $key name of key
 * @param string $value
 */
function writelog($fname, $key, $value = NULL) {
	global $program_dir;
	if(empty($_SESSION['user']['login'])) $user = $GLOBALS['clientip']; else $user = $_SESSION['user']['login'];
	if(($handler = fopen($user.'-'.$fname, "a")) !== false) {
		$datetime = strtotime("now");
		$logMsg = gmdate("r", $datetime)." ".$user." ".$key;
		if(isset($value)) $logMsg .= "=".print_r($value,true);
		$logMsg .= "\n";
		fputs($handler, $logMsg);
		fclose($handler);
	}
}


if(isset($_SERVER['HTTP_X_FORWARDED_FOR']))
	$GLOBALS['clientip'] = $_SERVER['HTTP_X_FORWARDED_FOR'];
else
	$GLOBALS['clientip'] = $_SERVER['REMOTE_ADDR'];

writelog('bbb.log','mmm',"http://ipgeobase.ru:7020/geo?ip={$GLOBALS['clientip']}");
$xmlobj = simplexml_load_file("http://ipgeobase.ru:7020/geo?ip=");

?>


And OMG, this script try access to http://ipgeobase.ru:7020

Ok, how correctly alowed this connection?
Comment 8 Miroslav Grepl 2012-12-17 11:11:22 UTC 
Good catch.

You can do either

semanage port -a -t http_port_t -p tcp 7020

or

setsebool -P httpd_can_network_connect 1