Bug 927371
| Summary: | SELinux is preventing /usr/sbin/php-fpm from 'create' accesses on the directory cache. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Mikhail <mikhail.v.gavrilov> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 20 | CC: | dominick.grift, dwalsh, mgrepl |
| Target Milestone: | --- | Keywords: | Reopened |
| Target Release: | --- | ||
| Hardware: | i686 | ||
| OS: | Unspecified | ||
| Whiteboard: | abrt_hash:83bb3d006793f056e4afff66fe45ca36dc99902be33b90bab0be23402502449a | ||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2014-01-08 13:13:16 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
You will need to either turn on the boolean or change labeling. What this boolean allow? setsebool -P httpd_unified 1 sesearch -ASCT | grep httpd_unified To see all the conditional allow and type transition rules for "httpd_unified" Probably best to use httpd_user_content_rw_t for cache content. httpd_user_content_ra_t is meant to be used for log files. From
# man httpd_selinux
If you want to unify HTTPD handling of all content files, you must turn on the httpd_uni‐
fied boolean. Disabled by default.
setsebool -P httpd_unified 1
I thought setsebool -P httpd_enable_homedirs 1 was enough to access all content in homedir. No that just allows it to get to the content, otherwise it is blocked from even reaching it. httpd_read_user_content Will allow it to read all user content, but we have no boolean that would allow apache to write user content. *** Bug 1033835 has been marked as a duplicate of this bug. *** Can you also add boolean which allow apache to write user content? Why would you want to allow an apache web server to write anywhere in a users homdir? Seems rather dangerous to me. I think it is typical situation for shared hosting and much better than allowing write anywhere in system. Wouldn't the shared hosting be put under a particular users homedir? For example ~/public_html If I rename my ~/www folder into ~/public_html would be all ok? From an SELinux point of view they get labeled the same. matchpathcon ~/public_html ~/www /home/dwalsh/public_html staff_u:object_r:httpd_user_content_t:s0 /home/dwalsh/www staff_u:object_r:httpd_user_content_t:s0 restorecon -R -v ~/www ~/public_html Should make sure the labels are correct. [mikhail@localhost ~]$ matchpathcon ~/public_html ~/www
/home/mikhail/public_html unconfined_u:object_r:httpd_user_content_t:s0
/home/mikhail/www unconfined_u:object_r:httpd_user_content_t:s0
[mikhail@localhost ~]$ restorecon -R -v ~/www ~/public_html
But I still have SELinux alert SELinux is preventing /usr/sbin/php-fpm from 'create' accesses on the directory m_gavrilov.
Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:object_r:httpd_user_ra_content_t:s0
Target Objects m_gavrilov [ dir ]
Source php-fpm
Source Path /usr/sbin/php-fpm
Port <Unknown>
Host (removed)
Source RPM Packages php-fpm-5.5.6-1.fc20.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.12.1-90.fc20.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name (removed)
Platform Linux (removed) 3.12.0-2.fc21.x86_64+debug #1 SMP
Sat Nov 9 21:12:03 UTC 2013 x86_64 x86_64
Alert Count 74
First Seen 2013-11-25 04:59:48 YEKT
Last Seen 2013-11-26 02:50:56 YEKT
Local ID 6cd0c7e9-f9dd-473c-bd28-0591df5bc168
Only # setsebool -P httpd_unified 1 helps, but I don't want get access for php-fpm and nginx to whole system. Where is the cache directory located? If you change its label to httpd_sys_rw_content_t your problem will be solved without turning on httpd_unified. httpd_unified only allows apache (httpd_t) full access to all httpd_* types, not the entire system. It is better to only change the label on the directory you need to write to. > Where is the cache directory located?
~/www/crm/logs
SELinux catch when php-fpm try create folder there. Of course I am understand much better turning SELinux to allow access to ~/www/crm/logs, but I do not want to romp because I think it would be safe enough if SELinux will keep full access for httpd inside ~/www how do it much simple? Setup setsebool -P httpd_unified 1?
setsebool -P httpd_unified 1 Would allow httpd full access to ~/www but not anywhere else on your homedir. If you setup labeling for ~/www/crm/logs, it should be enough. |
Description of problem: SELinux is preventing /usr/sbin/php-fpm from 'create' accesses on the directory cache. ***** Plugin catchall_boolean (89.3 confidence) suggests ******************* If you want to unify HTTPD handling of all content files. Then you must tell SELinux about this by enabling the 'httpd_unified' boolean. You can read 'httpd_selinux' man page for more details. Do setsebool -P httpd_unified 1 ***** Plugin catchall (11.6 confidence) suggests *************************** If you believe that php-fpm should be allowed create access on the cache directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep php-fpm /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context system_u:system_r:httpd_t:s0 Target Context system_u:object_r:httpd_user_ra_content_t:s0 Target Objects cache [ dir ] Source php-fpm Source Path /usr/sbin/php-fpm Port <Unknown> Host (removed) Source RPM Packages php-fpm-5.4.13-1.fc18.i686 Target RPM Packages Policy RPM selinux-policy-3.11.1-87.fc18.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 3.8.4-202.fc18.i686.PAE #1 SMP Thu Mar 21 17:14:12 UTC 2013 i686 i686 Alert Count 1 First Seen 2013-03-26 01:21:28 YEKT Last Seen 2013-03-26 01:21:28 YEKT Local ID 6b1fd896-65f3-4801-8a18-fc039d0ca373 Raw Audit Messages type=AVC msg=audit(1364239288.379:530): avc: denied { create } for pid=3666 comm="php-fpm" name="cache" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_user_ra_content_t:s0 tclass=dir type=SYSCALL msg=audit(1364239288.379:530): arch=i386 syscall=mkdir success=no exit=EACCES a0=bf950bdc a1=1ff a2=b7842f28 a3=bf950bdc items=0 ppid=1023 pid=3666 auid=4294967295 uid=991 gid=989 euid=991 suid=991 fsuid=991 egid=989 sgid=989 fsgid=989 ses=4294967295 tty=(none) comm=php-fpm exe=/usr/sbin/php-fpm subj=system_u:system_r:httpd_t:s0 key=(null) Hash: php-fpm,httpd_t,httpd_user_ra_content_t,dir,create audit2allow #============= httpd_t ============== #!!!! This avc can be allowed using the boolean 'httpd_unified' allow httpd_t httpd_user_ra_content_t:dir create; audit2allow -R require { type httpd_t; type httpd_user_ra_content_t; class dir create; } #============= httpd_t ============== #!!!! This avc can be allowed using the boolean 'httpd_unified' allow httpd_t httpd_user_ra_content_t:dir create; Additional info: hashmarkername: setroubleshoot kernel: 3.8.4-202.fc18.i686.PAE type: libreport