Bug 1253259 - SELinux is not allowing PHP-FPM's slowlog timeout capability
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.2
Hardware: All
OS: Linux
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Assigned To: Lukas Vrabec
QA Contact: Milos Malik
Reported: 2015-08-13 06:55 EDT by Milos Malik
Modified: 2015-12-18 10:43 EST
Doc Type: Bug Fix
Clone Of: 1223989
Last Closed: 2015-12-18 10:43:14 EST
Type: Bug
External Trackers: CentOS 8741 (http://bugs.centos.org/view.php?id=8741)

Description Milos Malik 2015-08-13 06:55:32 EDT
+++ This bug was initially created as a clone of Bug #1223989 +++

Please, review the downstream bug: http://bugs.centos.org/view.php?id=8741

If you enable:

slowlog = /var/log/php-fpm/www-slow.log
request_slowlog_timeout = 5s

in /etc/php-fpm.d/www.conf, SELinux will start complaining:

ausearch -i -sv no -ts recent | grep ptrace
type=SYSCALL msg=audit(05/21/2015 21:37:21.028:14259) : arch=x86_64 syscall=ptrace success=no exit=-1(Operation not permitted) a0=PTRACE_ATTACH a1=0x33ea a2=0x0 a3=0x0 items=0 ppid=1 pid=1385 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=php-fpm exe=/usr/sbin/php-fpm subj=system_u:system_r:httpd_t:s0 key=(null) 
type=AVC msg=audit(05/21/2015 21:37:21.028:14259) : avc: denied { sys_ptrace } for pid=1385 comm=php-fpm capability=sys_ptrace scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability

--- Additional comment from RHEL Product and Program Management on 2015-05-21 18:00:07 EDT ---

Since this bug report was entered in bugzilla, the release flag has been
set to ? to ensure that it is properly evaluated for this release.

--- Additional comment from Milos Malik on 2015-05-22 05:34:12 EDT ---

Which version of selinux-policy do you have on your machine?

--- Additional comment from Renich Bon Ciric on 2015-05-22 05:51:57 EDT ---

(In reply to Milos Malik from comment #2)
> Which version of selinux-policy do you have on your machine?

# rpm -q selinux-policy
selinux-policy-3.7.19-260.el6_6.3.noarch

--- Additional comment from Milos Malik on 2015-05-22 07:14:32 EDT ---

Hi David, what's the easiest way to configure httpd to use php-fpm?

--- Additional comment from Renich Bon Ciric on 2015-06-01 16:53:16 EDT ---

Do you need info from me or dkutalek?

--- Additional comment from Milos Malik on 2015-06-02 03:28:08 EDT ---

The latest policy (3.7.19-271.el6) contains a dontaudit rule which prevents the AVC from appearing:

# sesearch -s httpd_t -t httpd_t -c capability -p sys_ptrace --allow -C

# sesearch -s httpd_t -t httpd_t -c capability -p sys_ptrace --dontaudit -C
Found 1 semantic av rules:
DT dontaudit httpd_t httpd_t : capability sys_ptrace ; [ httpd_run_stickshift ]

#

But the rule is active only if the httpd_run_stickshift boolean is enabled.

Unfortunately, I don't see the AVC even if the boolean is disabled. When I start the php-fpm service (configuration from comment #0 was applied before) the AVC does not appear. How long do you keep the php-fpm running until you see any AVCs? Do you run a stress test on php-fpm?

--- Additional comment from Renich Bon Ciric on 2015-06-03 07:11:08 EDT ---

(In reply to Milos Malik from comment #6)
> The latest policy (3.7.19-271.el6) contains a dontaudit rule which prevents
> the AVC from appearing:
> 
> # sesearch -s httpd_t -t httpd_t -c capability -p sys_ptrace --allow -C
> 
> # sesearch -s httpd_t -t httpd_t -c capability -p sys_ptrace --dontaudit -C
> Found 1 semantic av rules:
> DT dontaudit httpd_t httpd_t : capability sys_ptrace ; [
> httpd_run_stickshift ]
> 
> #
> 
> But the rule is active only if the httpd_run_stickshift boolean is enabled.

I will enable the boolean to see if it helps.

> Unfortunately, I don't see the AVC even if the boolean is disabled. When I
> start the php-fpm service (configuration from comment#0 was applied before)
> the AVC does not appear. How long do you keep the php-fpm running until you
> see any AVCs? Do you run a stress test on php-fpm ?

As soon as I get a request, I see the AVC.
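
The script below is an added worked example; it is not code from the bug report or from the selinux-policy project. It takes the AVC record from comment #0 (embedded as a constructed string) and a constructed www.conf fragment carrying the two settings from comment #0, and shows (a) how to tell from the pool configuration that php-fpm will use ptrace at all (slowlog set and request_slowlog_timeout not 0), and (b) how to turn the denial record into the allow rule a local policy module would need, which is the same rule audit2allow derives from such a line. The names AVC, WWW_CONF, avc_field, ctx_type, avc_perms, avc_to_rule, conf_value and slowlog_active are this example's own. Two caveats follow from comment #6: the dontaudit rule found there only stops the AVC from being logged and grants nothing, so with httpd_run_stickshift enabled the ptrace still fails and the slow-request backtrace is lost silently; and allowing capability sys_ptrace to httpd_t hands a network-facing service CAP_SYS_PTRACE, the capability that lets a process attach to processes it does not own (the audit line shows the root-owned php-fpm master, pid 1385, doing the attach), so it belongs in a deliberately scoped local module rather than a blanket grant.

```sh
#!/bin/sh
# Added example (not part of the bug report or of selinux-policy).
# Parses the AVC record from comment #0 and a www.conf fragment with the
# settings from comment #0; every name here is this example's own.

# AVC line constructed from comment #0 of this bug.
AVC='type=AVC msg=audit(05/21/2015 21:37:21.028:14259) : avc: denied { sys_ptrace } for pid=1385 comm=php-fpm capability=sys_ptrace scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability'

# Constructed /etc/php-fpm.d/www.conf fragment (not the real file).
WWW_CONF='[www]
user = apache
group = apache
listen = /run/php-fpm/www.sock
slowlog = /var/log/php-fpm/www-slow.log
request_slowlog_timeout = 5s'

# avc_field RECORD KEY: print the value of " KEY=value" in an audit record.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# ctx_type CONTEXT: the type field of user:role:type:level.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_perms RECORD: the permission(s) listed inside "denied { ... }".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \([^}]*\) }.*/\1/p'
}

# avc_to_rule RECORD: the allow rule this denial is asking for, in the
# form audit2allow produces ("self" when source and target types match,
# braces when more than one permission was denied).
avc_to_rule() {
    src=$(ctx_type "$(avc_field "$1" scontext)")
    tgt=$(ctx_type "$(avc_field "$1" tcontext)")
    cls=$(avc_field "$1" tclass)
    perms=$(avc_perms "$1")
    [ "$src" = "$tgt" ] && tgt=self
    case "$perms" in
        *" "*) perms="{ $perms }" ;;
    esac
    printf 'allow %s %s:%s %s;\n' "$src" "$tgt" "$cls" "$perms"
}

# conf_value CONF KEY: value of "KEY = value" in a php-fpm pool file,
# ignoring surrounding whitespace and trailing ";" comments; the last
# occurrence wins, as in php-fpm's own ini parsing.
conf_value() {
    printf '%s\n' "$1" \
        | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" \
        | sed 's/[[:space:]]*;.*$//; s/[[:space:]]*$//' \
        | tail -n 1
}

# slowlog_active CONF: succeed when the pool will ptrace slow workers,
# i.e. slowlog is set and request_slowlog_timeout is not 0 (php-fpm's
# default, which turns the feature off).
slowlog_active() {
    log=$(conf_value "$1" slowlog)
    timeout=$(conf_value "$1" request_slowlog_timeout)
    [ -n "$log" ] || return 1
    case "$timeout" in
        ""|0|0s) return 1 ;;
    esac
    return 0
}

if slowlog_active "$WWW_CONF"; then
    echo "pool will ptrace slow workers; expect AVCs unless httpd_t may sys_ptrace"
fi
printf '%s (pid %s) needs: %s\n' \
    "$(avc_field "$AVC" comm)" "$(avc_field "$AVC" pid)" "$(avc_to_rule "$AVC")"
```

Run it on a real host by replacing the AVC string with a line from `ausearch -m avc -c php-fpm` and WWW_CONF with the pool file; if slowlog_active succeeds and the printed rule is `allow httpd_t self:capability sys_ptrace;`, the denial is the one described in this bug, and the choice is between disabling the slowlog (no ptrace needed), enabling the boolean (AVC silenced, backtrace still lost), or loading that one rule as a local module with the CAP_SYS_PTRACE exposure accepted.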
