I just upgraded my web server to Fedora 25. As soon as HTTP and php-fpm-server start up, floods of AVCs start appearing in the system log:

Nov 24 15:45:30 www.happyassassin.net audit[6584]: AVC avc: denied { execmem } for pid=6584 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=0

There are hundreds of them. Using the technique found at https://unix.stackexchange.com/questions/287831/how-to-work-out-why-apache-is-attempting-execmem , I got the same result multiple people got there: it's caused by the PHP PCRE JIT feature, which is enabled by default in 7.0. If I edit /etc/php.ini and change this line:

;pcre.jit=1

to:

pcre.jit=0

the problem goes away. If we can't fix this not to use execmem, we should flip the default for that setting.

Note that even though the docs claim it can be set anywhere, if I create a /etc/php.d/99-happyassassin.ini with this content:

[Pcre]
pcre.jit=0

it doesn't seem to work; execmems still occur. Not sure what's going on with that.
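Added example (not part of the bug report, and not Fedora's or PHP's own tooling): a small POSIX shell script that counts execmem AVC denials per process name in audit-style log lines, and resolves the effective pcre.jit value the way PHP's ini loading works (main php.ini first, then the scan directory's *.ini files in sorted order, last assignment wins, built-in default 1 when nothing sets it). The log lines and ini files it uses are constructed for the demonstration; the paths are temporary, not /etc/php.ini.

```shell
#!/bin/sh
# Added example, not code from the bug report. Log lines and ini files
# below are constructed; paths are temporary directories, not /etc.

# Constructed audit-style sample: two execmem denials from httpd, one from
# php-fpm, and one unrelated denial that must not be counted.
SAMPLE_AVCS='Nov 24 15:45:30 www.example.com audit[6584]: AVC avc:  denied  { execmem } for  pid=6584 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=0
Nov 24 15:45:31 www.example.com audit[6590]: AVC avc:  denied  { execmem } for  pid=6590 comm="php-fpm" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=0
Nov 24 15:45:32 www.example.com audit[6584]: AVC avc:  denied  { execmem } for  pid=6584 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=0
Nov 24 15:45:33 www.example.com audit[6584]: AVC avc:  denied  { name_connect } for  pid=6584 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0'

# Read log lines on stdin; print "<count> <comm>" for execmem denials only,
# most frequent first. Tolerates the single or double spaces auditd emits.
count_execmem_avcs() {
    grep -E 'denied +\{ *execmem *\}' \
        | sed -n 's/.*comm="\([^"]*\)".*/\1/p' \
        | sort | uniq -c | sort -rn | sed 's/^[[:space:]]*//'
}

# Print the effective pcre.jit value (0 or 1) for a main ini file plus a
# scan directory. Lines commented out with a leading ';' are ignored, which
# is why the stock ";pcre.jit=1" line leaves the built-in default in force.
effective_pcre_jit() {
    main="$1"; scandir="$2"
    value=""
    for f in "$main" "$scandir"/*.ini; do
        [ -f "$f" ] || continue
        v=$(sed -n 's/^[[:space:]]*pcre\.jit[[:space:]]*=[[:space:]]*\([01]\).*/\1/p' "$f" | tail -n 1)
        [ -n "$v" ] && value="$v"
    done
    echo "${value:-1}"   # PHP's built-in default is 1 (JIT enabled)
}

# Demo: a php.ini with the setting commented out, and a drop-in that sets 0.
demo_dropin_wins() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/php.d"
    printf ';pcre.jit=1\n' > "$tmp/php.ini"
    printf '[Pcre]\npcre.jit=0\n' > "$tmp/php.d/99-local.ini"
    effective_pcre_jit "$tmp/php.ini" "$tmp/php.d"
    rm -rf "$tmp"
}

printf '%s\n' "$SAMPLE_AVCS" | count_execmem_avcs
demo_dropin_wins
```

On a real host, feed it `ausearch -m avc --raw` or `journalctl -t audit` output instead of the constructed sample. To confirm what PHP actually loaded rather than what the files say, `php --ini` lists the files in effect and `php -r 'var_dump(ini_get("pcre.jit"));'` prints the live value; for the php-fpm case check inside an FPM worker (for example phpinfo()), since the CLI and FPM SAPIs can load different ini files.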
I cannot reproduce the ini file issue... strange, it works for me (try without the section name, which is unneeded).

Indeed, I can reproduce the AVC, and indeed switching to pcre.jit=0 fixes it.

I will update the provided configuration in the next build (7.0.14 planned for Dec 8th).
F26/PHP-7.1: http://pkgs.fedoraproject.org/cgit/rpms/php.git/commit/?id=f5482baa0c1ae8a3063bbaf342ea7634f759d4de

F25/PHP-7.0: http://pkgs.fedoraproject.org/cgit/rpms/php.git/commit/?h=f25&id=2bc76e8f1bfcc41a89d2146e234b5de5c8f227e9
Thanks for that. The only thing that worries me is that many people will have modified php.ini locally and so will not get the change. Could we flip the default in the code so that you have to have an explicit '=1' in config somewhere to get it?
Indeed, I usually never alter the provided configuration in a stable branch.

BTW:
- F25 is just released
- this AVC is not critical (it still works)
- I want to avoid non-upstream patches as much as possible

My plan is to talk with upstream about this default value.
These days people are probably more likely to use php.d files (I still can't figure out why I can't turn this off with one, though; yes, I've tried without a module name...), but it was pretty common practice for a long time to edit php.ini directly... The AVC isn't critical indeed, but it absolutely spams the system logs, as it occurs dozens or hundreds of times a minute (for me at least) and winds up in both the journal and audit.log.

The ideal fix would, I guess, be to make the JIT work without needing execmem in the first place. No idea how possible/hard that is.
php-7.0.13-2.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2016-b03e84b3e5
Notice: bug #1290432
php-7.0.13-2.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-b03e84b3e5
Also see pcre upstream bug: https://bugs.exim.org/show_bug.cgi?id=1749
php-7.0.13-2.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.
Error still keeps coming up on Fedora 26 and PHP 7.1.11.
@gaxweb, check your pcre.jit configuration (it should be 0 from the default provided configuration file).
(In reply to Remi Collet from comment #12)
> @gaxweb, check your pcre.jit configuration
> (should be 0 from default provided configuration file)

I'm aware of that workaround. It's not a solution though, and the bot has closed the bug, which is why I replied. I'm also aware that it's being worked on elsewhere.
The default php.ini uses pcre.jit=0.

If you have altered your configuration, the RPM cannot do anything else (one of the reasons changing php.ini is a terribly bad idea, and the worst way to change the PHP configuration).