Description of problem: SELinux is preventing php-fpm from 'execute' accesses on the file 2F616E6F6E5F6875676570616765202864656C6574656429. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that php-fpm should be allowed execute access on the 2F616E6F6E5F6875676570616765202864656C6574656429 file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'php-fpm' --raw | audit2allow -M my-phpfpm # semodule -X 300 -i my-phpfpm.pp Additional Information: Source Context system_u:system_r:httpd_t:s0 Target Context system_u:object_r:hugetlbfs_t:s0 Target Objects 2F616E6F6E5F6875676570616765202864656C6574656429 [ file ] Source php-fpm Source Path php-fpm Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages Policy RPM selinux-policy-3.13.1-249.fc26.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Permissive Host Name (removed) Platform Linux (removed) 4.11.0-0.rc7.git0.1.fc26.x86_64+debug #1 SMP Mon Apr 17 17:55:44 UTC 2017 x86_64 x86_64 Alert Count 5 First Seen 2017-04-15 21:53:06 +05 Last Seen 2017-04-21 01:23:28 +05 Local ID 81fac950-5154-435f-82e1-9a15678e7b03 Raw Audit Messages type=AVC msg=audit(1492719808.962:2193): avc: denied { execute } for pid=14637 comm="php-fpm" path=2F616E6F6E5F6875676570616765202864656C6574656429 dev="hugetlbfs" ino=2462238 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:hugetlbfs_t:s0 tclass=file permissive=1 Hash: php-fpm,httpd_t,hugetlbfs_t,file,execute Version-Release number of selected component: selinux-policy-3.13.1-249.fc26.noarch Additional info: component: selinux-policy reporter: libreport-2.9.1 hashmarkername: setroubleshoot kernel: 4.11.0-0.rc7.git0.1.fc26.x86_64+debug type: libreport
I am seeing the same here (but on RHEL and for php-cli rather php-fpm). Can this get addressed on Fedora at least, please? This must be somehow related to PHP 7.x: type=AVC msg=audit(1504861022.452:11575): avc: denied { execute } for pid=63316 comm="php" path=2F616E6F6E5F6875676570616765202864656C6574656429 dev="hugetlbfs" ino=4487400 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:hugetlbfs_t:s0 tclass=file type=SYSCALL msg=audit(1504861022.452:11575): arch=c000003e syscall=9 success=no exit=-13 a0=55ba83c00000 a1=200000 a2=7 a3=40032 items=0 ppid=1 pid=63316 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="php" exe="/opt/remi/php70/root/usr/bin/php" subj=system_u:system_r:httpd_t:s0 key=(null)
*** Bug 1507289 has been marked as a duplicate of this bug. ***
Fixed in Fedora26+. This fix will be part of the next updates.
Is that a large change? Do you see a chance that this could get backported to RHEL 7 (when using SCLs), if I file a bug report?
Create a BZ for RHEL7 please.
Done, it's bug #1507682 (for those stumbling over it via Google like me).
Just using "ausearch -i -if /dev/stdin" to interpret hexadecimal strings: ---- type=SYSCALL msg=audit(09/08/2017 10:57:02.452:11575) : arch=x86_64 syscall=mmap success=no exit=EACCES(Permission denied) a0=0x55ba83c00000 a1=0x200000 a2=PROT_READ|PROT_WRITE|PROT_EXEC a3=MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS|MAP_HUGETLB items=0 ppid=1 pid=63316 auid=unset uid=unknown(48) gid=unknown(48) euid=unknown(48) suid=unknown(48) fsuid=unknown(48) egid=unknown(48) sgid=unknown(48) fsgid=unknown(48) tty=(none) ses=unset comm=php type=AVC msg=audit(09/08/2017 10:57:02.452:11575) : avc: denied { execute } for pid=63316 comm=php path=/anon_hugepage (deleted) dev="hugetlbfs" ino=4487400 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:hugetlbfs_t:s0 tclass=file ----
selinux-policy-3.13.1-260.16.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-39e6a2f7e7
selinux-policy-3.13.1-260.16.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-39e6a2f7e7
selinux-policy-3.13.1-260.17.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-39e6a2f7e7
selinux-policy-3.13.1-260.17.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-39e6a2f7e7
selinux-policy-3.13.1-260.17.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.