Bug 1502303 - php-fpm crashed with default SELinux settings
Summary: php-fpm crashed with default SELinux settings
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 27
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
: 1491503 1513816 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-10-15 14:57 UTC by Mikhail
Modified: 2017-11-20 16:55 UTC (History)
10 users (show)

Fixed In Version: selinux-policy-3.13.1-283.16.fc27
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-11-20 16:55:56 UTC
Type: Bug
Embargoed:


Attachments (Terms of Use)

Description Mikhail 2017-10-15 14:57:06 UTC
Description of problem:

$ sudo coredumpctl gdb
           PID: 21302 (php-fpm)
           UID: 0 (root)
           GID: 0 (root)
        Signal: 11 (SEGV)
     Timestamp: Sun 2017-10-15 19:02:56 +05 (48min ago)
  Command Line: /usr/sbin/php-fpm --nodaemonize
    Executable: /usr/sbin/php-fpm
 Control Group: /system.slice/php-fpm.service
          Unit: php-fpm.service
         Slice: system.slice
       Boot ID: de62dd2f0afb4d71b6864d503ba2a7d0
    Machine ID: d07bbde21f124e5d9ea60b6b850217ae
      Hostname: localhost.localdomain
       Storage: /var/lib/systemd/coredump/core.php-fpm.0.de62dd2f0afb4d71b6864d503ba2a7d0.21302.1508076176000000.lz4
       Message: Process 21302 (php-fpm) of user 0 dumped core.
                
                Stack trace of thread 21302:
                #0  0x00007fb3b1a8a48e pthread_rwlock_init (libpthread.so.0)
                #1  0x00007fb39fc0b480 apc_lock_create (apcu.so)
                #2  0x00007fb39fc0ff34 apc_sma_api_init (apcu.so)
                #3  0x00007fb39fc0c3b7 zm_startup_apcu (apcu.so)
                #4  0x000055f57b12de94 zend_startup_module_ex (php-fpm)
                #5  0x000055f57b12df6c zend_startup_module_zval (php-fpm)
                #6  0x000055f57b13b93a zend_hash_apply (php-fpm)
                #7  0x000055f57b12e25a zend_startup_modules (php-fpm)
                #8  0x000055f57b0c595b php_module_startup (php-fpm)
                #9  0x000055f57b1d9695 php_cgi_startup (php-fpm)
                #10 0x000055f57af9d160 main (php-fpm)
                #11 0x00007fb3b1ec103a __libc_start_main (libc.so.6)
                #12 0x000055f57af9e63a _start (php-fpm)


(gdb) thread apply all bt

Thread 1 (Thread 0x7fb3b514ad00 (LWP 21302)):
#0  __pthread_rwlock_init (rwlock=rwlock@entry=0xffffffffffffffff, attr=attr@entry=0x7fb39fe186c8 <apc_lock_attr>) at pthread_rwlock_init.c:39
#1  0x00007fb39fc0b480 in apc_lock_create (lock=lock@entry=0xffffffffffffffff) at /usr/src/debug/php-pecl-apcu-5.1.8-4.fc27.x86_64/NTS/apc_lock.c:177
#2  0x00007fb39fc0ff34 in apc_sma_api_init (sma=0x7fb39fe182a0 <apc_sma>, data=<optimized out>, expunge=<optimized out>, num=<optimized out>, size=<optimized out>, mask=<optimized out>)
    at /usr/src/debug/php-pecl-apcu-5.1.8-4.fc27.x86_64/NTS/apc_sma.c:323
#3  0x00007fb39fc0c3b7 in zm_startup_apcu (type=<optimized out>, module_number=51) at /usr/src/debug/php-pecl-apcu-5.1.8-4.fc27.x86_64/NTS/php_apc.c:237
#4  0x000055f57b12de94 in zend_startup_module_ex (module=0x55f57c2ab7f0) at /usr/src/debug/php-7.1.11~RC1-1.fc27.x86_64/Zend/zend_API.c:1843
#5  0x000055f57b12df6c in zend_startup_module_zval (zv=<optimized out>) at /usr/src/debug/php-7.1.11~RC1-1.fc27.x86_64/Zend/zend_API.c:1858
#6  0x000055f57b13b93a in zend_hash_apply (ht=ht@entry=0x55f57b533be0 <module_registry>, apply_func=apply_func@entry=0x55f57b12df60 <zend_startup_module_zval>)
    at /usr/src/debug/php-7.1.11~RC1-1.fc27.x86_64/Zend/zend_hash.c:1507
#7  0x000055f57b12e25a in zend_startup_modules () at /usr/src/debug/php-7.1.11~RC1-1.fc27.x86_64/Zend/zend_API.c:1969
#8  0x000055f57b0c595b in php_module_startup (sf=<optimized out>, additional_modules=<optimized out>, num_additional_modules=<optimized out>) at /usr/src/debug/php-7.1.11~RC1-1.fc27.x86_64/main/main.c:2300
#9  0x000055f57b1d9695 in php_cgi_startup (sapi_module=<optimized out>) at /usr/src/debug/php-7.1.11~RC1-1.fc27.x86_64/sapi/fpm/fpm/fpm_main.c:838
#10 0x000055f57af9d160 in main (argc=2, argv=0x7ffd7bb06568) at /usr/src/debug/php-7.1.11~RC1-1.fc27.x86_64/sapi/fpm/fpm/fpm_main.c:1810
(gdb)

Comment 1 George Nikandrov 2017-11-11 06:45:42 UTC
Isn't it something

Comment 2 George Nikandrov 2017-11-11 06:47:00 UTC
(In reply to George Nikandrov from comment #1)
> Isn't it something
Sorry. Isn't is something that rather should be reported to selinux-policy? php-fpm starts up just fine if I do
# setenforce 0 && systemctl start php-fpm.service && setenforce 1

Comment 3 Remi Collet 2017-11-15 09:45:32 UTC
*** Bug 1491503 has been marked as a duplicate of this bug. ***

Comment 4 Remi Collet 2017-11-15 09:46:19 UTC
Indeed we have a AVC in audit.log

type=AVC msg=audit(1510739045.320:324): avc:  denied  { map } for  pid=6597 comm="php-fpm" path=2F746D702F6170632E656C37596B31202864656C6574656429 dev="tmpfs" ino=75782 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=file permissive=0

Comment 5 Remi Collet 2017-11-15 09:47:53 UTC
Reaffecting to selinux, as this is something wrong with default F27 policy

Comment 6 Remi Collet 2017-11-15 09:49:44 UTC
Reproducer:
  dnf install php-fpm php-pecl-apcu
  systemctl start php-fpm

Comment 7 Remi Collet 2017-11-16 07:20:41 UTC
*** Bug 1513816 has been marked as a duplicate of this bug. ***

Comment 8 Fedora Update System 2017-11-16 15:11:10 UTC
selinux-policy-3.13.1-283.16.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-5178e6a393

Comment 9 Fedora Update System 2017-11-17 18:55:39 UTC
selinux-policy-3.13.1-283.16.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-5178e6a393

Comment 10 Fedora Update System 2017-11-20 16:55:56 UTC
selinux-policy-3.13.1-283.16.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.