Bug 164700 - fopen refuses to open URL when selinux enforced
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: php
Version: 4
Hardware: i386 Linux
Priority: medium
Severity: high
Assigned To: Joe Orton
David Lawrence
: SELinux
Reported: 2005-07-30 11:48 EDT by Jirka Pech
Modified: 2007-11-30 17:11 EST (History)
Doc Type: Bug Fix
Last Closed: 2005-08-01 03:51:49 EDT

Attachments:
Audit log (991 bytes, text/plain)
2005-07-30 11:48 EDT, Jirka Pech

Description Jirka Pech 2005-07-30 11:48:11 EDT
Hi Joe, Dan and Steven,
I'm not sure if this is a php, selinux or audit issue, so please forgive me
that I addressed it to you all. Possibly, it may be an upgrade issue, so please
forward this to whom it may concern.

Thank you,
Jirka Pech

Description of problem:

I have this simple php script on my FC4 box (upgraded from FC3):

<?php
  $fp = fopen("http://hq.cz", "r");
  if (! $fp) die('error');
  fclose($fp);
?>

which fails with:

Warning: fopen(http://hq.cz) [function.fopen]: failed to open stream: Permission
denied in /.. path removed ../test.php on line 2

Version-Release number of selected component (if applicable):
audit-libs-0.9.19-2.FC4
audit-0.9.19-2.FC4
selinux-policy-targeted-1.25.3-6 (tried also with 1.25.3-8)
libselinux-1.23.10-2
php-5.0.4-10.3
php-imap-5.0.4-10.3
php-mbstring-5.0.4-10.3
php-devel-5.0.4-10.3
php-pear-5.0.4-10.3
php-ldap-5.0.4-10.3
php-mysql-5.0.4-10.3
php-xmlrpc-5.0.4-10.3
php-gd-5.0.4-10.3
php-soap-5.0.4-10.3

How reproducible:
Always.

Steps to Reproduce:
1. Install FC3 and upgrade to FC4.
2. Run example script.
  
Actual results:
- fopen call fails with warning and there is no message in audit log concerning
that, even if the URL opening has been refused by SELinux targeted policy

Expected results:
- fopen should open the URL without any problem

Additional info:
- there is a strange message in audit log (please focus on line 4 of the
attachment) when trying to restart audit daemon,
- allow_url_fopen is enabled in php.ini

Everything works fine when:
- setenforce 0 is called,
- setenforce 1 is called but the script is called from the command line using
php -q test.php
Comment 1 Jirka Pech 2005-07-30 11:48:11 EDT
Created attachment 117311
Audit log
Comment 2 Joe Orton 2005-08-01 03:51:49 EDT
Please try "setsebool httpd_can_network_connect=1" (with -P to make the change
permanent).
Comment 3 Jirka Pech 2005-08-01 04:01:29 EDT
Thank you, Joe. It works, but it does not solve the problem with unrecognized
netlink message. Do you have any clue what it means? Should I report it as a
separate auditd bug?

Jirka Pech
Comment 4 Joe Orton 2005-08-01 04:17:19 EDT
If you are running the latest updates, then yes please.
Comment 5 Steve Grubb 2005-08-01 07:29:26 EDT
The unrecognized netlink message is covered by bz #163500, #155480, and #163175.
So... it's well documented.
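
A triage check for the situation in this report, added here as an example and not code from any commenter or from Fedora: it takes the enforcing mode and the state of the httpd_can_network_connect boolean named in comment 2 and reports whether policy is what blocks the web server's outbound connection. The helper names bool_state and diagnose are hypothetical; the live check at the end assumes getenforce and getsebool are installed.

```shell
#!/bin/sh
# Added example (not from the bug report). bool_state and diagnose are
# hypothetical helper names.

# bool_state LINE: print on/off/unknown for one line of getsebool output,
# e.g. "httpd_can_network_connect --> off". Some older releases print
# active/inactive instead of on/off.
bool_state() {
    set -- $1            # split into: name, "-->", state, ...
    case "$2 $3" in
        "--> on"|"--> active")    echo on ;;
        "--> off"|"--> inactive") echo off ;;
        *)                        echo unknown ;;
    esac
}

# diagnose MODE LINE: MODE is getenforce output, LINE is getsebool output.
diagnose() {
    mode=$1
    state=$(bool_state "$2")
    if [ "$mode" != "Enforcing" ]; then
        echo "not-enforced: mode is $mode, policy is not what blocks fopen"
    elif [ "$state" = off ]; then
        echo "blocked: httpd_can_network_connect is off"
    elif [ "$state" = on ]; then
        echo "allowed: boolean is on, look for another cause"
    else
        echo "unknown: cannot parse '$2'"
    fi
}

# On a host with the SELinux tools installed, check the live state.
# stderr is dropped so an error message is never parsed as a boolean line.
if command -v getenforce >/dev/null 2>&1 &&
   command -v getsebool >/dev/null 2>&1; then
    diagnose "$(getenforce)" "$(getsebool httpd_can_network_connect 2>/dev/null)"
fi
```

When the verdict is "blocked" and the application needs outbound connections, the setsebool change from comment 2 applies; it covers every script httpd serves, not only the one being debugged.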
