Bug 1725104 - AVC denied httpd_execmem for php-fpm when php-opcache is installed [php:7.3]
Summary: AVC denied httpd_execmem for php-fpm when php-opcache is installed [php:7.3]
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: php
Version: 8.0
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: 8.0
Assignee: Web Stack Team
QA Contact: Jakub Heger
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-06-28 12:53 UTC by Joe Orton
Modified: 2019-11-05 20:56 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1670386
Environment:
Last Closed: 2019-11-05 20:56:39 UTC
Type: Bug
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2019:3375 None None None 2019-11-05 20:56:43 UTC

Description Joe Orton 2019-06-28 12:53:04 UTC
+++ This bug was initially created as a clone of Bug #1670386 +++

Description of problem:
When package 'php-opcache' is installed then php-fpm cause selinux AVC.

Version-Release number of selected component (if applicable):
php-fpm-7.2.11-1.module+el8+2561+1aca3413

How reproducible:
Always

Steps to Reproduce:
1. yum install php php-fpm php-opcache
2. service php-fpm restart
3. ausearch -m AVC

Actual results:
----
time->Tue Jan 29 08:16:41 2019
type=PROCTITLE msg=audit(1548767801.906:957): proctitle=2F7573722F7362696E2F7068702D66706D002D2D6E6F6461656D6F6E697A65
type=SYSCALL msg=audit(1548767801.906:957): arch=c000003e syscall=9 success=no exit=-13 a0=55cc52600000 a1=200000 a2=7 a3=40032 items=0 ppid=1 pid=10585 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="php-fpm" exe="/usr/sbin/php-fpm" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1548767801.906:957): avc:  denied  { execmem } for  pid=10585 comm="php-fpm" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=0
----
time->Tue Jan 29 08:16:41 2019
type=PROCTITLE msg=audit(1548767801.906:958): proctitle=2F7573722F7362696E2F7068702D66706D002D2D6E6F6461656D6F6E697A65
type=SYSCALL msg=audit(1548767801.906:958): arch=c000003e syscall=9 success=no exit=-13 a0=55cc52600000 a1=200000 a2=7 a3=32 items=0 ppid=1 pid=10585 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="php-fpm" exe="/usr/sbin/php-fpm" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1548767801.906:958): avc:  denied  { execmem } for  pid=10585 comm="php-fpm" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=0


type=AVC msg=audit(1545048868.378:1504): avc:  denied  { execmem } for  pid=17365 comm="php-fpm" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=0

Expected results:
no AVC.


Additional info:
No AVC if php-opcache is not installed.

--- Additional comment from Milos Malik on 2019-01-29 15:37:42 GMT ---

The execmem permission for httpd_t domain will not be allowed by default, because it's dangerous from SELinux point-of-view:

 * https://danwalsh.livejournal.com/73611.html
 * https://akkadia.org/drepper/selinux-mem.html

----
type=PROCTITLE msg=audit(01/29/2019 10:27:11.504:308) : proctitle=/usr/sbin/php-fpm --nodaemonize 
type=SYSCALL msg=audit(01/29/2019 10:27:11.504:308) : arch=x86_64 syscall=mmap success=no exit=EACCES(Permission denied) a0=0x55b45f400000 a1=0x200000 a2=PROT_READ|PROT_WRITE|PROT_EXEC a3=MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS|MAP_HUGETLB items=0 ppid=1 pid=6342 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=php-fpm exe=/usr/sbin/php-fpm subj=system_u:system_r:httpd_t:s0 key=(null) 
type=AVC msg=audit(01/29/2019 10:27:11.504:308) : avc:  denied  { execmem } for  pid=6342 comm=php-fpm scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=0 
----

If your use-case really needs such a permission, you have to enable the httpd_execmem boolean:

# setsebool -P httpd_execmem on

--- Additional comment from Remi Collet on 2019-06-28 13:24:38 BST ---

Need to test with opcache.huge_code_pages=0

--- Additional comment from Remi Collet on 2019-06-28 13:41:32 BST ---

2 possible fix:

1/ runtime

- change default provided configuration to opcache.huge_code_pages=0

(whichh may allow user to enable it....)

2/ buldtime

- add --disable-huge-code-pages build option
- clean configuration file

In both case, a configuration change is needed

Comment 6 errata-xmlrpc 2019-11-05 20:56:39 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2019:3375


Note You need to log in before you can comment on or make changes to this bug.