This is basically the same as bug 1178210 but for Fedora: # sesearch -A -s httpd_t -t redis_var_run_t -c sock_file -p write (no output) type=AVC msg=audit(1599084877.724:25272): avc: denied { write } for pid=53901 comm="php-fpm" name="redis-nc.sock" dev="tmpfs" ino=1119585 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:redis_var_run_t:s0 tclass=sock_file permissive=0
Porting the patch: https://github.com/fedora-selinux/selinux-policy-contrib/pull/331 It required some polishing, but content is the same.
Thank you :-) Will this change also hit F32 at some point via "selinux-policy-targeted" or do I need to install an extra package for that?
It will be a part of the next F32 build, too.
FEDORA-2020-9896f80cf0 has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-9896f80cf0
FEDORA-2020-9896f80cf0 has been pushed to the Fedora 32 testing repository. In short time you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-9896f80cf0` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-9896f80cf0 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
somehow the update does not fix the problem for me: # rpm -q selinux-policy-targeted selinux-policy-targeted-3.14.5-44.fc32.noarch type=AVC msg=audit(1601824904.270:201): avc: denied { write } for pid=1125 comm="php-fpm" name="redis-nc.sock" dev="tmpfs" ino=23973 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:redis_var_run_t:s0 tclass=sock_file permissive=1 type=AVC msg=audit(1601824904.270:202): avc: denied { connectto } for pid=1125 comm="php-fpm" path="/run/redis-nc/redis-nc.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:redis_t:s0 tclass=unix_stream_socket permissive=1 I don't know enough about all the macros used in the selinux policy definitions but is there a way for me to debug this further?
FEDORA-2020-9896f80cf0 has been pushed to the Fedora 32 stable repository. If problem still persists, please make note of it in this bug report.
as I mentioned in comment #6 the update does not fix the problem for me. Any pointers in how to debug this further?
Hi, I managed to find a glitch in the original 2015 commit - not sure if something changed since then or if it was a typo even that time: redis_t vs redisd_t. The other permission is then a result of not accepting the whole macro. Thank you for pointing to the problem; I don't think there is another way how to debug but verifying using sesearch like # sesearch -A -s httpd_t -t redis_t -c unix_stream_socket -p connectto allow daemon daemon:unix_stream_socket connectto; [ daemons_enable_cluster_mode ]:True # sesearch -A -s httpd_t -t redis_var_run_t -c sock_file -p write <> https://github.com/fedora-selinux/selinux-policy-contrib/pull/338
ah good catch - I should have spotted that myself. Thank you very much for your quick response - your SElinux work (+ fellow Red Hatters) really makes SElinux usable in Fedora.
FEDORA-2020-77b49aa207 has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-77b49aa207
FEDORA-2020-77b49aa207 has been pushed to the Fedora 32 testing repository. In short time you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-77b49aa207` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-77b49aa207 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
I can confirm that the latest update fixes the problem for me. Thank you very much.
FEDORA-2020-77b49aa207 has been pushed to the Fedora 32 stable repository. If problem still persists, please make note of it in this bug report.