The default php-fpm service is using PrivateTmp (maybe it would do the same without it): ``` # It's not recommended to modify this file in-place, because it # will be overwritten during upgrades. If you want to customize, # the best way is to use the "systemctl edit" command. [Unit] Description=The PHP FastCGI Process Manager After=syslog.target network.target [Service] Type=notify ExecStart=/usr/sbin/php-fpm --nodaemonize ExecReload=/bin/kill -USR2 $MAINPID PrivateTmp=true RuntimeDirectory=php-fpm RuntimeDirectoryMode=0755 [Install] WantedBy=multi-user.target ``` The default tmp folder for php-fpm have the `httpd_tmp_t` type: ``` # nsenter -t 2795763 -m ls -lahZ /tmp *total 0 drwxrwxrwt. 3 root root system_u:object_r:tmp_t:s0 60 Jan 16 16:33 . dr-xr-xr-x. 1 root root system_u:object_r:root_t:s0 138 Sep 13 04:36 .. drwxr-xr-x. 2 librenms librenms system_u:object_r:httpd_tmp_t:s0 60 Jan 16 16:25 HTML ``` ``` # nsenter -t 2795763 -m ls -lahZ /tmp/HTML total 96K drwxr-xr-x. 2 librenms librenms system_u:object_r:httpd_tmp_t:s0 60 Jan 16 16:25 . drwxrwxrwt. 3 root root system_u:object_r:tmp_t:s0 60 Jan 16 16:33 .. -rw-r--r--. 1 librenms librenms system_u:object_r:httpd_tmp_t:s0 94K Jan 16 16:25 4.15.0,f474c0a322b208e83d22d3aef33ecb184bc71d31,1.ser ``` When I'm trying to restart php-fpm with `systemctl restart php-fpm.service`, I'll get this error: ``` # audit2allow -a #============= init_t ============== allow init_t httpd_tmp_t:dir { remove_name rmdir } ``` Note that in the default namespace there is no folder using this type: `find / -xdev -type d -context '*httpd_tmp_t*' -printf '%-50Z%p\n'` prints no result. Reproducible: Always Steps to Reproduce: 1. dnf install -y php-fpm php-opcache 2. systemctl enable --now php-fpm 3. use php to write in its tmp folder 4. systemctl restart php-fpm 5. audit2allow -a Actual Results: # audit2allow -a #============= init_t ============== allow init_t httpd_tmp_t:dir { remove_name rmdir } # Expected Results: # audit2allow -a #
Hello, Can you please share unfiltered AVC denials? Can you use a local module to see if the following rule is sufficient? f39# cat local_phpfpm_privatetmp.cil (typeattributeset systemd_private_tmp_type httpd_tmp_t) f39# semodule -i local_phpfpm_privatetmp.cil <reproduce> f39# semodule -r local_phpfpm_privatetmp
Hi, Here are the AVC, is this enough for you or do you need another output? ``` # grep httpd_tmp_t /var/log/audit/audit.log type=AVC msg=audit(1705416946.390:978789): avc: denied { remove_name } for pid=2719019 comm="(sd-rmrf)" name="4.15.0,f474c0a322b208e83d22d3aef33ecb184bc71d31,1.ser" dev="tmpfs" ino=621 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=dir permissive=0 type=AVC msg=audit(1705416946.390:978790): avc: denied { rmdir } for pid=2719019 comm="(sd-rmrf)" name="HTML" dev="tmpfs" ino=620 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=dir permissive=0 ``` I can reproduce the same issue on my laptop, so here are the tests with your module, it looks like your module is enough: ``` $ systemctl show --property=MainPID --value php-fpm.service 7484 $ sudo nsenter -t 7484 -m mkdir -p /tmp/HTML/test $ sudo nsenter -t 7484 -m chcon system_u:object_r:httpd_tmp_t:s0 /tmp/HTML $ sudo nsenter -t 7484 -m ls -lahZ /tmp total 0 drwxrwxrwt. 3 root root system_u:object_r:tmp_t:s0 60 17 janv. 11:20 . dr-xr-xr-x. 1 root root system_u:object_r:root_t:s0 192 24 nov. 14:41 .. drwxr-xr-x. 3 root root system_u:object_r:httpd_tmp_t:s0 60 17 janv. 11:20 HTML $ sudo systemctl restart php-fpm $ sudo grep httpd_tmp_t /var/log/audit/audit.log type=AVC msg=audit(1705486932.024:438): avc: denied { remove_name } for pid=8044 comm="(sd-rmrf)" name="test" dev="tmpfs" ino=169 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=dir permissive=0 type=AVC msg=audit(1705486932.024:439): avc: denied { rmdir } for pid=8044 comm="(sd-rmrf)" name="HTML" dev="tmpfs" ino=168 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=dir permissive=0 $ sudo audit2allow -a #============= init_t ============== allow init_t httpd_tmp_t:dir { remove_name rmdir }; $ sudo semodule -i local_phpfpm_privatetmp.cil $ sudo nsenter -t 7484 -m ls -lahZ /tmp nsenter: cannot open /proc/7484/ns/mnt: Aucun fichier ou dossier de ce type $ systemctl show --property=MainPID --value php-fpm.service 8046 $ sudo nsenter -t 8046 -m ls -lahZ /tmp total 0 drwxrwxrwt. 2 root root system_u:object_r:tmp_t:s0 40 17 janv. 11:22 . dr-xr-xr-x. 1 root root system_u:object_r:root_t:s0 192 24 nov. 14:41 .. $ sudo nsenter -t 8046 -m mkdir -p /tmp/HTML/test $ sudo nsenter -t 8046 -m chcon system_u:object_r:httpd_tmp_t:s0 /tmp/HTML $ sudo systemctl restart php-fpm $ sudo grep httpd_tmp_t /var/log/audit/audit.log type=AVC msg=audit(1705486932.024:438): avc: denied { remove_name } for pid=8044 comm="(sd-rmrf)" name="test" dev="tmpfs" ino=169 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=dir permissive=0 type=AVC msg=audit(1705486932.024:439): avc: denied { rmdir } for pid=8044 comm="(sd-rmrf)" name="HTML" dev="tmpfs" ino=168 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=dir permissive=0 ``` Also even if systemd cannot delete the directory, it looks like the namespace is properly deleted (before your module installation).
Also, the real use case is a LibreNMS installation.
No further data needed at the moment. Can you remove your module from policy and use the one I provided instead?
Yes that's what I did on my laptop to reproduce the bug and see there was no more avc after I installed your policy.
Thank you for your cooperation.
FEDORA-2024-334b3be641 has been submitted as an update to Fedora 39. https://bodhi.fedoraproject.org/updates/FEDORA-2024-334b3be641
FEDORA-2024-334b3be641 has been pushed to the Fedora 39 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-334b3be641` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-334b3be641 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2024-334b3be641 has been pushed to the Fedora 39 stable repository. If problem still persists, please make note of it in this bug report.