Bug 2258637 - [selinux] systemd cannot flush the privatetmp cache used by php-fpm
Summary: [selinux] systemd cannot flush the privatetmp cache used by php-fpm
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 39
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2024-01-16 16:56 UTC by felix.bouynot
Modified: 2024-01-30 04:22 UTC (History)

Fixed In Version: selinux-policy-39.4-1.fc39
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2024-01-30 04:22:13 UTC
Type: ---
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Github fedora-selinux selinux-policy pull 1999 0 None Merged Allow httpd work with PrivateTmp 2024-01-19 16:15:01 UTC

Description felix.bouynot 2024-01-16 16:56:27 UTC
The default php-fpm service is using PrivateTmp (maybe it would do the same without it): 

```
# It's not recommended to modify this file in-place, because it
# will be overwritten during upgrades.  If you want to customize,
# the best way is to use the "systemctl edit" command.

[Unit]
Description=The PHP FastCGI Process Manager
After=syslog.target network.target

[Service]
Type=notify
ExecStart=/usr/sbin/php-fpm --nodaemonize
ExecReload=/bin/kill -USR2 $MAINPID
PrivateTmp=true
RuntimeDirectory=php-fpm
RuntimeDirectoryMode=0755

[Install]
WantedBy=multi-user.target
```

The default tmp folder for php-fpm has the `httpd_tmp_t` type:

```
# nsenter -t 2795763 -m ls -lahZ /tmp
total 0
drwxrwxrwt. 3 root     root     system_u:object_r:tmp_t:s0        60 Jan 16 16:33 .
dr-xr-xr-x. 1 root     root     system_u:object_r:root_t:s0      138 Sep 13 04:36 ..
drwxr-xr-x. 2 librenms librenms system_u:object_r:httpd_tmp_t:s0  60 Jan 16 16:25 HTML
```
```
# nsenter -t 2795763 -m ls -lahZ /tmp/HTML
total 96K
drwxr-xr-x. 2 librenms librenms system_u:object_r:httpd_tmp_t:s0  60 Jan 16 16:25 .
drwxrwxrwt. 3 root     root     system_u:object_r:tmp_t:s0        60 Jan 16 16:33 ..
-rw-r--r--. 1 librenms librenms system_u:object_r:httpd_tmp_t:s0 94K Jan 16 16:25 4.15.0,f474c0a322b208e83d22d3aef33ecb184bc71d31,1.ser
```

When I try to restart php-fpm with `systemctl restart php-fpm.service`, I get this error:
```
# audit2allow -a
#============= init_t ==============

allow init_t httpd_tmp_t:dir { remove_name rmdir }
```

Note that in the default namespace there is no folder using this type: `find / -xdev -type d -context '*httpd_tmp_t*' -printf '%-50Z%p\n'` prints no result.

Reproducible: Always

Steps to Reproduce:
1. dnf install -y php-fpm php-opcache
2. systemctl enable --now php-fpm
3. use php to write in its tmp folder
4. systemctl restart php-fpm
5. audit2allow -a
Actual Results:
```
# audit2allow -a
#============= init_t ==============

allow init_t httpd_tmp_t:dir { remove_name rmdir }
#
```

Expected Results:
```
# audit2allow -a
#
```

Comment 1 Zdenek Pytela 2024-01-16 17:29:43 UTC
Hello,

Can you please share unfiltered AVC denials?

Can you use a local module to see if the following rule is sufficient?

```
f39# cat local_phpfpm_privatetmp.cil
(typeattributeset systemd_private_tmp_type httpd_tmp_t)
f39# semodule -i local_phpfpm_privatetmp.cil
<reproduce>
f39# semodule -r local_phpfpm_privatetmp
```

Comment 2 felix.bouynot 2024-01-17 10:34:16 UTC
Hi,

Here are the AVCs; is this enough for you, or do you need another output?
```
# grep httpd_tmp_t /var/log/audit/audit.log
type=AVC msg=audit(1705416946.390:978789): avc:  denied  { remove_name } for  pid=2719019 comm="(sd-rmrf)" name="4.15.0,f474c0a322b208e83d22d3aef33ecb184bc71d31,1.ser" dev="tmpfs" ino=621 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1705416946.390:978790): avc:  denied  { rmdir } for  pid=2719019 comm="(sd-rmrf)" name="HTML" dev="tmpfs" ino=620 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=dir permissive=0
```

I can reproduce the same issue on my laptop, so here are the tests with your module; it looks like your module is enough:
```
$ systemctl show --property=MainPID --value php-fpm.service
7484
$ sudo nsenter -t 7484 -m mkdir -p /tmp/HTML/test
$ sudo nsenter -t 7484 -m chcon system_u:object_r:httpd_tmp_t:s0 /tmp/HTML
$ sudo nsenter -t 7484 -m ls -lahZ /tmp
total 0
drwxrwxrwt. 3 root root system_u:object_r:tmp_t:s0        60 17 janv. 11:20 .
dr-xr-xr-x. 1 root root system_u:object_r:root_t:s0      192 24 nov.  14:41 ..
drwxr-xr-x. 3 root root system_u:object_r:httpd_tmp_t:s0  60 17 janv. 11:20 HTML
$ sudo systemctl restart php-fpm
$ sudo grep httpd_tmp_t /var/log/audit/audit.log
type=AVC msg=audit(1705486932.024:438): avc:  denied  { remove_name } for  pid=8044 comm="(sd-rmrf)" name="test" dev="tmpfs" ino=169 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1705486932.024:439): avc:  denied  { rmdir } for  pid=8044 comm="(sd-rmrf)" name="HTML" dev="tmpfs" ino=168 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=dir permissive=0
$ sudo audit2allow -a


#============= init_t ==============
allow init_t httpd_tmp_t:dir { remove_name rmdir };
$ sudo semodule -i local_phpfpm_privatetmp.cil
$ sudo nsenter -t 7484 -m ls -lahZ /tmp
nsenter: cannot open /proc/7484/ns/mnt: Aucun fichier ou dossier de ce type
$ systemctl show --property=MainPID --value php-fpm.service
8046
$ sudo nsenter -t 8046 -m ls -lahZ /tmp
total 0
drwxrwxrwt. 2 root root system_u:object_r:tmp_t:s0   40 17 janv. 11:22 .
dr-xr-xr-x. 1 root root system_u:object_r:root_t:s0 192 24 nov.  14:41 ..
$ sudo nsenter -t 8046 -m mkdir -p /tmp/HTML/test
$ sudo nsenter -t 8046 -m chcon system_u:object_r:httpd_tmp_t:s0 /tmp/HTML
$ sudo systemctl restart php-fpm
$ sudo grep httpd_tmp_t /var/log/audit/audit.log
type=AVC msg=audit(1705486932.024:438): avc:  denied  { remove_name } for  pid=8044 comm="(sd-rmrf)" name="test" dev="tmpfs" ino=169 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1705486932.024:439): avc:  denied  { rmdir } for  pid=8044 comm="(sd-rmrf)" name="HTML" dev="tmpfs" ino=168 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=dir permissive=0
```

Also, even if systemd cannot delete the directory, it looks like the namespace is properly deleted (before your module installation).
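The AVC records above have a recognisable shape: the denied process is systemd's cleanup helper `(sd-rmrf)` running as `init_t`, the permissions are `remove_name`/`rmdir` on a `dir`, and the target type is the service's private-tmp label. The following script, an added example and not part of this bug report or of selinux-policy, filters an audit log for exactly that pattern and emits the same `typeattributeset` rule shape that the local module in Comment 1 uses, instead of the broad `allow init_t <type>:dir ...` that `audit2allow` would propose. The third log line and all function names are constructed for the example.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the two AVC records from this bug report plus one
# unrelated denial, so that the filter has something to reject.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1705416946.390:978789): avc:  denied  { remove_name } for  pid=2719019 comm="(sd-rmrf)" name="4.15.0,f474c0a322b208e83d22d3aef33ecb184bc71d31,1.ser" dev="tmpfs" ino=621 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1705416946.390:978790): avc:  denied  { rmdir } for  pid=2719019 comm="(sd-rmrf)" name="HTML" dev="tmpfs" ino=620 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1705416950.000:978791): avc:  denied  { write } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=99 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\}\s+for\s+.*?'
    r'comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

# Directory-entry removal permissions that systemd's tmp cleanup needs.
CLEANUP_PERMS = {"remove_name", "rmdir", "unlink"}


def parse_avc(line: str) -> Optional[Dict[str, object]]:
    """Extract permissions, comm, contexts and class from one AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec: Dict[str, object] = dict(m.groupdict())
    rec["perms"] = str(rec["perms"]).split()
    return rec


def sel_type(context: str) -> str:
    """user:role:type:level -> type."""
    return context.split(":")[2]


def is_privatetmp_cleanup_denial(rec: Dict[str, object]) -> bool:
    """True when systemd (init_t, comm '(sd-rmrf)') was denied deleting a dir."""
    return bool(str(rec["comm"]) == "(sd-rmrf)"
                and sel_type(str(rec["scontext"])) == "init_t"
                and str(rec["tclass"]) == "dir"
                and set(rec["perms"]) & CLEANUP_PERMS)  # type: ignore[arg-type]


def missing_private_tmp_types(log_text: str) -> List[str]:
    """Target types that block PrivateTmp cleanup, in first-seen order."""
    found: List[str] = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and is_privatetmp_cleanup_denial(rec):
            t = sel_type(str(rec["tcontext"]))
            if t not in found:
                found.append(t)
    return found


def cil_module(types: List[str]) -> str:
    """Same rule shape as Comment 1's local module, one line per type."""
    return "\n".join(f"(typeattributeset systemd_private_tmp_type {t})" for t in types)


if __name__ == "__main__":
    print(cil_module(missing_private_tmp_types(SAMPLE_AUDIT_LOG)))
```

On a live system the input would come from `ausearch -m AVC` or `/var/log/audit/audit.log` as in the comments above, and the resulting `.cil` file is installed with `semodule -i` exactly as shown in Comment 1.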

Comment 3 felix.bouynot 2024-01-17 10:57:13 UTC
Also, the real use case is a LibreNMS installation.

Comment 4 Zdenek Pytela 2024-01-17 11:29:48 UTC
No further data needed at the moment. Can you remove your module from policy and use the one I provided instead?

Comment 5 felix.bouynot 2024-01-17 12:21:26 UTC
Yes, that's what I did on my laptop to reproduce the bug and see that there were no more AVCs after I installed your policy.

Comment 6 Zdenek Pytela 2024-01-18 19:56:24 UTC
Thank you for your cooperation.

Comment 7 Fedora Update System 2024-01-26 23:20:05 UTC
FEDORA-2024-334b3be641 has been submitted as an update to Fedora 39. https://bodhi.fedoraproject.org/updates/FEDORA-2024-334b3be641

Comment 8 Fedora Update System 2024-01-27 02:35:19 UTC
FEDORA-2024-334b3be641 has been pushed to the Fedora 39 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2024-334b3be641`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2024-334b3be641

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 9 Fedora Update System 2024-01-30 04:22:13 UTC
FEDORA-2024-334b3be641 has been pushed to the Fedora 39 stable repository.
If the problem still persists, please make note of it in this bug report.