libreport version: 2.0.10
executable: /usr/bin/python2.7
hashmarkername: setroubleshoot
kernel: 3.3.7-1.fc17.i686.PAE
time: Сб. 26 мая 2012 19:51:22
description:
SELinux is preventing /usr/sbin/php-fpm from 'mmap_zero' accesses on the memprotect .

***** Plugin mmap_zero (53.1 confidence) suggests **************************

If you do not think /usr/sbin/php-fpm should need to mmap low memory in the kernel.
Then you may be under attack by a hacker, this is a very dangerous access.
Do
contact your security administrator and report this issue.

***** Plugin catchall_boolean (42.6 confidence) suggests *******************

If you want to control the ability to mmap a low area of the address space, as configured by /proc/sys/kernel/mmap_min_addr.
Then you must tell SELinux about this by enabling the 'mmap_low_allowed' boolean. You can read 'initrc_selinux' man page for more details.
Do
setsebool -P mmap_low_allowed 1

***** Plugin catchall (5.76 confidence) suggests ***************************

If you believe that php-fpm should be allowed mmap_zero access on the memprotect by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep php-fpm /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:initrc_t:s0
Target Context                system_u:system_r:initrc_t:s0
Target Objects                [ memprotect ]
Source                        php-fpm
Source Path                   /usr/sbin/php-fpm
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           php-fpm-5.4.3-1.fc17.i386
Target RPM Packages
Policy RPM                    selinux-policy-3.10.0-125.fc17.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.3.7-1.fc17.i686.PAE #1 SMP Mon May 21 22:42:05 UTC 2012 i686 i686
Alert Count                   1
First Seen                    Сб. 26 мая 2012 19:51:00
Last Seen                     Сб. 26 мая 2012 19:51:00
Local ID                      b7b7a83d-b70b-4938-9da9-2cf5207565b8

Raw Audit Messages
type=AVC msg=audit(1338040260.656:361): avc: denied { mmap_zero } for pid=7439 comm="php-fpm" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=memprotect

type=SYSCALL msg=audit(1338040260.656:361): arch=i386 syscall=mmap2 success=no exit=EACCES a0=0 a1=100000 a2=3 a3=22 items=0 ppid=6156 pid=7439 auid=4294967295 uid=992 gid=989 euid=992 suid=992 fsuid=992 egid=989 sgid=989 fsgid=989 tty=(none) ses=4294967295 comm=php-fpm exe=/usr/sbin/php-fpm subj=system_u:system_r:initrc_t:s0 key=(null)

Hash: php-fpm,initrc_t,initrc_t,memprotect,mmap_zero

audit2allow
unable to open /sys/fs/selinux/policy: Permission denied

audit2allow -R
unable to open /sys/fs/selinux/policy: Permission denied
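The two raw audit records in the report carry more detail than the three plugin suggestions summarise: the SYSCALL record gives the mmap2 arguments (audit prints register values in hex) and shares an event serial with the AVC record, so the two can be joined. The script below is an added illustration, not part of the bug report, of setroubleshoot or of the SELinux tooling. It parses the two records quoted above (embedded here as constructed sample input), joins them by serial, decodes the address hint, length, protection and flags, and rebuilds the same comma-separated signature that the "Hash:" line prints. All function and field names (parse_record, decode_mmap, summarize, and the keys of the returned dict) are this example's own.

```python
import re

# Constructed input: the two raw audit records quoted in the report above,
# one record per line, as they would appear in /var/log/audit/audit.log.
SAMPLE_RECORDS = [
    'type=AVC msg=audit(1338040260.656:361): avc: denied { mmap_zero } for '
    'pid=7439 comm="php-fpm" scontext=system_u:system_r:initrc_t:s0 '
    'tcontext=system_u:system_r:initrc_t:s0 tclass=memprotect',
    'type=SYSCALL msg=audit(1338040260.656:361): arch=i386 syscall=mmap2 '
    'success=no exit=EACCES a0=0 a1=100000 a2=3 a3=22 items=0 ppid=6156 '
    'pid=7439 auid=4294967295 uid=992 gid=989 euid=992 suid=992 fsuid=992 '
    'egid=989 sgid=989 fsgid=989 tty=(none) ses=4294967295 comm=php-fpm '
    'exe=/usr/sbin/php-fpm subj=system_u:system_r:initrc_t:s0 key=(null)',
]

# Bit values from <sys/mman.h>; only the bits needed to read this event.
PROT_FLAGS = {0x1: "PROT_READ", 0x2: "PROT_WRITE", 0x4: "PROT_EXEC"}
MAP_FLAGS = {0x01: "MAP_SHARED", 0x02: "MAP_PRIVATE", 0x10: "MAP_FIXED",
             0x20: "MAP_ANONYMOUS"}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r'msg=audit\(\d+\.\d+:(\d+)\)')
DENIED_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}')


def parse_record(line):
    """Split one audit record into a dict of key=value fields, plus the event
    serial (so AVC and SYSCALL records of one event can be joined) and, for
    AVC records, the decision and the permission list inside the braces."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = SERIAL_RE.search(line)
    fields["serial"] = int(m.group(1)) if m else None
    m = DENIED_RE.search(line)
    if m:
        fields["decision"] = m.group(1)
        fields["perms"] = m.group(2).split()
    return fields


def decode_flags(value, table):
    """Render a bitmask with a name table; unknown bits are kept as hex."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    rest = value & ~sum(table)
    if rest:
        names.append(hex(rest))
    return "|".join(names) if names else "0"


def decode_mmap(sc):
    """Interpret a0..a3 of an mmap/mmap2 SYSCALL record (values are hex).
    For mmap2 a1 is the length in bytes, a2 the prot mask, a3 the flags."""
    if sc.get("syscall") not in ("mmap", "mmap2"):
        return None
    addr, length, prot, flags = (int(sc[a], 16) for a in ("a0", "a1", "a2", "a3"))
    return {
        "addr": addr,
        "length": length,
        "prot": decode_flags(prot, PROT_FLAGS),
        "flags": decode_flags(flags, MAP_FLAGS),
        "fixed": bool(flags & 0x10),  # MAP_FIXED: caller insisted on addr
    }


def type_of(context):
    """Return the type component of a user:role:type:level SELinux context."""
    return context.split(":")[2]


def summarize(lines):
    """Join AVC and SYSCALL records by serial; one summary dict per denial."""
    by_serial = {}
    for line in lines:
        rec = parse_record(line)
        by_serial.setdefault(rec["serial"], {})[rec["type"]] = rec
    events = []
    for serial, recs in sorted(by_serial.items()):
        avc = recs.get("AVC")
        if not avc or avc.get("decision") != "denied":
            continue
        ev = {
            "serial": serial,
            "comm": avc["comm"],
            "perm": avc["perms"][0],
            "tclass": avc["tclass"],
            # same field order as the "Hash:" line setroubleshoot prints above
            "signature": ",".join([avc["comm"], type_of(avc["scontext"]),
                                   type_of(avc["tcontext"]), avc["tclass"],
                                   avc["perms"][0]]),
        }
        sc = recs.get("SYSCALL")
        if sc:
            ev.update(syscall=sc["syscall"], exit=sc["exit"], uid=int(sc["uid"]))
            ev.update(decode_mmap(sc) or {})
        events.append(ev)
    return events


if __name__ == "__main__":
    for ev in summarize(SAMPLE_RECORDS):
        print(ev)
```

For this event the decoder reports a 1 MiB anonymous PROT_READ|PROT_WRITE mapping requested with a NULL address hint and without MAP_FIXED, refused with EACCES under the memprotect class that guards /proc/sys/kernel/mmap_min_addr. That the caller did not ask for a fixed low address is the detail worth checking before choosing between the remedies the plugins list, and it is the kind of evidence the later comments on this report rely on.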
What does # ps -eZ |grep initrc show?
[root@p5k ~]# ps -eZ |grep initrc
system_u:system_r:initrc_t:s0     821 ?        00:00:01 php-fpm
system_u:system_r:initrc_t:s0     826 ?        00:00:00 php-fpm
system_u:system_r:initrc_t:s0     828 ?        00:00:26 php-fpm
system_u:system_r:initrc_t:s0     832 ?        00:00:00 php-fpm
system_u:system_r:initrc_t:s0     833 ?        00:00:00 php-fpm
system_u:system_r:initrc_t:s0     834 ?        00:00:00 php-fpm
system_u:system_r:initrc_t:s0     885 ?        00:00:00 nginx
system_u:system_r:initrc_t:s0     886 ?        00:00:00 nginx
system_u:system_r:initrc_t:s0   16067 ?        00:00:00 php-fpm
system_u:system_r:initrc_t:s0   16082 ?        00:00:00 php-fpm
[root@p5k ~]#
These services need a new policy. But this access is pretty dangerous and the alert tells you more info. Does php-fpm work as expected?
This SELinux alert occurs when the php-fpm process needs a lot of memory and begins to use swap. In my case this occurs when the php-fpm process tries to fetch a large amount of data from databases (by default PHP fetches all data into an internal memory buffer).
Well, we will not allow this access; you need to open a bug with php-fpm to fix the problem. They should not be allocating memory at the address they are picking.
Kernel bug I keep needing to fix :-(

*** This bug has been marked as a duplicate of bug 746171 ***