Bug 836502 - RFE: add policy for php-fpm and alternative webservers
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 17
Assigned To: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Duplicates: 836503
Blocks: 888740
Reported: 2012-06-29 05:56 EDT by Jan Vcelak
Modified: 2013-03-03 20:30 EST
Doc Type: Bug Fix
Last Closed: 2013-01-06 22:59:32 EST
Type: Bug

Description Jan Vcelak 2012-06-29 05:56:11 EDT
Description of problem:

When PHP sites are served by an alternative web server (nginx, lighttpd, cherokee, etc.) with php-fpm (PHP FastCGI Process Manager), SELinux does not provide as much security as with the Apache webserver.

Nginx is becoming very popular recently [1]; it is a pity we do not have a policy for it. And the only way to restrict PHP is to run it through mod_php in Apache as a backend for an nginx proxy. (Which sucks.)

[1] http://news.netcraft.com/archives/2012/06/06/june-2012-web-server-survey.html


Version-Release number of selected component (if applicable):
any

How reproducible:


Steps to Reproduce:
1. install nginx and php-fpm, change php-fpm user from apache to nginx
2. systemctl start php-fpm.service nginx.service
3. ps axZ | grep -E '(nginx|php)'
Actual results:

system_u:system_r:initrc_t:s0    5334 ?        Ss     0:00 php-fpm: master process (/etc/php-fpm.conf)
system_u:system_r:initrc_t:s0    5335 ?        S      0:00 php-fpm: pool www
system_u:system_r:initrc_t:s0    5336 ?        S      0:00 php-fpm: pool www
system_u:system_r:initrc_t:s0    5337 ?        S      0:00 php-fpm: pool www
system_u:system_r:initrc_t:s0    5338 ?        S      0:00 php-fpm: pool www
system_u:system_r:initrc_t:s0    5339 ?        S      0:00 php-fpm: pool www
system_u:system_r:initrc_t:s0    5513 ?        Ss     0:00 nginx: master process /usr/sbin/nginx
system_u:system_r:initrc_t:s0    5514 ?        S      0:00 nginx: worker process


Expected results:
nginx and php-fpm running in some more confined domain


Additional info:
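The "Actual results" above show the symptom the report is about: php-fpm and nginx running in the generic initrc_t domain, so SELinux confines them no more than any unlabeled init-started service. The following POSIX shell function is an added example, not part of the bug report or of the selinux-policy project: it parses `ps axZ`-style lines and lists web-server and PHP processes whose SELinux type is initrc_t or an unconfined type, which is the check an administrator would run to confirm the problem and, after updating the policy, to confirm that the processes have moved into a dedicated domain. The sample input is constructed; its initrc_t lines mirror the report's output, and its httpd_t lines are an assumption about how confined processes would look (the later comments discuss using the httpd domain, but the function does not depend on that).

```shell
#!/bin/sh
# Added example (not from the bug report): flag web-server/PHP processes that
# are running outside a dedicated confined SELinux domain. Input is `ps axZ`
# output on stdin; columns are LABEL PID TTY STAT TIME COMMAND...

# Constructed sample input. The initrc_t lines mirror the report's output; the
# httpd_t lines are an assumption about what a confined setup looks like.
SAMPLE_PS='system_u:system_r:initrc_t:s0    5334 ?        Ss     0:00 php-fpm: master process (/etc/php-fpm.conf)
system_u:system_r:initrc_t:s0    5335 ?        S      0:00 php-fpm: pool www
system_u:system_r:initrc_t:s0    5513 ?        Ss     0:00 nginx: master process /usr/sbin/nginx
system_u:system_r:httpd_t:s0     6001 ?        Ss     0:00 /usr/sbin/httpd -DFOREGROUND
system_u:system_r:httpd_t:s0     6002 ?        S      0:00 php-fpm: pool www'

# find_unconfined_web_procs: print "<pid> <type> <command>" for every nginx,
# php-fpm or httpd process whose SELinux type is initrc_t, unconfined_t or
# unconfined_service_t. Exit status is 1 if any such process was found and 0
# otherwise, so the function can drive a compliance check or a cron alert.
find_unconfined_web_procs() {
    awk '
    # Only look at the command column for the daemons we care about.
    $6 ~ /nginx|php-fpm|httpd/ {
        n = split($1, ctx, ":")           # label is user:role:type:level
        type = (n >= 3) ? ctx[3] : "?"
        if (type == "initrc_t" || type == "unconfined_t" || type == "unconfined_service_t") {
            cmd = $6
            for (i = 7; i <= NF; i++) cmd = cmd " " $i
            printf "%s %s %s\n", $2, type, cmd
            hits++
        }
    }
    END { if (hits > 0) exit 1; exit 0 }'
}

# Run against the constructed sample. On a live host use:
#   ps axZ | find_unconfined_web_procs
if printf '%s\n' "$SAMPLE_PS" | find_unconfined_web_procs; then
    echo "all web-server/PHP processes run in a dedicated SELinux domain"
else
    echo "web-server/PHP processes listed above are not in a dedicated SELinux domain"
fi
```

Against the sample the function prints the three initrc_t processes (both php-fpm processes and the nginx master) and exits non-zero, while the httpd_t lines are left alone. A process that is missing from the output after an update to selinux-policy is the quickest confirmation that the new policy actually applies to it.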
Comment 1 Jan Vcelak 2012-06-29 06:02:17 EDT
*** Bug 836503 has been marked as a duplicate of this bug. ***
Comment 2 Miroslav Grepl 2012-06-29 07:26:44 EDT
Something tells me there was a problem with php-fpm and a new policy. Need to look at it.
Comment 3 Miroslav Grepl 2012-06-29 09:33:49 EDT
Actually Bryan wrote this policy so we have one which we can add.
Comment 4 Miroslav Grepl 2012-10-17 04:45:16 EDT
We have policy in F18. But we probably will move it to httpd policy.
Comment 5 Jan Vcelak 2012-10-17 06:23:13 EDT
Nice to see the progress. :-)
Comment 6 Miroslav Grepl 2012-12-16 05:22:00 EST
commit fd3d7d3bf47fa42fb2731b3446ace6b82b3017ec
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Sun Dec 16 11:20:11 2012 +0100

    Add support for php-fpm
Comment 7 Dominick Grift 2012-12-17 12:31:16 EST
We should probably make nginx run in the httpd domain as well. If I am correct, nginx is currently not targeted.
Comment 8 Fedora Update System 2012-12-17 13:40:44 EST
selinux-policy-3.10.0-165.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-165.fc17
Comment 9 Fedora Update System 2012-12-17 21:36:09 EST
Package selinux-policy-3.10.0-165.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-165.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-20544/selinux-policy-3.10.0-165.fc17
then log in and leave karma (feedback).
Comment 10 Fedora Update System 2013-01-05 01:39:46 EST
Package selinux-policy-3.10.0-166.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-166.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-20544/selinux-policy-3.10.0-166.fc17
then log in and leave karma (feedback).
Comment 11 Fedora Update System 2013-01-06 22:59:34 EST
selinux-policy-3.10.0-166.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.