Description of problem:
When PHP sites are served by an alternative web server (nginx, lighttpd, cherokee, etc.) with php-fpm (PHP FastCGI Process Manager), SELinux does not provide as much security as with the Apache webserver. Nginx is becoming very popular recently [1]; it is a pity we do not have a policy for it. And the only way to restrict PHP is to run it through mod_php in Apache as a backend for an nginx proxy. (Which sucks.)

[1] http://news.netcraft.com/archives/2012/06/06/june-2012-web-server-survey.html

Version-Release number of selected component (if applicable):
any

How reproducible:

Steps to Reproduce:
1. install nginx and php-fpm, change php-fpm user from apache to nginx
2. systemctl start php-fpm.service nginx.service
3. ps axZ | grep -E '(nginx|php)'

Actual results:
system_u:system_r:initrc_t:s0 5334 ? Ss 0:00 php-fpm: master process (/etc/php-fpm.conf)
system_u:system_r:initrc_t:s0 5335 ? S 0:00 php-fpm: pool www
system_u:system_r:initrc_t:s0 5336 ? S 0:00 php-fpm: pool www
system_u:system_r:initrc_t:s0 5337 ? S 0:00 php-fpm: pool www
system_u:system_r:initrc_t:s0 5338 ? S 0:00 php-fpm: pool www
system_u:system_r:initrc_t:s0 5339 ? S 0:00 php-fpm: pool www
system_u:system_r:initrc_t:s0 5513 ? Ss 0:00 nginx: master process /usr/sbin/nginx
system_u:system_r:initrc_t:s0 5514 ? S 0:00 nginx: worker process

Expected results:
nginx and php-fpm running in some more confined domain

Additional info:
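The reproduction above boils down to one check: are the web-facing processes in the generic initrc_t domain (effectively unconfined by the targeted policy) or in a confined domain such as httpd_t? The script below is an added example, not part of this bug report or of the selinux-policy package; it parses `ps axZ`-style lines and flags any nginx or php-fpm process whose domain is still initrc_t. The sample process listing is constructed for the example (it mixes the broken state from the report with the confined state expected after the fix).

```shell
#!/bin/sh
# Added example (not from the bug report): audit the SELinux domain of
# nginx/php-fpm processes from `ps axZ`-style output and flag any that run
# in the generic initrc_t domain instead of a confined one such as httpd_t.

# Constructed sample in the format of `ps axZ`: context PID TTY STAT TIME CMD.
# The first two lines mirror the unconfined state from the report; the nginx
# lines show the confined state expected once a policy module is installed.
SAMPLE_PS='system_u:system_r:initrc_t:s0 5334 ? Ss 0:00 php-fpm: master process (/etc/php-fpm.conf)
system_u:system_r:initrc_t:s0 5335 ? S 0:00 php-fpm: pool www
system_u:system_r:httpd_t:s0 5513 ? Ss 0:00 nginx: master process /usr/sbin/nginx
system_u:system_r:httpd_t:s0 5514 ? S 0:00 nginx: worker process'

# Read ps output from stdin and print "PID domain command" for every nginx or
# php-fpm process whose domain is initrc_t. Returns 1 if any were found (so
# it can gate a health check), 0 when all web processes are confined.
unconfined_web_procs() {
    awk '
        $1 ~ /^system_u:system_r:initrc_t/ && $6 ~ /^(nginx|php-fpm)/ {
            split($1, ctx, ":")      # user:role:type:level
            print $2, ctx[3], $6     # PID, SELinux type, command name
            found = 1
        }
        END { exit found ? 1 : 0 }
    '
}

# Live usage on a host:  ps axZ | unconfined_web_procs
# Demonstration on the constructed sample:
printf '%s\n' "$SAMPLE_PS" | unconfined_web_procs || true
```

On the sample this prints the two php-fpm processes (5334 and 5335) with domain initrc_t and exits 1, while the httpd_t nginx workers are silently accepted; on a real host, run it after installing the updated selinux-policy and restarting both services to confirm the fix took effect.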
*** Bug 836503 has been marked as a duplicate of this bug. ***
Something tells me there was a problem with php-fpm and a new policy. Need to look at it.
Actually Bryan wrote this policy so we have one which we can add.
We have policy in F18. But we probably will move it to httpd policy.
Nice to see the progress. :-)
commit fd3d7d3bf47fa42fb2731b3446ace6b82b3017ec
Author: Miroslav Grepl <mgrepl>
Date:   Sun Dec 16 11:20:11 2012 +0100

    Add support for php-fpm
We should probably make nginx run in the httpd domain as well. If I am correct, nginx is currently not targeted.
selinux-policy-3.10.0-165.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-165.fc17
Package selinux-policy-3.10.0-165.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-165.fc17'
as soon as you are able to. Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-20544/selinux-policy-3.10.0-165.fc17
then log in and leave karma (feedback).
Package selinux-policy-3.10.0-166.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-166.fc17'
as soon as you are able to. Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-20544/selinux-policy-3.10.0-166.fc17
then log in and leave karma (feedback).
selinux-policy-3.10.0-166.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.