Red Hat Bugzilla – Bug 836503
RFE: add policy for php-fpm and alternative webservers
Last modified: 2013-03-03 20:30:54 EST
Description of problem:
When PHP sites are served by an alternative web server (nginx, lighttpd, cherokee, etc.) with php-fpm (PHP FastCGI Process Manager), SELinux does not provide as much security as with the Apache webserver.
Nginx is becoming very popular recently; it is a pity we do not have a policy for it. And the only way to restrict PHP is to run it through mod_php in Apache as a backend for an nginx proxy. (Which sucks.)
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. install nginx and php-fpm, change php-fpm user from apache to nginx
2. systemctl start php-fpm.service nginx.service
3. ps axZ | grep -E '(nginx|php)'
system_u:system_r:initrc_t:s0 5334 ? Ss 0:00 php-fpm: master process (/etc/php-fpm.conf)
system_u:system_r:initrc_t:s0 5335 ? S 0:00 php-fpm: pool www
system_u:system_r:initrc_t:s0 5336 ? S 0:00 php-fpm: pool www
system_u:system_r:initrc_t:s0 5337 ? S 0:00 php-fpm: pool www
system_u:system_r:initrc_t:s0 5338 ? S 0:00 php-fpm: pool www
system_u:system_r:initrc_t:s0 5339 ? S 0:00 php-fpm: pool www
system_u:system_r:initrc_t:s0 5513 ? Ss 0:00 nginx: master process /usr/sbin/nginx
system_u:system_r:initrc_t:s0 5514 ? S 0:00 nginx: worker process
nginx and php-fpm running in some more confined domain
Submitted twice by mistake (due to bugzilla proxy error).
*** This bug has been marked as a duplicate of bug 836502 ***
I have suggested we run nginx in httpd_t just like lighttpd, apache as well as cherokee a while ago.
However, the selinux policy upstream maintainer rejected it:
I still believe this is the way to go.
You can apply these changes manually by using semanage fcontext to tell selinux how the various nginx locations should be labeled and apply these specs with restorecon -R -v ...
There is also a policy submitted upstream for php-fpm here:
I personally have my reservations about this policy; however, I do not have enough information and knowledge of php-fpm to make a good and solid argument against it.
My suggestion is to also run php-fpm in httpd_t since I *suspect* that php-fpm needs much of the same access that webservers do.
I might be wrong.
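The manual relabeling the comment above describes, written out as an added example (this script is not part of the bug report or of the Fedora policy): it records file-context specs that put the nginx and php-fpm binaries in httpd_exec_t, so that systemd's exec of them transitions into httpd_t instead of leaving them in initrc_t as in the ps output above, and labels their configs, logs, runtime and content directories with the matching httpd_* types. The paths are assumed to be the Fedora package defaults of the time; the type choices for the php-fpm and session paths are this example's assumptions, not something the policy maintainer stated.

```shell
#!/bin/sh
# Added example: run nginx and php-fpm in httpd_t by relabeling, not by
# writing a new policy module. Assumes Fedora-style paths (see lead-in).
set -eu

# One "pattern type" pair per line. The regexes are semanage fcontext
# patterns; the types come from the existing apache policy.
fcontext_specs() {
    cat <<'EOF'
/usr/sbin/nginx                 httpd_exec_t
/etc/nginx(/.*)?                httpd_config_t
/var/log/nginx(/.*)?            httpd_log_t
/var/lib/nginx(/.*)?            httpd_var_lib_t
/var/run/nginx\.pid             httpd_var_run_t
/usr/share/nginx/html(/.*)?     httpd_sys_content_t
/usr/sbin/php-fpm               httpd_exec_t
/etc/php-fpm\.conf              httpd_config_t
/etc/php-fpm\.d(/.*)?           httpd_config_t
/var/log/php-fpm(/.*)?          httpd_log_t
/var/run/php-fpm(/.*)?          httpd_var_run_t
/var/lib/php/session(/.*)?      httpd_var_run_t
EOF
}

# Number of specs that map to a given type (used for sanity checks below).
count_type() {
    fcontext_specs | awk -v t="$1" '$2 == t' | wc -l | tr -d ' '
}

# Store the specs in the local policy (survives a full relabel), then apply
# them to the files that exist now. Needs root and the policycoreutils tools.
# `semanage fcontext -a` refuses a pattern that is already defined, so fall
# back to -m (modify) in that case.
apply_specs() {
    fcontext_specs | while read -r pattern type; do
        semanage fcontext -a -t "$type" "$pattern" 2>/dev/null ||
            semanage fcontext -m -t "$type" "$pattern"
    done
    restorecon -R -v /usr/sbin/nginx /etc/nginx /var/log/nginx /var/lib/nginx \
        /usr/share/nginx /usr/sbin/php-fpm /etc/php-fpm.conf /etc/php-fpm.d \
        /var/log/php-fpm /var/lib/php 2>/dev/null || true
}

# After `systemctl restart php-fpm.service nginx.service`, print how many
# nginx/php-fpm processes are still in initrc_t. Zero means the domain
# transition into httpd_t happened for all of them.
initrc_leftovers() {
    ps -eo label,comm |
        awk '$1 ~ /^system_u:system_r:initrc_t/ && ($2 == "nginx" || $2 == "php-fpm")' |
        wc -l | tr -d ' '
}

case "${1:-}" in
    apply) apply_specs ;;
    check) initrc_leftovers ;;
    *)     fcontext_specs ;;   # default: just show what would be labeled
esac
```

Run `sh relabel.sh apply` as root, restart both services, then `sh relabel.sh check` should print 0 and `ps axZ | grep -E '(nginx|php)'` should show httpd_t rather than initrc_t. One caveat the labels alone do not cover: if nginx reaches php-fpm over TCP (127.0.0.1:9000) instead of the unix socket under /var/run/php-fpm, httpd_t also needs that outbound connection allowed (for example via the httpd_can_network_connect boolean); with the socket, both ends are httpd_t and the socket file is httpd_var_run_t, so no extra rule is needed.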