Bug 836503 - RFE: add policy for php-fpm and alternative webservers
Status: CLOSED DUPLICATE of bug 836502
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 17
Assigned To: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Reported: 2012-06-29 05:58 EDT by Jan Vcelak
Modified: 2013-03-03 20:30 EST (History)
Last Closed: 2012-06-29 06:02:17 EDT
Type: Bug

Description Jan Vcelak 2012-06-29 05:58:28 EDT
Description of problem:

When PHP sites are served by alternative web server (nginx, lighttpd, cherokee, etc.) with php-fpm (PHP FastCGI Process Manager), SELinux does not provide as much security as with Apache webserver.

Nginx is becoming very popular recently [1]; it is a pity we do not have a policy for it. And the only way to restrict the PHP is to run it through mod_php in Apache as a backend for nginx proxy. (Which sucks.)

[1] http://news.netcraft.com/archives/2012/06/06/june-2012-web-server-survey.html


Version-Release number of selected component (if applicable):
any

How reproducible:


Steps to Reproduce:
1. install nginx and php-fpm, change php-fpm user from apache to nginx
2. systemctl start php-fpm.service nginx.service
3. ps axZ | grep -E '(nginx|php)'
  
Actual results:

system_u:system_r:initrc_t:s0    5334 ?        Ss     0:00 php-fpm: master process (/etc/php-fpm.conf)
system_u:system_r:initrc_t:s0    5335 ?        S      0:00 php-fpm: pool www
system_u:system_r:initrc_t:s0    5336 ?        S      0:00 php-fpm: pool www
system_u:system_r:initrc_t:s0    5337 ?        S      0:00 php-fpm: pool www
system_u:system_r:initrc_t:s0    5338 ?        S      0:00 php-fpm: pool www
system_u:system_r:initrc_t:s0    5339 ?        S      0:00 php-fpm: pool www
system_u:system_r:initrc_t:s0    5513 ?        Ss     0:00 nginx: master process /usr/sbin/nginx
system_u:system_r:initrc_t:s0    5514 ?        S      0:00 nginx: worker process


Expected results:
nginx and php-fpm running in some more confined domain


Additional info:
Comment 1 Jan Vcelak 2012-06-29 06:02:17 EDT
Submitted twice by mistake (due to bugzilla proxy error).

*** This bug has been marked as a duplicate of bug 836502 ***
Comment 2 Dominick Grift 2012-06-29 06:19:24 EDT
I have suggested we run nginx in httpd_t just like lighttpd, apache as well as cherokee a while ago.

However selinux policy upstream maintainer rejected it:

http://oss.tresys.com/pipermail/refpolicy/2011-March/004135.html

I still believe this is the way to go.

You can apply these changes manually by using semanage fcontext to tell selinux how the various nginx locations should be labeled and apply these specs with restorecon -R -v ...
Comment 3 Dominick Grift 2012-06-29 06:38:28 EDT
There is also a policy submitted upstream for php-fpm here:

http://oss.tresys.com/pipermail/refpolicy/2012-June/005176.html

I personally have my reservations about this policy; however, I do not have enough information and knowledge of php-fpm to make a good and solid argument against it.

My suggestion is to also run php-fpm in httpd_t since I *suspect* that php-fpm needs much of the same access that webservers do.

I might be wrong.
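The manual relabeling that Comments 2 and 3 describe (semanage fcontext specs for the nginx and php-fpm locations, then restorecon), plus a check on the ps axZ output from the report, as an added example that is not part of the bug report or the selinux-policy package. Only /usr/sbin/nginx and /etc/php-fpm.conf are taken from the report; every other path is an assumed Fedora default.

```shell
# Added example, not from the bug report: relabel nginx and php-fpm so they run in the
# existing Apache domain httpd_t, as Comments 2 and 3 suggest. Only /usr/sbin/nginx and
# /etc/php-fpm.conf appear in the report; the other paths are assumed Fedora defaults.

# File-context specs as "regex type"; every type is one httpd_t already uses,
# so no new policy module is required.
httpd_fcontext_specs() {
    cat <<'EOF'
/usr/sbin/nginx httpd_exec_t
/usr/sbin/php-fpm httpd_exec_t
/etc/nginx(/.*)? httpd_config_t
/etc/php-fpm\.conf httpd_config_t
/etc/php-fpm\.d(/.*)? httpd_config_t
/var/log/nginx(/.*)? httpd_log_t
/var/log/php-fpm(/.*)? httpd_log_t
/var/lib/nginx(/.*)? httpd_var_lib_t
/run/nginx\.pid httpd_var_run_t
/run/php-fpm(/.*)? httpd_var_run_t
EOF
}

# Print the semanage/restorecon commands for review; pipe into "sudo sh" to apply.
# semanage stores each spec persistently; restorecon relabels files already on disk.
relabel_commands() {
    httpd_fcontext_specs | while read -r regex type; do
        printf "semanage fcontext -a -t %s '%s'\n" "$type" "$regex"
        # Turn the regex back into a plain path: drop a trailing "(/.*)?", unescape dots.
        path=$(printf '%s' "$regex" | sed -e 's#(/\.\*)?$##' -e 's#\\\.#.#g')
        printf "restorecon -R -v '%s'\n" "$path"
    done
}

# Domain (type) of one "ps axZ" line: third colon-separated field of the context.
ps_domain() {
    printf '%s\n' "$1" | awk '{ split($1, c, ":"); print c[3] }'
}

# Read "ps axZ" output on stdin and print nginx/php-fpm processes NOT in httpd_t.
# Exit 0 when all are confined, 1 otherwise ("ps axZ | unconfined_web_procs").
unconfined_web_procs() {
    status=0
    while IFS= read -r line; do
        case "$line" in *nginx*|*php-fpm*) ;; *) continue ;; esac
        [ "$(ps_domain "$line")" = "httpd_t" ] && continue
        printf '%s\n' "$line"
        status=1
    done
    return $status
}
```

After applying the commands, restart both services; the processes only transition into httpd_t when systemd executes a binary labeled httpd_exec_t, which is why the report shows them stuck in initrc_t.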
