Bug 882467 - SELinux is preventing /usr/sbin/php-fpm (deleted) from 'create' accesses on the file m_gavrilov-error.log.
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 18
Hardware: i686
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:74c1864b5aa0460100ff8fe4c04...
Depends On:
Blocks:
 
Reported: 2012-12-01 07:21 UTC by Mikhail
Modified: 2012-12-18 06:54 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-12-18 06:54:41 UTC
Type: ---


Attachments
File: description (2.49 KB, text/plain)
2012-12-01 07:21 UTC, Mikhail

Description Mikhail 2012-12-01 07:21:00 UTC
Additional info:
hashmarkername: setroubleshoot
kernel:         3.6.7-5.fc18.i686.PAE
type:           libreport

Comment 1 Mikhail 2012-12-01 07:21:03 UTC
Created attachment 655424 [details]
File: description

Comment 2 Mikhail 2012-12-02 11:11:04 UTC
I ran sudo setsebool -P httpd_enable_homedirs 1
but php-fpm still cannot write to the home directory :(

This PHP code:
if(($handler = fopen($program_dir.'/logs/'.$user.'-'.$fname, "a")) !== false)

Comment 3 Dominick Grift 2012-12-02 12:00:47 UTC
setsebool -P httpd_enable_homedirs 1

Only allows httpd_t to traverse "~". If you use this, you will still need to label the content that php-fpm is trying to manage with types that php-fpm can manage.

I will give you an example.

Let's assume you have a webapp here: ~/public_html/webapp
You have log content for the webapp here: ~/public_html/webapp/logs

You set the boolean httpd_enable_homedirs and you make sure that the apache or httpd user can traverse "~" from a traditional Linux security perspective (something like, for example, chmod o+x /home/Mikhail).

The ~/public_html should automatically have been labeled with type httpd_user_content_t, and php-fpm can read that content.

But php-fpm opens the log file in ~/public_html/webapp/logs for append, and php-fpm is not allowed to append to files labeled with type httpd_user_content_t.

So you will need to use the chcon command to label the logs directory and its content with a type that php-fpm can append to.

Type httpd_user_content_ra_t should allow this:

chcon -R -t httpd_user_content_ra_t ~/public_html/webapp/logs

Otherwise type httpd_user_content_rw_t will (it is a bit broader).

By labeling the various content according to their properties you ensure optimal integrity of your webapp content.

Comment 4 Mikhail 2012-12-02 12:49:03 UTC
chcon does not solve this problem.

What is wrong here?

$ sudo chcon -R -t -v httpd_user_content_ra_t ~/www/bes/logs
chcon: cannot access ‘httpd_user_content_ra_t’: No such file or directory
chcon: failed to change context of ‘readme’ to ‘unconfined_u:object_r:-v:s0’: Invalid argument
chcon: failed to change context of ‘/home/mikhail/www/bes/logs’ to ‘unconfined_u:object_r:-v:s0’: Invalid argument

Comment 5 Mikhail 2012-12-02 12:49:46 UTC
[mikhail@localhost ~]$ sudo chcon -Rvt httpd_user_content_ra_t ~/www/bes/logs
changing security context of ‘/home/mikhail/www/bes/logs/readme’
changing security context of ‘/home/mikhail/www/bes/logs’
[mikhail@localhost ~]$ ls -laZ ~/w
winetricks  www/        
[mikhail@localhost ~]$ ls -laZ ~/www/bes/logs/
drwxrwx---. mikhail mikhail unconfined_u:object_r:httpd_user_ra_content_t:s0 .
drwxrwx---. mikhail mikhail unconfined_u:object_r:httpd_user_ra_content_t:s0 ..
-rwxrwx---. mikhail mikhail unconfined_u:object_r:httpd_user_ra_content_t:s0 readme

Comment 6 Dominick Grift 2012-12-02 13:23:45 UTC
No need to use sudo for this.

Is it working now?

Comment 7 Mikhail 2012-12-02 13:28:56 UTC
No, the SELinux alert still occurs.

Comment 8 Dominick Grift 2012-12-02 13:53:08 UTC
can you show the current avc denial?

Comment 9 Mikhail 2012-12-02 14:39:22 UTC
type=AVC msg=audit(1354458193.470:38976): avc:  denied  { create } for  pid=6597 comm="php-fpm" name="m_gavrilov-sql.log" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_user_ra_content_t:s0 tclass=file
type=SYSCALL msg=audit(1354458193.470:38976): arch=40000003 syscall=5 success=no exit=-13 a0=9c09364 a1=441 a2=1b6 a3=0 items=0 ppid=6592 pid=6597 auid=4294967295 uid=991 gid=988 euid=991 suid=991 fsuid=991 egid=988 sgid=988 fsgid=988 tty=(none) ses=4294967295 comm="php-fpm" exe="/usr/sbin/php-fpm" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1354458193.471:38977): avc:  denied  { create } for  pid=6597 comm="php-fpm" name="m_gavrilov-sql.log" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_user_ra_content_t:s0 tclass=file
type=SYSCALL msg=audit(1354458193.471:38977): arch=40000003 syscall=5 success=no exit=-13 a0=9c0919c a1=441 a2=1b6 a3=0 items=0 ppid=6592 pid=6597 auid=4294967295 uid=991 gid=988 euid=991 suid=991 fsuid=991 egid=988 sgid=988 fsgid=988 tty=(none) ses=4294967295 comm="php-fpm" exe="/usr/sbin/php-fpm" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1354458193.471:38978): avc:  denied  { create } for  pid=6597 comm="php-fpm" name="m_gavrilov-sql.log" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_user_ra_content_t:s0 tclass=file
type=SYSCALL msg=audit(1354458193.471:38978): arch=40000003 syscall=5 success=no exit=-13 a0=9c0919c a1=441 a2=1b6 a3=0 items=0 ppid=6592 pid=6597 auid=4294967295 uid=991 gid=988 euid=991 suid=991 fsuid=991 egid=988 sgid=988 fsgid=988 tty=(none) ses=4294967295 comm="php-fpm" exe="/usr/sbin/php-fpm" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1354458193.472:38979): avc:  denied  { create } for  pid=6597 comm="php-fpm" name="m_gavrilov-sql.log" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_user_ra_content_t:s0 tclass=file
type=SYSCALL msg=audit(1354458193.472:38979): arch=40000003 syscall=5 success=no exit=-13 a0=9c092ac a1=441 a2=1b6 a3=0 items=0 ppid=6592 pid=6597 auid=4294967295 uid=991 gid=988 euid=991 suid=991 fsuid=991 egid=988 sgid=988 fsgid=988 tty=(none) ses=4294967295 comm="php-fpm" exe="/usr/sbin/php-fpm" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1354458193.479:38980): avc:  denied  { create } for  pid=6597 comm="php-fpm" name="m_gavrilov-sql.log" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_user_ra_content_t:s0 tclass=file
type=SYSCALL msg=audit(1354458193.479:38980): arch=40000003 syscall=5 success=no exit=-13 a0=9c0c0dc a1=441 a2=1b6 a3=0 items=0 ppid=6592 pid=6597 auid=4294967295 uid=991 gid=988 euid=991 suid=991 fsuid=991 egid=988 sgid=988 fsgid=988 tty=(none) ses=4294967295 comm="php-fpm" exe="/usr/sbin/php-fpm" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1354458193.490:38981): avc:  denied  { create } for  pid=6597 comm="php-fpm" name="m_gavrilov-sql.log" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_user_ra_content_t:s0 tclass=file
type=SYSCALL msg=audit(1354458193.490:38981): arch=40000003 syscall=5 success=no exit=-13 a0=9c2a158 a1=441 a2=1b6 a3=0 items=0 ppid=6592 pid=6597 auid=4294967295 uid=991 gid=988 euid=991 suid=991 fsuid=991 egid=988 sgid=988 fsgid=988 tty=(none) ses=4294967295 comm="php-fpm" exe="/usr/sbin/php-fpm" subj=system_u:system_r:httpd_t:s0 key=(null)

Comment 10 Dominick Grift 2012-12-02 15:31:26 UTC
ok try httpd_user_content_rw_t instead (this is a bug)

Comment 11 Dominick Grift 2012-12-02 15:35:22 UTC
httpd_t should be able to create httpd_user_content_ra_t files.

create, read, setattr and append, to be more precise.

httpd_user_content_ra_t and httpd_sys_content_ra_t are file types that can be used for logging.

The only difference from httpd_user_content_rw_t should be that httpd_t cannot write to httpd_user_content_ra_t files.
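
One way to triage the denials posted in comment 9 against the type semantics Dominick describes in comments 3 and 11, as an added example (this is not code from the bug report, from setroubleshoot or from selinux-policy, and the permission table it uses is a simplified assumption distilled from those two comments rather than the real policy): parse the AVC records, fold them into the rule audit2allow would propose, and decide per denial whether the fix is a relabel or a policy change. The sample input reuses two of the AVC lines from comment 9 and adds two denials constructed here.

```python
"""Triage SELinux AVC denials against the intended httpd content-type semantics.

Added example for this bug report; it is not code from the report, from
setroubleshoot or from selinux-policy. The permission table is an assumption
distilled from comments 3 and 11 (httpd_user_content_t: read only;
httpd_user_ra_content_t: create/read/setattr/append; httpd_user_rw_content_t:
the same plus write) and is deliberately simplified.
"""
import re
from collections import defaultdict

# Two of the six AVC records from comment 9 (with the SYSCALL record that
# follows the first one, trimmed), plus two denials constructed for this
# example to exercise the other branches of classify().
SAMPLE_AUDIT = """\
type=AVC msg=audit(1354458193.470:38976): avc:  denied  { create } for  pid=6597 comm="php-fpm" name="m_gavrilov-sql.log" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_user_ra_content_t:s0 tclass=file
type=SYSCALL msg=audit(1354458193.470:38976): arch=40000003 syscall=5 success=no exit=-13 comm="php-fpm" exe="/usr/sbin/php-fpm" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1354458193.471:38977): avc:  denied  { create } for  pid=6597 comm="php-fpm" name="m_gavrilov-sql.log" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_user_ra_content_t:s0 tclass=file
type=AVC msg=audit(1354458200.000:38990): avc:  denied  { append } for  pid=6597 comm="php-fpm" name="app.log" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_user_content_t:s0 tclass=file
type=AVC msg=audit(1354458201.000:38991): avc:  denied  { write } for  pid=6597 comm="php-fpm" name="state.db" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_user_ra_content_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r'^type=AVC\b.*?\bavc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}'
    r'.*?\bcomm="(?P<comm>[^"]*)"'
    r'.*?\bscontext=(?P<scontext>\S+)'
    r'\s+tcontext=(?P<tcontext>\S+)'
    r'\s+tclass=(?P<tclass>\S+)'
)

# Least-privileged type first, so a relabel recommendation picks the
# narrowest type that covers the denied permissions.
CONTENT_TYPES = (
    ("httpd_user_content_t", frozenset({"read"})),
    ("httpd_user_ra_content_t", frozenset({"read", "create", "setattr", "append"})),
    ("httpd_user_rw_content_t", frozenset({"read", "create", "setattr", "append", "write"})),
)
INTENDED = dict(CONTENT_TYPES)


def context_type(ctx):
    """Return the type field of a user:role:type[:level] security context."""
    parts = ctx.split(":")
    if len(parts) < 3:
        raise ValueError(f"not a SELinux context: {ctx!r}")
    return parts[2]


def parse_avc(audit_text):
    """Extract the denial records; SYSCALL/PATH/... records are skipped."""
    denials = []
    for line in audit_text.splitlines():
        m = AVC_RE.match(line)
        if m is None:
            continue
        denials.append({
            "comm": m.group("comm"),
            "perms": frozenset(m.group("perms").split()),
            "stype": context_type(m.group("scontext")),
            "ttype": context_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
        })
    return denials


def classify(denial):
    """Decide whether a denial is a labeling problem or a policy gap."""
    if denial["stype"] != "httpd_t" or denial["tclass"] != "file":
        return ("out-of-scope", None)
    intended = INTENDED.get(denial["ttype"])
    if intended is None:
        return ("unknown-type", None)
    if denial["perms"] <= intended:
        # The type is documented to permit this access, yet it was denied:
        # the gap is in the policy (comment 13's missing
        # create_files_pattern), not in how the file is labeled.
        return ("policy-bug", denial["ttype"])
    for name, perms in CONTENT_TYPES:
        if denial["perms"] <= perms:
            return ("relabel", name)
    return ("needs-policy", None)


def allow_rules(denials):
    """Collapse denials into audit2allow-style rules, one per (src, tgt, class)."""
    merged = defaultdict(set)
    for d in denials:
        merged[(d["stype"], d["ttype"], d["tclass"])].update(d["perms"])
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in sorted(merged.items())
    ]


if __name__ == "__main__":
    found = parse_avc(SAMPLE_AUDIT)
    for d in found:
        verdict, ttype = classify(d)
        perms = " ".join(sorted(d["perms"]))
        print(f"{d['comm']}: {{ {perms} }} on {d['ttype']} -> {verdict}"
              + (f" ({ttype})" if ttype else ""))
    print("audit2allow would propose:")
    for rule in allow_rules(found):
        print("  " + rule)
```

The policy-bug verdict on the create denial is what comments 11 and 13 conclude: httpd_user_ra_content_t is meant to be creatable and appendable by httpd_t, so the missing create_files_pattern() is fixed in the policy, not by relabeling. Two caveats. First, the merged rule for httpd_user_ra_content_t also carries the constructed write denial, so loading audit2allow output unread would turn append-only log content into writable content; classify before you allow. Second, chcon changes are lost on the next restorecon or relabel; the persistent form of a relabel recommendation is semanage fcontext -a -t <type> '<path regex>' followed by restorecon -Rv <path>. Note also that chcon -t httpd_user_content_ra_t in comment 5 shows up as httpd_user_ra_content_t in ls -Z: the two names are aliases of one type, which is why the table uses the name the AVC records report.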

Comment 12 Mikhail 2012-12-02 15:37:14 UTC
(In reply to comment #10)
> ok try httpd_user_content_rw_t instead (this is a bug)

Thanks, it helped. Now my web application works.

Comment 13 Daniel Walsh 2012-12-06 21:26:31 UTC
Dominick you want to add

	create_files_pattern(httpd_$1_script_t, httpd_$1_ra_content_t, httpd_$1_ra_content_t)

to apache_content_type()

Comment 14 Dominick Grift 2012-12-06 21:59:39 UTC
You mean apache_content_template()

Yes, refpolicy already has this so this should trickle down with the next merge.

Feel free to add it to Fedora now if you want to. I currently have some computer issues that prevent me from doing that at the moment.

Comment 15 Daniel Walsh 2012-12-06 22:12:08 UTC
Fixed in selinux-policy-3.11.1-61.fc18.noarch

Comment 16 Fedora Update System 2012-12-11 17:51:46 UTC
selinux-policy-3.11.1-62.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-62.fc18

Comment 17 Fedora Update System 2012-12-11 23:28:19 UTC
Package selinux-policy-3.11.1-62.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-62.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-20203/selinux-policy-3.11.1-62.fc18
then log in and leave karma (feedback).

Comment 18 Fedora Update System 2012-12-17 17:39:56 UTC
selinux-policy-3.11.1-66.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-66.fc18

Comment 19 Fedora Update System 2012-12-18 06:54:43 UTC
selinux-policy-3.11.1-66.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

