Description of problem:
Just open page below in google-chrome!! http://example.com/test.php

SELinux is preventing /usr/sbin/php-fpm from 'name_connect' accesses on the tcp_socket .

***** Plugin connect_ports (99.5 confidence) suggests **********************

If you want to allow /usr/sbin/php-fpm to connect to network port 7020
Then you need to modify the port type.
Do
# semanage port -a -t PORT_TYPE -p tcp 7020
where PORT_TYPE is one of the following: dns_port_t, ocsp_port_t, kerberos_port_t, http_port_t, ocsp_port_t, kerberos_port_t.

***** Plugin catchall (1.49 confidence) suggests ***************************

If you believe that php-fpm should be allowed name_connect access on the tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep php-fpm /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                system_u:object_r:unreserved_port_t:s0
Target Objects                [ tcp_socket ]
Source                        php-fpm
Source Path                   /usr/sbin/php-fpm
Port                          7020
Host                          (removed)
Source RPM Packages           php-fpm-5.4.9-1.fc18.i686
Target RPM Packages
Policy RPM                    selinux-policy-3.11.1-62.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.6.10-5.fc18.i686.PAE #1 SMP Fri Dec 14 17:25:56 UTC 2012 i686 i686
Alert Count                   3
First Seen                    2012-12-17 10:11:58 YEKT
Last Seen                     2012-12-17 10:13:24 YEKT
Local ID                      a558b89f-95cb-4729-8831-78712ac563e1

Raw Audit Messages
type=AVC msg=audit(1355717604.189:1635): avc: denied { name_connect } for pid=7357 comm="php-fpm" dest=7020 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket

type=SYSCALL msg=audit(1355717604.189:1635): arch=i386 syscall=socketcall success=no exit=EACCES a0=3 a1=bfb0d0b0 a2=83f0000 a3=6 items=0 ppid=7353 pid=7357 auid=4294967295 uid=991 gid=988 euid=991 suid=991 fsuid=991 egid=988 sgid=988 fsgid=988 tty=(none) ses=4294967295 comm=php-fpm exe=/usr/sbin/php-fpm subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: php-fpm,httpd_t,unreserved_port_t,tcp_socket,name_connect

audit2allow

#============= httpd_t ==============
#!!!! This avc can be allowed using one of the these booleans:
#     nis_enabled, httpd_can_network_connect
allow httpd_t unreserved_port_t:tcp_socket name_connect;

audit2allow -R

#============= httpd_t ==============
#!!!! This avc can be allowed using one of the these booleans:
#     nis_enabled, httpd_can_network_connect
allow httpd_t unreserved_port_t:tcp_socket name_connect;

Additional info:
hashmarkername: setroubleshoot
kernel:         3.6.10-5.fc18.i686.PAE
type:           libreport
I really don't know why a web page that just contains the "#!/usr/bin/php" string triggers this SELinux alert.
Also with Firefox.
Are you using NIS? Does everything work?
Sorry, what is NIS?
Is tcp/7020 port defined in the php-fpm configuration?
Created attachment 664727: www.conf
Ohh, very interesting situation:

1. example.com -> resolves host as 127.0.0.1
2. I have at localhost test.php with the following content:

    #!/usr/bin/php
    <?php
    /**
     * Create or append a log file in the log catalogue
     * @param string $fname file name of the log file
     * @param string $key name of key
     * @param string $value
     */
    function writelog($fname, $key, $value = NULL) {
        global $program_dir;
        if(empty($_SESSION['user']['login']))
            $user = $GLOBALS['clientip'];
        else
            $user = $_SESSION['user']['login'];
        if(($handler = fopen($user.'-'.$fname, "a")) !== false) {
            $datetime = strtotime("now");
            $logMsg = gmdate("r", $datetime)." ".$user." ".$key;
            if(isset($value))
                $logMsg .= "=".print_r($value,true);
            $logMsg .= "\n";
            fputs($handler, $logMsg);
            fclose($handler);
        }
    }
    if(isset($_SERVER['HTTP_X_FORWARDED_FOR']))
        $GLOBALS['clientip'] = $_SERVER['HTTP_X_FORWARDED_FOR'];
    else
        $GLOBALS['clientip'] = $_SERVER['REMOTE_ADDR'];
    writelog('bbb.log','mmm',"http://ipgeobase.ru:7020/geo?ip={$GLOBALS['clientip']}");
    // This outbound request from php-fpm to ipgeobase.ru:7020 is what raises the AVC denial
    // (the ip= parameter was missing here; it is filled from $GLOBALS['clientip'] as in the log line above).
    $xmlobj = simplexml_load_file("http://ipgeobase.ru:7020/geo?ip={$GLOBALS['clientip']}");
    ?>

And OMG, this script tries to access http://ipgeobase.ru:7020. Ok, how do I correctly allow this connection?
Good catch. You can do either

    semanage port -a -t http_port_t -p tcp 7020

or

    setsebool -P httpd_can_network_connect 1
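As an added example (not part of this bug report or of setroubleshoot), a small POSIX shell helper that parses the AVC record quoted above and picks between the two fixes from the previous comment: when the target is unreserved_port_t it proposes the port-specific semanage label, since setsebool httpd_can_network_connect lets every httpd_t process connect to any port. The sample record is the one from the report; the function names are mine.

```shell
#!/bin/sh
# Constructed sample input: the AVC record quoted in this bug report.
AVC_SAMPLE='type=AVC msg=audit(1355717604.189:1635): avc: denied { name_connect } for pid=7357 comm="php-fpm" dest=7020 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket'

# avc_field RECORD KEY: value of KEY=value in an audit record, quotes stripped.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perm RECORD: the permission named inside "denied { ... }".
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied[[:space:]]*{[[:space:]]*\([^ }]*\).*/\1/p'
}

# context_type CONTEXT: the type component of a user:role:TYPE:level context.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary RECORD: "domain permission class port port_type" on one line.
avc_summary() {
    printf '%s %s %s %s %s\n' \
        "$(context_type "$(avc_field "$1" scontext)")" "$(avc_perm "$1")" \
        "$(avc_field "$1" tclass)" "$(avc_field "$1" dest)" \
        "$(context_type "$(avc_field "$1" tcontext)")"
}

# avc_remediation RECORD: narrowest fix for an httpd_t outbound-connect denial.
# unreserved_port_t means the port carries no specific label, so labelling just
# that port as http_port_t is enough. A port that already has another label is
# left for review, because the boolean opens every port to every httpd_t process.
# Returns 1 for denials this helper has no rule for.
avc_remediation() {
    set -- $(avc_summary "$1")
    if [ "$1" = httpd_t ] && [ "$2" = name_connect ] && [ "$3" = tcp_socket ]; then
        if [ "$5" = unreserved_port_t ]; then
            printf 'semanage port -a -t http_port_t -p tcp %s\n' "$4"
        else
            printf 'port %s already labelled %s; review before: setsebool -P httpd_can_network_connect 1\n' "$4" "$5"
        fi
        return 0
    fi
    printf 'no rule for %s %s %s\n' "$1" "$2" "$3"
    return 1
}

avc_remediation "$AVC_SAMPLE"
```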