927371 – SELinux is preventing /usr/sbin/php-fpm from 'create' accesses on the directory cache.

Bug 927371 - SELinux is preventing /usr/sbin/php-fpm from 'create' accesses on the directory cache.

Summary: SELinux is preventing /usr/sbin/php-fpm from 'create' accesses on the directo...

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	20
Hardware:	i686
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Miroslav Grepl
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:	abrt_hash:83bb3d006793f056e4afff66fe4...
Duplicates (1):	1033835 (view as bug list)
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2013-03-25 19:22 UTC by Mikhail
Modified:	2014-01-08 13:13 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2014-01-08 13:13:16 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Mikhail 2013-03-25 19:22:02 UTC

Description of problem:
SELinux is preventing /usr/sbin/php-fpm from 'create' accesses on the directory cache.

*****  Plugin catchall_boolean (89.3 confidence) suggests  *******************

If you want to unify HTTPD handling of all content files.
Then you must tell SELinux about this by enabling the 'httpd_unified' boolean.
You can read 'httpd_selinux' man page for more details.
Do
setsebool -P httpd_unified 1

*****  Plugin catchall (11.6 confidence) suggests  ***************************

If you believe that php-fpm should be allowed create access on the cache directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep php-fpm /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                system_u:object_r:httpd_user_ra_content_t:s0
Target Objects                cache [ dir ]
Source                        php-fpm
Source Path                   /usr/sbin/php-fpm
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           php-fpm-5.4.13-1.fc18.i686
Target RPM Packages           
Policy RPM                    selinux-policy-3.11.1-87.fc18.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.8.4-202.fc18.i686.PAE #1 SMP Thu
                              Mar 21 17:14:12 UTC 2013 i686 i686
Alert Count                   1
First Seen                    2013-03-26 01:21:28 YEKT
Last Seen                     2013-03-26 01:21:28 YEKT
Local ID                      6b1fd896-65f3-4801-8a18-fc039d0ca373

Raw Audit Messages
type=AVC msg=audit(1364239288.379:530): avc:  denied  { create } for  pid=3666 comm="php-fpm" name="cache" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_user_ra_content_t:s0 tclass=dir


type=SYSCALL msg=audit(1364239288.379:530): arch=i386 syscall=mkdir success=no exit=EACCES a0=bf950bdc a1=1ff a2=b7842f28 a3=bf950bdc items=0 ppid=1023 pid=3666 auid=4294967295 uid=991 gid=989 euid=991 suid=991 fsuid=991 egid=989 sgid=989 fsgid=989 ses=4294967295 tty=(none) comm=php-fpm exe=/usr/sbin/php-fpm subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: php-fpm,httpd_t,httpd_user_ra_content_t,dir,create

audit2allow

#============= httpd_t ==============
#!!!! This avc can be allowed using the boolean 'httpd_unified'

allow httpd_t httpd_user_ra_content_t:dir create;

audit2allow -R
require {
	type httpd_t;
	type httpd_user_ra_content_t;
	class dir create;
}

#============= httpd_t ==============
#!!!! This avc can be allowed using the boolean 'httpd_unified'

allow httpd_t httpd_user_ra_content_t:dir create;


Additional info:
hashmarkername: setroubleshoot
kernel:         3.8.4-202.fc18.i686.PAE
type:           libreport

Comment 1 Miroslav Grepl 2013-03-26 10:22:19 UTC

You will need to either turn on the boolean or change labeling.

Comment 2 Mikhail 2013-03-26 10:54:06 UTC

What this boolean allow?
setsebool -P httpd_unified 1

Comment 3 Dominick Grift 2013-03-26 11:02:13 UTC

sesearch -ASCT | grep httpd_unified

To see all the conditional allow and type transition rules for "httpd_unified"

Probably best to use httpd_user_content_rw_t for cache content.
httpd_user_content_ra_t is meant to be used for log files.

Comment 4 Miroslav Grepl 2013-03-27 13:22:54 UTC

From

# man httpd_selinux

       If  you  want to unify HTTPD handling of all content files, you must turn on the httpd_uni‐
       fied boolean. Disabled by default.

       setsebool -P httpd_unified 1

Comment 5 Mikhail 2013-03-27 19:25:20 UTC

I thought setsebool -P httpd_enable_homedirs 1 was enough to access all content in homedir.

Comment 6 Daniel Walsh 2013-03-27 21:17:23 UTC

No that just allows it to get to the content, otherwise it is blocked from even reaching it.

httpd_read_user_content 

Will allow it to read all user content, but we have no boolean that would allow apache to write user content.

Comment 7 Miroslav Grepl 2013-11-25 14:05:06 UTC

*** Bug 1033835 has been marked as a duplicate of this bug. ***

Comment 8 Mikhail 2013-11-25 18:26:46 UTC

Can you also add boolean which allow apache to write user content?

Comment 9 Daniel Walsh 2013-11-25 20:07:42 UTC

Why would  you want to allow an apache web server to write anywhere in a users homdir?  Seems rather dangerous to me.

Comment 10 Mikhail 2013-11-25 20:26:37 UTC

I think it is typical situation for shared hosting and much better than allowing write anywhere in system.

Comment 11 Daniel Walsh 2013-11-25 20:28:14 UTC

Wouldn't the shared hosting be put under a particular users homedir?  For example ~/public_html

Comment 12 Mikhail 2013-11-25 20:31:40 UTC

If I rename my ~/www folder into ~/public_html would be all ok?

Comment 13 Daniel Walsh 2013-11-25 20:34:00 UTC

From an SELinux point of view they get labeled the same.

 matchpathcon ~/public_html ~/www
/home/dwalsh/public_html	staff_u:object_r:httpd_user_content_t:s0
/home/dwalsh/www	staff_u:object_r:httpd_user_content_t:s0

restorecon -R -v ~/www ~/public_html

Should make sure the labels are correct.

Comment 14 Mikhail 2013-11-25 21:02:02 UTC

[mikhail@localhost ~]$ matchpathcon ~/public_html ~/www
/home/mikhail/public_html	unconfined_u:object_r:httpd_user_content_t:s0
/home/mikhail/www	unconfined_u:object_r:httpd_user_content_t:s0
[mikhail@localhost ~]$ restorecon -R -v ~/www ~/public_html


But I still have SELinux alert SELinux is preventing /usr/sbin/php-fpm from 'create' accesses on the directory m_gavrilov.

Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                system_u:object_r:httpd_user_ra_content_t:s0
Target Objects                m_gavrilov [ dir ]
Source                        php-fpm
Source Path                   /usr/sbin/php-fpm
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           php-fpm-5.5.6-1.fc20.x86_64
Target RPM Packages           
Policy RPM                    selinux-policy-3.12.1-90.fc20.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.12.0-2.fc21.x86_64+debug #1 SMP
                              Sat Nov 9 21:12:03 UTC 2013 x86_64 x86_64
Alert Count                   74
First Seen                    2013-11-25 04:59:48 YEKT
Last Seen                     2013-11-26 02:50:56 YEKT
Local ID                      6cd0c7e9-f9dd-473c-bd28-0591df5bc168

Comment 15 Mikhail 2013-11-25 21:10:27 UTC

Only # setsebool -P httpd_unified 1 helps, but I don't want get access for php-fpm and nginx to whole system.

Comment 16 Daniel Walsh 2013-11-25 21:25:03 UTC

Where is the cache directory located?

If you change its label to httpd_sys_rw_content_t your problem will be solved without turning on httpd_unified.

httpd_unified only allows apache (httpd_t) full access to all httpd_* types, not the entire system.  It is better to only change the label on the directory you need to write to.

Comment 17 Mikhail 2013-11-25 21:33:46 UTC

> Where is the cache directory located?
~/www/crm/logs

SELinux catch when php-fpm try create folder there. Of course I am understand much better turning SELinux to allow access to ~/www/crm/logs, but I do not want to romp because I think it would be safe enough if SELinux will keep full access for httpd inside ~/www how do it much simple? Setup setsebool -P httpd_unified 1?

Comment 18 Daniel Walsh 2013-11-26 16:46:37 UTC

 setsebool -P httpd_unified 1

Would allow httpd full access to ~/www but not anywhere else on your homedir.

Comment 19 Miroslav Grepl 2014-01-08 13:13:16 UTC

If you setup labeling for ~/www/crm/logs, it should be enough.

Note You need to log in before you can comment on or make changes to this bug.