Bug 1875138
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | php-fpm can't write into redis' socket (Fedora) | | |
| Product | [Fedora] Fedora | Reporter | Felix Schwarz <fschwarz> |
| Component | selinux-policy | Assignee | Zdenek Pytela <zpytela> |
| Status | CLOSED ERRATA | QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Severity | medium | Docs Contact | |
| Priority | medium | | |
| Version | 32 | CC | dwalsh, grepl.miroslav, lvrabec, mmalik, plautrba, vmojzis, zpytela |
| Target Milestone | --- | Keywords | Reopened, Triaged |
| Target Release | --- | | |
| Hardware | Unspecified | | |
| OS | Unspecified | | |
| Fixed In Version | selinux-policy-3.14.5-44.fc32 selinux-policy-3.14.5-45.fc32 | Doc Type | If docs needed, set a value |
| Last Closed | 2020-11-25 01:42:29 UTC | Type | Bug |
Description (Felix Schwarz, 2020-09-02 22:17:41 UTC)

Comment 1, Zdenek Pytela:
Porting the patch: https://github.com/fedora-selinux/selinux-policy-contrib/pull/331
It required some polishing, but the content is the same. Thank you :-)

Comment 2, Felix Schwarz:
Will this change also hit F32 at some point via "selinux-policy-targeted" or do I need to install an extra package for that?

Comment 3, Zdenek Pytela:
It will be a part of the next F32 build, too.

Comment 4, Fedora Update System:
FEDORA-2020-9896f80cf0 has been submitted as an update to Fedora 32.
https://bodhi.fedoraproject.org/updates/FEDORA-2020-9896f80cf0

Comment 5, Fedora Update System:
FEDORA-2020-9896f80cf0 has been pushed to the Fedora 32 testing repository.
In short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-9896f80cf0`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-9896f80cf0
See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 6, Felix Schwarz:
Somehow the update does not fix the problem for me:

```
# rpm -q selinux-policy-targeted
selinux-policy-targeted-3.14.5-44.fc32.noarch

type=AVC msg=audit(1601824904.270:201): avc: denied { write } for pid=1125 comm="php-fpm" name="redis-nc.sock" dev="tmpfs" ino=23973 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:redis_var_run_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1601824904.270:202): avc: denied { connectto } for pid=1125 comm="php-fpm" path="/run/redis-nc/redis-nc.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:redis_t:s0 tclass=unix_stream_socket permissive=1
```

I don't know enough about all the macros used in the SELinux policy definitions, but is there a way for me to debug this further?

Comment 7, Fedora Update System:
FEDORA-2020-9896f80cf0 has been pushed to the Fedora 32 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 8, Felix Schwarz:
As I mentioned in comment #6, the update does not fix the problem for me. Any pointers on how to debug this further?
Comment 9, Zdenek Pytela:
Hi, I managed to find a glitch in the original 2015 commit - not sure if something changed since then or if it was a typo even at that time: redis_t vs redisd_t. The other permission is then a result of not accepting the whole macro. Thank you for pointing to the problem; I don't think there is another way to debug it but verifying using sesearch like

```
# sesearch -A -s httpd_t -t redis_t -c unix_stream_socket -p connectto
allow daemon daemon:unix_stream_socket connectto; [ daemons_enable_cluster_mode ]:True
# sesearch -A -s httpd_t -t redis_var_run_t -c sock_file -p write
<>
```

https://github.com/fedora-selinux/selinux-policy-contrib/pull/338

Comment 10, Felix Schwarz:
Ah, good catch - I should have spotted that myself. Thank you very much for your quick response - your SELinux work (+ fellow Red Hatters) really makes SELinux usable in Fedora.

Comment 11, Fedora Update System:
FEDORA-2020-77b49aa207 has been submitted as an update to Fedora 32.
https://bodhi.fedoraproject.org/updates/FEDORA-2020-77b49aa207

Comment 12, Fedora Update System:
FEDORA-2020-77b49aa207 has been pushed to the Fedora 32 testing repository.
In short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-77b49aa207`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-77b49aa207
See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 13, Felix Schwarz:
I can confirm that the latest update fixes the problem for me. Thank you very much.

Comment 14, Fedora Update System:
FEDORA-2020-77b49aa207 has been pushed to the Fedora 32 stable repository.
If problem still persists, please make note of it in this bug report.
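The debugging step from comment 9 (turn each AVC denial into a `sesearch -A` query and see whether the loaded policy actually carries an allow rule) generalizes to any denial, so here it is as a small script. This is an added example written for this page, not code from the bug or from selinux-policy. Its sample input is the two AVC records quoted in comment 6; the sesearch answers are a constructed stand-in (the rule line quoted in comment 9 for the first query, an empty result for the second) so the script runs without setools installed. On a real host you would feed it `ausearch -m AVC -ts recent` and let it run `sesearch` itself.

```python
import re
import shlex
import subprocess

# Sample input: the two AVC records quoted in comment 6 (copied from the report).
SAMPLE_AVCS = [
    'type=AVC msg=audit(1601824904.270:201): avc: denied { write } for pid=1125 '
    'comm="php-fpm" name="redis-nc.sock" dev="tmpfs" ino=23973 '
    'scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:redis_var_run_t:s0 '
    'tclass=sock_file permissive=1',
    'type=AVC msg=audit(1601824904.270:202): avc: denied { connectto } for pid=1125 '
    'comm="php-fpm" path="/run/redis-nc/redis-nc.sock" '
    'scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:redis_t:s0 '
    'tclass=unix_stream_socket permissive=1',
]

# Constructed stand-in for running sesearch offline: the first answer is the line
# quoted in comment 9, the second query returned nothing (that is the missing rule).
SAMPLE_SESEARCH = {
    "sesearch -A -s httpd_t -t redis_t -c unix_stream_socket -p connectto":
        "allow daemon daemon:unix_stream_socket connectto; [ daemons_enable_cluster_mode ]:True\n",
    "sesearch -A -s httpd_t -t redis_var_run_t -c sock_file -p write": "",
}

AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)
COND_RE = re.compile(r"\[\s*(?P<expr>.+?)\s*\]:(?P<branch>True|False)$")


def context_type(ctx):
    """user:role:type[:range] -> type, the only component sesearch -s/-t needs."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Return the fields of one AVC record, or None if the line is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "verdict": m.group("verdict"),
        "perms": m.group("perms").split(),
        "stype": context_type(m.group("scontext")),
        "ttype": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
        "permissive": m.group("permissive") == "1",
    }


def sesearch_command(avc):
    """The sesearch -A query that must list an allow rule if the policy permits this access."""
    return "sesearch -A -s {} -t {} -c {} -p {}".format(
        avc["stype"], avc["ttype"], avc["tclass"], ",".join(avc["perms"]))


def policy_verdict(sesearch_output):
    """Classify sesearch -A output.

    'allowed'     at least one unconditional allow rule matched
    'conditional' only boolean-gated rules matched; setools prints them as
                  `rule; [ expr ]:True|False`, the flag being the branch the rule
                  lives in, not the boolean's current value, so getsebool decides
    'missing'     no allow rule at all: the policy module lacks this access
    """
    gated = False
    for raw in sesearch_output.splitlines():
        line = raw.strip()
        if not line.startswith("allow "):
            continue
        if COND_RE.search(line):
            gated = True
        else:
            return "allowed"
    return "conditional" if gated else "missing"


def run_sesearch(cmd):
    """Default runner: execute sesearch (package setools-console) on this host."""
    return subprocess.run(shlex.split(cmd), capture_output=True, text=True, check=False).stdout


def triage(avc_lines, runner=run_sesearch):
    """Map every AVC denial to its sesearch query and the loaded policy's verdict."""
    results = []
    for line in avc_lines:
        avc = parse_avc(line)
        if avc is None or avc["verdict"] != "denied":
            continue
        cmd = sesearch_command(avc)
        results.append((cmd, policy_verdict(runner(cmd))))
    return results


if __name__ == "__main__":
    # Offline run against the constructed answers. Both AVCs appear together only
    # because permissive=1: in enforcing mode the sock_file write check fails first
    # and the connectto check on the peer socket is never reached.
    for cmd, verdict in triage(SAMPLE_AVCS, lambda c: SAMPLE_SESEARCH.get(c, "")):
        print(f"{verdict:12} {cmd}")
```

Two things the output tells you that the raw AVC does not: a `missing` verdict means the policy module itself lacks the rule (as with the `redis_t` vs `redisd_t` slip here), so neither a boolean nor a relabel will help; a `conditional` verdict means the next step is `getsebool` on the named boolean rather than a policy patch. Because the reporter tested in permissive mode, the second denial is informative only after the first one is fixed.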