Bug 1897517
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | php-fpm can't write into redis' socket | | |
| Product | Red Hat Enterprise Linux 8 | Reporter | Rik Theys <rik.theys> |
| Component | selinux-policy | Assignee | Zdenek Pytela <zpytela> |
| Status | CLOSED ERRATA | QA Contact | Milos Malik <mmalik> |
| Severity | low | Docs Contact | |
| Priority | low | | |
| Version | 8.2 | CC | angystardust, dwalsh, lvrabec, mgrepl, mmalik, plautrba, pvrabec, renich, ssekidde |
| Target Milestone | rc | Keywords | Triaged |
| Target Release | 8.7 | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | selinux-policy-3.14.3-98.el8 | Doc Type | No Doc Update |
| Doc Text | | Story Points | --- |
| Clone Of | 1178210 | Environment | |
| Last Closed | 2022-11-08 10:43:57 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
Description
Rik Theys
2020-11-13 10:08:58 UTC
> The /var/run/redis/redis.sock is mislabeled. Please run the following command which fixes the label:
>
> # restorecon -Rv /var/run/redis

Hi,

The redis socket does seem to have the correct selinux label:

```
[root@XXX redis]# restorecon -Rvn /var/run/redis
[root@XXX redis]# ls -lZ /var/run/redis/
total 0
srwxrwxrwx. 1 redis redis system_u:object_r:redis_var_run_t:s0 0 Nov 13 11:18 redis.sock
[root@XXX log]# ausearch -m avc |grep -i redis
type=AVC msg=audit(1605261575.507:1755): avc:  denied  { write } for  pid=175150 comm="php-fpm" name="redis.sock" dev="tmpfs" ino=4726705 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:redis_var_run_t:s0 tclass=sock_file permissive=0
```

What is the label this socket should have?

I've currently created the following selinux module to allow this:

```
module esat_redis 1.0;

require {
        type httpd_t;
        type redis_var_run_t;
        class sock_file write;
}

#============= httpd_t ==============
allow httpd_t redis_var_run_t:sock_file write;
```

Regards,

Rik

The redis_var_run_t label is correct for the socket and the policy module you created is correct too.

```
# rpm -qa selinux\*
selinux-policy-targeted-3.14.3-54.el8.noarch
selinux-policy-3.14.3-54.el8.noarch
# sesearch -s httpd_t -t redis_var_run_t -c sock_file -p write -A --dontaudit
#
```

Unfortunately, SELinux policy in RHEL-8.3 does not allow that access. Candidate for fixing in RHEL-8.4?

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (selinux-policy bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:7691
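The following script is an added example and is not code from the bug report or from the selinux-policy package. It derives the `allow httpd_t redis_var_run_t:sock_file write;` rule in the reporter's esat_redis module directly from the AVC line quoted above (the same translation audit2allow performs), builds and loads that module with checkmodule/semodule_package/semodule, and gives a check to run after a selinux-policy update (the fix shipped in selinux-policy-3.14.3-98.el8 per the table above) to decide whether the local module can be retired. Assumptions of mine: the module name esat_redis is the reporter's, the second AVC line with two permissions is constructed to show the braced form, the build directory under /tmp is arbitrary, and because sesearch queries the loaded policy including local modules, the "check" mode removes the module before querying and reinstalls it if the shipped policy still denies the access (which opens a short window of denials on a live host).

```shell
#!/bin/sh
# Added example, not the reporter's or the project's code. Turns an AVC
# denial into the allow rule/module shown in the report, installs it, and
# checks later whether the shipped policy has made it redundant.

# Denial copied from the report (php-fpm in httpd_t writing redis.sock).
AVC='type=AVC msg=audit(1605261575.507:1755): avc:  denied  { write } for  pid=175150 comm="php-fpm" name="redis.sock" dev="tmpfs" ino=4726705 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:redis_var_run_t:s0 tclass=sock_file permissive=0'

# Constructed variant with two permissions, to exercise the "{ a b }" form.
AVC2='type=AVC msg=audit(1605261575.507:1756): avc:  denied  { read write } for  pid=175150 comm="php-fpm" name="redis.sock" dev="tmpfs" ino=4726705 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:redis_var_run_t:s0 tclass=sock_file permissive=0'

# Value of a key=value field (scontext, tcontext, tclass, ...) in an audit line.
field() {
    printf '%s\n' "$1" | sed -n "s/.*$2=\([^ ]*\).*/\1/p"
}

# Type component of a user:role:type:level context.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Permissions between "denied {" and "}", space separated, trimmed.
perms_of() {
    printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^}]*[^ }]\) *}.*/\1/p'
}

# Permission set as policy syntax: a bare word, or "{ a b }" for several.
permset_of() {
    perms=$(perms_of "$1")
    case $perms in
        *" "*) printf '{ %s }\n' "$perms" ;;
        *)     printf '%s\n' "$perms" ;;
    esac
}

# One AVC line -> one allow rule.
avc_to_allow() {
    printf 'allow %s %s:%s %s;\n' \
        "$(ctx_type "$(field "$1" scontext)")" \
        "$(ctx_type "$(field "$1" tcontext)")" \
        "$(field "$1" tclass)" "$(permset_of "$1")"
}

# Complete .te source (module header, require block, rule) for one denial.
avc_to_te() {
    src=$(ctx_type "$(field "$2" scontext)")
    tgt=$(ctx_type "$(field "$2" tcontext)")
    cls=$(field "$2" tclass)
    printf 'module %s 1.0;\n\nrequire {\n\ttype %s;\n\ttype %s;\n\tclass %s %s;\n}\n\n' \
        "$1" "$src" "$tgt" "$cls" "$(permset_of "$2")"
    avc_to_allow "$2"
}

# Compile and load the module (needs root, checkpolicy and policycoreutils).
install_module() {
    name=$1; dir=${2:-/tmp/$name}   # build directory is an assumption
    mkdir -p "$dir"
    avc_to_te "$name" "$AVC" > "$dir/$name.te"
    checkmodule -M -m -o "$dir/$name.mod" "$dir/$name.te"
    semodule_package -o "$dir/$name.pp" -m "$dir/$name.mod"
    semodule -i "$dir/$name.pp"
}

# True when the loaded policy has an allow rule for this access. Rules from
# local modules count too, so remove the local module before asking.
policy_allows() {
    sesearch -A -s "$1" -t "$2" -c "$3" -p "$4" | grep -q '^allow '
}

case ${1:-} in
    install)
        install_module esat_redis ;;
    check)
        # Run after "dnf update selinux-policy": drop the workaround, ask the
        # shipped policy, and put the workaround back only if still needed.
        semodule -r esat_redis 2>/dev/null || true
        if policy_allows httpd_t redis_var_run_t sock_file write; then
            echo "shipped policy grants the access; esat_redis is no longer needed"
        else
            echo "still denied by shipped policy; reinstalling esat_redis"
            install_module esat_redis
        fi ;;
    *)
        avc_to_te esat_redis "$AVC" ;;
esac
```

With no argument the script only prints the generated .te source, which should match the module in the report; `install` builds and loads it, and `check` is the post-update step. The sesearch query is the same one used in the reply above; an empty result there meant the RHEL 8.3 policy (3.14.3-54.el8) carried no such rule, which is why the local module was needed.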