1875138 – php-fpm can't write into redis' socket (Fedora)

Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.

Bug 1875138 - php-fpm can't write into redis' socket (Fedora)

Summary: php-fpm can't write into redis' socket (Fedora)

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	32
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Zdenek Pytela
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2020-09-02 22:17 UTC by Felix Schwarz
Modified:	2020-11-25 01:42 UTC (History)
CC List:	7 users (show)
Fixed In Version:	selinux-policy-3.14.5-44.fc32 selinux-policy-3.14.5-45.fc32
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2020-11-25 01:42:29 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Felix Schwarz 2020-09-02 22:17:41 UTC

This is basically the same as bug 1178210 but for Fedora:

# sesearch -A -s httpd_t -t redis_var_run_t -c sock_file -p write
(no output)

type=AVC msg=audit(1599084877.724:25272): avc:  denied  { write } for  pid=53901 comm="php-fpm" name="redis-nc.sock" dev="tmpfs" ino=1119585 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:redis_var_run_t:s0 tclass=sock_file permissive=0

Comment 1 Zdenek Pytela 2020-09-03 13:15:41 UTC

Porting the patch:

https://github.com/fedora-selinux/selinux-policy-contrib/pull/331

It required some polishing, but content is the same.

Comment 2 Felix Schwarz 2020-09-03 14:25:10 UTC

Thank you :-)

Will this change also hit F32 at some point via "selinux-policy-targeted" or do I need to install an extra package for that?

Comment 3 Zdenek Pytela 2020-09-03 14:47:38 UTC

It will be a part of the next F32 build, too.

Comment 4 Fedora Update System 2020-10-02 07:03:52 UTC

FEDORA-2020-9896f80cf0 has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-9896f80cf0

Comment 5 Fedora Update System 2020-10-03 02:09:09 UTC

FEDORA-2020-9896f80cf0 has been pushed to the Fedora 32 testing repository.
In short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-9896f80cf0`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-9896f80cf0

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 6 Felix Schwarz 2020-10-04 15:36:10 UTC

somehow the update does not fix the problem for me:

# rpm -q selinux-policy-targeted
selinux-policy-targeted-3.14.5-44.fc32.noarch

type=AVC msg=audit(1601824904.270:201): avc:  denied  { write } for  pid=1125 comm="php-fpm" name="redis-nc.sock" dev="tmpfs" ino=23973 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:redis_var_run_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1601824904.270:202): avc:  denied  { connectto } for  pid=1125 comm="php-fpm" path="/run/redis-nc/redis-nc.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:redis_t:s0 tclass=unix_stream_socket permissive=1

I don't know enough about all the macros used in the selinux policy definitions but is there a way for me to debug this further?

Comment 7 Fedora Update System 2020-10-05 17:32:45 UTC

FEDORA-2020-9896f80cf0 has been pushed to the Fedora 32 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 8 Felix Schwarz 2020-10-06 08:17:54 UTC

as I mentioned in comment #6 the update does not fix the problem for me. Any pointers in how to debug this further?

Comment 9 Zdenek Pytela 2020-10-07 09:12:16 UTC

Hi,

I managed to find a glitch in the original 2015 commit - not sure if something changed since then or if it was a typo even that time: redis_t vs redisd_t. The other permission is then a result of not accepting the whole macro.

Thank you for pointing to the problem; I don't think there is another way how to debug but verifying using sesearch like

# sesearch -A -s httpd_t -t redis_t -c unix_stream_socket -p connectto
allow daemon daemon:unix_stream_socket connectto; [ daemons_enable_cluster_mode ]:True
# sesearch -A -s httpd_t -t redis_var_run_t -c sock_file -p write
<>

https://github.com/fedora-selinux/selinux-policy-contrib/pull/338

Comment 10 Felix Schwarz 2020-10-07 09:18:54 UTC

ah good catch - I should have spotted that myself. Thank you very much for your quick response - your SElinux work (+ fellow Red Hatters) really makes SElinux usable in Fedora.

Comment 11 Fedora Update System 2020-11-09 18:46:13 UTC

FEDORA-2020-77b49aa207 has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-77b49aa207

Comment 12 Fedora Update System 2020-11-10 02:20:40 UTC

FEDORA-2020-77b49aa207 has been pushed to the Fedora 32 testing repository.
In short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-77b49aa207`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-77b49aa207

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 13 Felix Schwarz 2020-11-10 22:35:12 UTC

I can confirm that the latest update fixes the problem for me. Thank you very much.

Comment 14 Fedora Update System 2020-11-25 01:42:29 UTC

FEDORA-2020-77b49aa207 has been pushed to the Fedora 32 stable repository.
If problem still persists, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.