Bug #71532 Child terminates when SELinux denies access to library
Submitted: 2016-02-05 10:17 UTC Modified: 2023-11-16 10:49 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:-1 (-100.0%)
From: david at davidsteinsland dot net Assigned:
Status: Open Package: FPM related
PHP Version: 5.6.18 OS: CentOS 7 64-bit
Private report: No CVE-ID: None
 [2016-02-05 10:17 UTC] david at davidsteinsland dot net
Description:
------------
When I was setting up a PHP extension I compiled it by providing an absolute path to the library it needed. After installing, I copied the library to /usr/lib64.

The directory in which I compiled the extension was /root/.
All seemed fine, running php -m showed the extension loaded.

However, php-fpm filled the log with:
[05-Feb-2016 10:57:05] NOTICE: Terminating ...
[05-Feb-2016 10:57:05] ALERT: oops, unknown child (16001) exited with code 0. Please open a bug report (https://bugs.php.net).
[05-Feb-2016 10:57:05] NOTICE: exiting, bye-bye!
[05-Feb-2016 10:57:05] NOTICE: fpm is running, pid 16137
[05-Feb-2016 10:57:05] NOTICE: ready to handle connections
[05-Feb-2016 10:57:05] NOTICE: systemd monitor interval set to 10000ms

When viewing the audit log, I noticed that PHP was trying to load the library (that the extension needed), from /root/:

type=AVC msg=audit(1454666387.325:13883): avc:  denied  { read } for  pid=16285 comm="php-fpm" name="libxl.so" dev="dm-0" ino=17751008 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file

Note the "admin_home_t" security context of the target.

I recompiled the extension, but this time I provided the absolute path to the library as /usr/lib64/libxl.so.

Not a bug per se, but it seems that php-fpm doesn't handle the denial of access that SELinux causes. The log output doesn't tell anything about SELinux, only that the child terminated.


Expected result:
----------------
Library should be loaded from /usr/lib64/ in the first place.
Log should be more clear.

Actual result:
--------------
Tried to load the library from /root/.
Log not clear about this.

 [2021-12-04 17:53 UTC] bukka@php.net
-Package: FPM related +Package: Dynamic loading
 [2021-12-04 17:53 UTC] bukka@php.net
This is not really an FPM issue as it cannot handle this case. From the FPM point of view the child crashed, which is probably because loading of the extension failed. I think the actual library path is already configurable, so this part seems to me more like a configuration issue possibly, but it still probably shouldn't crash. It would be useful to get the child backtrace and see if anything can be done during loading and possibly a better error reported.
 [2023-11-16 10:49 UTC] bukka@php.net
-Package: Dynamic loading +Package: FPM related
 [2023-11-16 10:49 UTC] bukka@php.net
I will set this back to FPM related in case there's anything we can do in terms of better reporting.
 
Last updated: Tue Jan 07 12:01:29 2025 UTC