Bug #71532 Child terminates when SELinux denies access to library
Submitted: 2016-02-05 10:17 UTC Modified: -
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:-1 (-100.0%)
From: david at davidsteinsland dot net Assigned:
Status: Open Package: FPM related
PHP Version: 5.6.18 OS: CentOS 7 64-bit
Private report: No CVE-ID: None
 [2016-02-05 10:17 UTC] david at davidsteinsland dot net
Description:
------------
When I was setting up a PHP extension I compiled it by providing an absolute path to the library it needed. After installing, I copied the library to /usr/lib64.

The directory in which I compiled the extension was /root/.
All seemed fine, running php -m showed the extension loaded.

However, php-fpm filled the log with:
[05-Feb-2016 10:57:05] NOTICE: Terminating ...
[05-Feb-2016 10:57:05] ALERT: oops, unknown child (16001) exited with code 0. Please open a bug report (https://bugs.php.net).
[05-Feb-2016 10:57:05] NOTICE: exiting, bye-bye!
[05-Feb-2016 10:57:05] NOTICE: fpm is running, pid 16137
[05-Feb-2016 10:57:05] NOTICE: ready to handle connections
[05-Feb-2016 10:57:05] NOTICE: systemd monitor interval set to 10000ms

When viewing the audit log, I noticed that PHP was trying to load the library (that the extension needed), from /root/:

type=AVC msg=audit(1454666387.325:13883): avc:  denied  { read } for  pid=16285 comm="php-fpm" name="libxl.so" dev="dm-0" ino=17751008 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file

Note the "admin_home_t" security context of the target.

I recompiled the extension, but this time I provided the absolute path to the library as /usr/lib64/libxl.so

Not a bug per se, but it seems that php-fpm doesn't handle the denial of access that SELinux causes. The log output doesn't tell anything about SELinux, only that the child terminated.


Expected result:
----------------
Library should be loaded from /usr/lib64/ in the first place.
Log should be more clear.

Actual result:
--------------
Library load was attempted from /root/.
Log not clear about this.
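
An added example, not part of the original report and not PHP-FPM code: a small Python filter that pulls SELinux AVC denials for php-fpm shared-library reads out of audit log text, which is the lookup the reporter had to do by hand because the FPM log says nothing about SELinux. The first sample record is the one quoted in the report; the second is constructed, and all function names are hypothetical.

```python
import re
from datetime import datetime, timezone

# First record: copied from the report. Second record: constructed, unrelated noise.
SAMPLE_AUDIT = '''\
type=AVC msg=audit(1454666387.325:13883): avc:  denied  { read } for  pid=16285 comm="php-fpm" name="libxl.so" dev="dm-0" ino=17751008 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1454666390.101:13890): avc:  denied  { getattr } for  pid=900 comm="sshd" name="x" dev="dm-0" ino=5 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
'''

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<epoch>\d+)\.\d+:(?P<serial>\d+)\): '
    r'avc:\s+denied\s+\{ (?P<perms>[^}]*)\} for\s+(?P<fields>.*)'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC denial record into a dict, or return None if it is not one."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {key: value.strip('"') for key, value in KV_RE.findall(m.group('fields'))}
    rec['perms'] = m.group('perms').split()
    rec['serial'] = int(m.group('serial'))
    rec['time'] = datetime.fromtimestamp(int(m.group('epoch')), tz=timezone.utc)
    # An SELinux context is user:role:type:level; the type is the third field.
    rec['source_type'] = rec['scontext'].split(':')[2]
    rec['target_type'] = rec['tcontext'].split(':')[2]
    return rec


def fpm_library_denials(audit_text, comm='php-fpm'):
    """Return denials where `comm` was refused access to a shared-object file."""
    hits = []
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if (rec and rec.get('comm') == comm and rec.get('tclass') == 'file'
                and '.so' in rec.get('name', '')):
            hits.append(rec)
    return hits


def summarize(rec):
    """One-line description suitable for placing next to the FPM log."""
    return '{} {} ({}) denied {} on {} labelled {}'.format(
        rec['time'].isoformat(), rec['comm'], rec['source_type'],
        ','.join(rec['perms']), rec['name'], rec['target_type'])


if __name__ == '__main__':
    for denial in fpm_library_denials(SAMPLE_AUDIT):
        print(summarize(denial))
```

The audit timestamp is printed in UTC, so compare it with the FPM log only after accounting for the server's local time zone.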

Last updated: Tue Dec 18 18:01:27 2018 UTC