php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #71532 Child terminates when SELinux denies access to library
Submitted: 2016-02-05 10:17 UTC Modified: 2023-11-16 10:49 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:-1 (-100.0%)
From: david at davidsteinsland dot net Assigned:
Status: Open Package: FPM related
PHP Version: 5.6.18 OS: CentOS 7 64-bit
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: david at davidsteinsland dot net
New email:
PHP Version: OS:

 

 [2016-02-05 10:17 UTC] david at davidsteinsland dot net
Description:
------------
When I was setting up a PHP extension I compiled it by providing an absolute path to the library it needed. After installing, I copied the library to /usr/lib64.

The directory in which I compiled the extension, was /root/.
All seemed fine, running php -m showed the extension loaded.

However, php-fpm filled the log with:
[05-Feb-2016 10:57:05] NOTICE: Terminating ...
[05-Feb-2016 10:57:05] ALERT: oops, unknown child (16001) exited with code 0. Please open a bug report (https://bugs.php.net).
[05-Feb-2016 10:57:05] NOTICE: exiting, bye-bye!
[05-Feb-2016 10:57:05] NOTICE: fpm is running, pid 16137
[05-Feb-2016 10:57:05] NOTICE: ready to handle connections
[05-Feb-2016 10:57:05] NOTICE: systemd monitor interval set to 10000ms

When viewing the audit log, I noticed that PHP was trying to load the library (that the extension needed), from /root/:

type=AVC msg=audit(1454666387.325:13883): avc:  denied  { read } for  pid=16285 comm="php-fpm" name="libxl.so" dev="dm-0" ino=17751008 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file

Note the "admin_home_t" security context of the target.

I recompiled the extension, but this time I provided the absolute path to the library as /usr/lib64/libxl.so

Not a bug per sè, but it seems that php-fpm doesn't handles denial of access that SELinux causes. The log output doesn't tell anything about SELinux, only that the child terminated.


Expected result:
----------------
Library should be loaded from /usr/lib64/ in the first place.
Log should be more clear.

Actual result:
--------------
Library tried loaded from /root/.
Log not clear about this.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2021-12-04 17:53 UTC] bukka@php.net
-Package: FPM related +Package: Dynamic loading
 [2021-12-04 17:53 UTC] bukka@php.net
This is not really FPM issue as it cannot handle this case. From the FPM point of view the child crashed which is probably because loading of extension failed. I think the actual library path is already configurable so this part seems to me more like configuration issue possibly but it still shouldn't probably crash. It would be useful to get the child backtrace and see if anything can be done during loading and possibly better error reported.
 [2023-11-16 10:49 UTC] bukka@php.net
-Package: Dynamic loading +Package: FPM related
 [2023-11-16 10:49 UTC] bukka@php.net
I will set this back to FPM related in case there's anything we can do in terms of better reporting.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Nov 02 08:01:28 2024 UTC