php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #71532 Child terminates when SELinux denies access to library
Submitted: 2016-02-05 10:17 UTC Modified: 2021-12-04 17:53 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:-1 (-100.0%)
From: david at davidsteinsland dot net Assigned:
Status: Open Package: Dynamic loading
PHP Version: 5.6.18 OS: CentOS 7 64-bit
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: david at davidsteinsland dot net
New email:
PHP Version: OS:

 

 [2016-02-05 10:17 UTC] david at davidsteinsland dot net 
Description:
------------
When I was setting up a PHP extension I compiled it by providing an absolute path to the library it needed. After installing, I copied the library to /usr/lib64.

The directory in which I compiled the extension, was /root/.
All seemed fine, running php -m showed the extension loaded.

However, php-fpm filled the log with:
[05-Feb-2016 10:57:05] NOTICE: Terminating ...
[05-Feb-2016 10:57:05] ALERT: oops, unknown child (16001) exited with code 0. Please open a bug report (https://bugs.php.net).
[05-Feb-2016 10:57:05] NOTICE: exiting, bye-bye!
[05-Feb-2016 10:57:05] NOTICE: fpm is running, pid 16137
[05-Feb-2016 10:57:05] NOTICE: ready to handle connections
[05-Feb-2016 10:57:05] NOTICE: systemd monitor interval set to 10000ms

When viewing the audit log, I noticed that PHP was trying to load the library (that the extension needed), from /root/:

type=AVC msg=audit(1454666387.325:13883): avc:  denied  { read } for  pid=16285 comm="php-fpm" name="libxl.so" dev="dm-0" ino=17751008 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file

Note the "admin_home_t" security context of the target.

I recompiled the extension, but this time I provided the absolute path to the library as /usr/lib64/libxl.so

Not a bug per sè, but it seems that php-fpm doesn't handles denial of access that SELinux causes. The log output doesn't tell anything about SELinux, only that the child terminated.


Expected result:
----------------
Library should be loaded from /usr/lib64/ in the first place.
Log should be more clear.

Actual result:
--------------
Library tried loaded from /root/.
Log not clear about this.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2021-12-04 17:53 UTC] bukka@php.net
-Package: FPM related +Package: Dynamic loading
 [2021-12-04 17:53 UTC] bukka@php.net 
This is not really FPM issue as it cannot handle this case. From the FPM point of view the child crashed which is probably because loading of extension failed. I think the actual library path is already configurable so this part seems to me more like configuration issue possibly but it still shouldn't probably crash. It would be useful to get the child backtrace and see if anything can be done during loading and possibly better error reported.
 
PHP Copyright © 2001-2023 The PHP Group
All rights reserved. 		Last updated: Wed Mar 29 12:03:44 2023 UTC