Bug #71532 Child terminates when SELinux denies access to library
Submitted: 2016-02-05 10:17 UTC Modified: 2023-11-16 10:49 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:-1 (-100.0%)
From: david at davidsteinsland dot net Assigned:
Status: Open Package: FPM related
PHP Version: 5.6.18 OS: CentOS 7 64-bit
Private report: No CVE-ID: None
 [2016-02-05 10:17 UTC] david at davidsteinsland dot net
Description:
------------
When I was setting up a PHP extension I compiled it by providing an absolute path to the library it needed. After installing, I copied the library to /usr/lib64.

The directory in which I compiled the extension was /root/.
All seemed fine, running php -m showed the extension loaded.

However, php-fpm filled the log with:
[05-Feb-2016 10:57:05] NOTICE: Terminating ...
[05-Feb-2016 10:57:05] ALERT: oops, unknown child (16001) exited with code 0. Please open a bug report (https://bugs.php.net).
[05-Feb-2016 10:57:05] NOTICE: exiting, bye-bye!
[05-Feb-2016 10:57:05] NOTICE: fpm is running, pid 16137
[05-Feb-2016 10:57:05] NOTICE: ready to handle connections
[05-Feb-2016 10:57:05] NOTICE: systemd monitor interval set to 10000ms

When viewing the audit log, I noticed that PHP was trying to load the library (that the extension needed), from /root/:

type=AVC msg=audit(1454666387.325:13883): avc:  denied  { read } for  pid=16285 comm="php-fpm" name="libxl.so" dev="dm-0" ino=17751008 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file

Note the "admin_home_t" security context of the target.

I recompiled the extension, but this time I provided the absolute path to the library as /usr/lib64/libxl.so

Not a bug per se, but it seems that php-fpm doesn't handle the denial of access that SELinux causes. The log output doesn't tell anything about SELinux, only that the child terminated.


Expected result:
----------------
Library should be loaded from /usr/lib64/ in the first place.
Log should be more clear.

Actual result:
--------------
Tried to load the library from /root/.
Log not clear about this.
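
The audit-log check described in the report, as an added example that is not part of the original report or of PHP: it parses AVC records and lists denials where php-fpm was refused access to a shared object, together with the SELinux type of the file. The function names are hypothetical; the first sample line is the record quoted in the report, the second is constructed.

```python
import re

# AVC record copied from the report above.
SAMPLE_AVC = (
    'type=AVC msg=audit(1454666387.325:13883): avc:  denied  { read } for  '
    'pid=16285 comm="php-fpm" name="libxl.so" dev="dm-0" ino=17751008 '
    'scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file'
)
# Constructed line (not from the report): a granted access, which must be ignored.
SAMPLE_GRANTED = SAMPLE_AVC.replace("denied", "granted")

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<epoch>\d+)\.\d+:(?P<serial>\d+)\): avc:\s+'
    r'(?P<result>denied|granted)\s+\{ (?P<perms>[^}]*) \} for\s+(?P<fields>.*)'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC record as a dict, or None if it is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec.update(epoch=int(m.group("epoch")), serial=int(m.group("serial")),
               result=m.group("result"), perms=m.group("perms").split())
    # An SELinux context is user:role:type:level; the type drives the decision.
    rec["source_type"] = rec["scontext"].split(":")[2]
    rec["target_type"] = rec["tcontext"].split(":")[2]
    return rec

def library_denials(lines, comm="php-fpm"):
    """Summarise denials where `comm` could not access a shared object file."""
    findings = []
    for line in lines:
        rec = parse_avc(line)
        if (rec and rec["result"] == "denied" and rec.get("comm") == comm
                and rec.get("tclass") == "file" and ".so" in rec.get("name", "")):
            findings.append(
                f'{comm} pid {rec["pid"]} ({rec["source_type"]}) denied '
                f'{",".join(rec["perms"])} on {rec["name"]} labelled '
                f'{rec["target_type"]}'
            )
    return findings

if __name__ == "__main__":
    for finding in library_denials([SAMPLE_AVC, SAMPLE_GRANTED]):
        print(finding)
```
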

History

 [2021-12-04 17:53 UTC] bukka@php.net
-Package: FPM related +Package: Dynamic loading
 [2021-12-04 17:53 UTC] bukka@php.net
This is not really an FPM issue, as it cannot handle this case. From the FPM point of view the child crashed, which is probably because loading of the extension failed. I think the actual library path is already configurable, so this part seems to me more like a configuration issue, possibly, but it still probably shouldn't crash. It would be useful to get the child backtrace and see if anything can be done during loading and possibly a better error reported.
 [2023-11-16 10:49 UTC] bukka@php.net
-Package: Dynamic loading +Package: FPM related
 [2023-11-16 10:49 UTC] bukka@php.net
I will set this back to FPM related in case there's anything we can do in terms of better reporting.
 
Last updated: Thu Apr 18 03:01:28 2024 UTC