Bug 447326 - dev-lang/php-5.4.8[fpm] + sec-policy/selinux-phpfpm-2.20120725-r8: false error on startup
Status: VERIFIED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: SELinux
Hardware: All Linux
Importance: Normal normal
Assignee: Sven Vermeulen (RETIRED)
Whiteboard: sec-policy r9
Reported: 2012-12-15 11:06 UTC by Vincent Brillault
Modified: 2013-01-19 21:16 UTC
Description Vincent Brillault 2012-12-15 11:06:42 UTC
After upgrading php on my SELinux enabled server, the restart gave the following output:
---
 * Stopping PHP FastCGI Process Manager ...   [ ok ]
 * Starting PHP FastCGI Process Manager ...
[15-Dec-2012 11:27:53] ERROR: failed to read from pipe: Permission denied (13)
 * start-stop-daemon: failed to start `/usr/lib/php5.4/bin/php-fpm'   [ ok ]
---

Inside the phpfpm log, there is:
---
[15-Dec-2012 11:23:39] NOTICE: fpm is running, pid 28052
[15-Dec-2012 11:23:39] ERROR: failed to read from pipe: Permission denied (13)
[15-Dec-2012 11:23:39] NOTICE: ready to handle connections
---

In the avc log:
---
avc:  denied  { write } for  pid=27859 comm="php-fpm" path="pipe:[3360395]" dev="pipefs" ino=3360395 scontext=system_u:system_r:phpfpm_t tcontext=system_u:system_r:phpfpm_t tclass=fifo_file
avc:  denied  { read } for  pid=27858 comm="php-fpm" path="pipe:[3360395]" dev="pipefs" ino=3360395 scontext=system_u:system_r:phpfpm_t tcontext=system_u:system_r:phpfpm_t tclass=fifo_file
---

In fact the daemon is up and running. From the php source code (sapi/fpm/fpm/fpm_unix.c), I think that the error comes from the following code:
---
...
pid_t pid = fork();
switch (pid) {
  case -1 : /* error */
    zlog(ZLOG_SYSERROR, "failed to daemonize");
    return -1;

  case 0 : /* children */
    close(fpm_globals.send_config_pipe[0]); /*close the read side of the pipe*/
    break;

  default : /* parent */
    close(fpm_globals.send_config_pipe[1]); /*close the write side of the pipe*/
    [... (checks) ...]
    ret = read(fpm_globals.send_config_pipe[0], &readval, sizeof(readval));
    if (ret == -1) {
      zlog(ZLOG_SYSERROR, "failed to read from pipe");
      exit(FPM_EXIT_SOFTWARE);
    }

    if (ret == 0) {
      zlog(ZLOG_ERROR, "no data have been read from pipe");
      exit(FPM_EXIT_SOFTWARE);
    } else {
      if (readval == 1) {
        zlog(ZLOG_DEBUG, "I received a valid acknoledge from the master process, I can exit without error");
        fpm_cleanups_run(FPM_CLEANUP_PARENT_EXIT);
        exit(FPM_EXIT_OK);
      } else {
        zlog(ZLOG_DEBUG, "The master process returned an error !");
        exit(FPM_EXIT_SOFTWARE);
      }
    }
    exit(FPM_EXIT_SOFTWARE);
 ...
---

If I understand the code well, it's just a check on a fork. The parent is supposed to call exit in all the situations, thus it only changes the log, return code and a call to 'fpm_cleanups_run'.

I added the following rule:
allow phpfpm_t self:fifo_file rw_fifo_file_perms;

As a result, no more errors:
 * Stopping PHP FastCGI Process Manager ...  [ ok ]
 * Starting PHP FastCGI Process Manager ...  [ ok ]

phpfpm log:
[15-Dec-2012 12:04:45] NOTICE: fpm is running, pid 30443
[15-Dec-2012 12:04:45] NOTICE: ready to handle connections
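
Added example (not part of the original report or of the Gentoo policy): the two denials above name the same pipe inode from two PIDs, with phpfpm_t as both source and target type, which is why the fix is a `self` rule. This sketch parses the quoted AVC lines and derives that rule from the denied permissions, in the style of audit2allow; the function names are hypothetical.

```python
import re
from collections import defaultdict

# The two denials quoted in the report above, embedded as sample input.
AVC_LOG = """\
avc:  denied  { write } for  pid=27859 comm="php-fpm" path="pipe:[3360395]" dev="pipefs" ino=3360395 scontext=system_u:system_r:phpfpm_t tcontext=system_u:system_r:phpfpm_t tclass=fifo_file
avc:  denied  { read } for  pid=27858 comm="php-fpm" path="pipe:[3360395]" dev="pipefs" ino=3360395 scontext=system_u:system_r:phpfpm_t tcontext=system_u:system_r:phpfpm_t tclass=fifo_file
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC denial line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    stype = rec.get("scontext", "").split(":")
    ttype = rec.get("tcontext", "").split(":")
    if len(stype) < 3 or len(ttype) < 3 or "tclass" not in rec:
        return None  # truncated or malformed record
    # A context is user:role:type[:range]; the type is the third field.
    rec.update(perms=m.group("perms").split(), stype=stype[2], ttype=ttype[2])
    return rec

def summarize(log):
    """Group denials by (source type, target type, class); merge perms, pids, inodes."""
    groups = defaultdict(lambda: {"perms": set(), "pids": set(), "inodes": set()})
    for rec in filter(None, map(parse_avc, log.splitlines())):
        g = groups[(rec["stype"], rec["ttype"], rec["tclass"])]
        g["perms"].update(rec["perms"])
        g["pids"].add(rec.get("pid"))
        g["inodes"].add(rec.get("ino"))
    return dict(groups)

def allow_rules(log):
    """Emit one allow rule per group; 'self' when source and target types match."""
    rules = []
    for (stype, ttype, tclass), g in sorted(summarize(log).items()):
        target = "self" if stype == ttype else ttype
        perms = " ".join(sorted(g["perms"]))
        rules.append(f"allow {stype} {target}:{tclass} {{ {perms} }};")
    return rules

if __name__ == "__main__":
    for rule in allow_rules(AVC_LOG):
        print(rule)
```

The derived rule lists only the permissions seen in the denials, whereas the rule in the report grants the `rw_fifo_file_perms` macro set.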
Comment 1 Sven Vermeulen (RETIRED) gentoo-dev 2012-12-15 11:39:50 UTC
Thanks; fixed in repo, will be in r9
Comment 2 Sven Vermeulen (RETIRED) gentoo-dev 2012-12-17 18:55:05 UTC
r9 in hardened-dev overlay
Comment 3 Sven Vermeulen (RETIRED) gentoo-dev 2012-12-21 20:52:18 UTC
r9 in main repo, ~arch'ed
Comment 4 Sven Vermeulen (RETIRED) gentoo-dev 2013-01-19 21:16:26 UTC
Forgot to mention... stabilized a while ago ;)