
Bug 441612

Summary: sec-policy/selinux-nginx & sec-policy/selinux-phpfpm (2.20120725-r6) missing phpfpm_stream_connect(nginx_t)
Product: Gentoo Linux
Reporter: Vincent Brillault <gentoo>
Component: SELinux
Assignee: Sven Vermeulen (RETIRED) <swift>
Status: VERIFIED FIXED
Severity: normal
CC: selinux
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: sec-policy r7
Package list:
Runtime testing required: ---

Description Vincent Brillault 2012-11-03 20:33:22 UTC
nginx doesn't have the right to connect to phpfpm through its unix socket.

I think that an optional_policy should be added, containing 'phpfpm_stream_connect(nginx_t)'

avc example:
 avc:  denied  { write } for  pid=26089 comm="nginx" name="php-fpm.sock" dev="sda1" ino=537642 scontext=system_u:system_r:nginx_t tcontext=system_u:object_r:phpfpm_var_run_t tclass=sock_file
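Added example, not code from this report or from Gentoo's sec-policy packages: a small parser that reads AVC denial lines like the one above, recognises the pair of denials a unix stream connect produces (write on the sock_file, then connectto on the listener's unix_stream_socket once write is allowed), and renders the refpolicy optional_policy block for the matching <module>_stream_connect(<domain>) interface. The log lines are constructed (the first mirrors the one in the report); deriving the module name from the target type's first token (phpfpm_var_run_t -> phpfpm) is a heuristic assumption, not a refpolicy rule, and denials the heuristic does not cover are reported separately instead of being silently mapped.

```python
"""Map SELinux AVC denials to a refpolicy stream_connect interface call.

Added example, not from the bug report or Gentoo's sec-policy packages.
The sample log is constructed; the module-name derivation is a heuristic.
"""
import re

# Constructed sample log: the write denial quoted in the report, the
# connectto denial that surfaces once write is allowed, and an unrelated
# file read denial that a stream_connect interface does not cover.
SAMPLE_AVC_LOG = """\
type=AVC msg=audit(1351974802.123:4567): avc:  denied  { write } for  pid=26089 comm="nginx" name="php-fpm.sock" dev="sda1" ino=537642 scontext=system_u:system_r:nginx_t tcontext=system_u:object_r:phpfpm_var_run_t tclass=sock_file
type=AVC msg=audit(1351974802.124:4568): avc:  denied  { connectto } for  pid=26089 comm="nginx" path="/var/run/php5-fpm/php-fpm.sock" scontext=system_u:system_r:nginx_t tcontext=system_u:system_r:phpfpm_t tclass=unix_stream_socket
type=AVC msg=audit(1351974802.200:4569): avc:  denied  { read } for  pid=26089 comm="nginx" name="index.html" dev="sda1" ino=12 scontext=system_u:system_r:nginx_t tcontext=system_u:object_r:user_home_t tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    return {
        "perms": set(m.group("perms").split()),
        "sdomain": fields["scontext"].split(":")[2],  # e.g. nginx_t
        "ttype": fields["tcontext"].split(":")[2],    # e.g. phpfpm_var_run_t
        "tclass": fields["tclass"],
        "comm": fields.get("comm", "?"),
    }


def module_of(selinux_type):
    """Heuristic (assumption): the policy module is the first '_'-separated
    token of the type name, so phpfpm_var_run_t and phpfpm_t -> phpfpm."""
    base = selinux_type[:-2] if selinux_type.endswith("_t") else selinux_type
    return base.split("_")[0]


def is_stream_connect_denial(rec):
    """A unix stream connect needs 'write' on the sock_file and 'connectto' on
    the listener's unix_stream_socket; <module>_stream_connect() grants both."""
    return (rec["tclass"] == "sock_file" and "write" in rec["perms"]) or (
        rec["tclass"] == "unix_stream_socket" and "connectto" in rec["perms"]
    )


def suggest_policy(log_text):
    """Group stream-connect denials per source domain into interface calls;
    return everything else as 'unhandled' so nothing is mapped by accident."""
    interfaces = {}  # source domain -> list of interface calls
    unhandled = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        if is_stream_connect_denial(rec):
            call = f"{module_of(rec['ttype'])}_stream_connect({rec['sdomain']})"
            calls = interfaces.setdefault(rec["sdomain"], [])
            if call not in calls:
                calls.append(call)
        else:
            unhandled.append(rec)
    return {
        "interfaces": {d: sorted(c) for d, c in interfaces.items()},
        "unhandled": unhandled,
    }


def render_optional_policy(interfaces):
    """Render refpolicy-style optional_policy blocks (m4 quoting: ` ... ')."""
    out = []
    for domain, calls in sorted(interfaces.items()):
        out.append(f"# for the {domain} domain's .te file")
        for call in calls:
            out.append("optional_policy(`\n\t" + call + "\n')")
    return "\n".join(out)


if __name__ == "__main__":
    result = suggest_policy(SAMPLE_AVC_LOG)
    print(render_optional_policy(result["interfaces"]))
    for rec in result["unhandled"]:
        print(f"# not covered: {rec['comm']} {rec['perms']} on {rec['tclass']} "
              f"({rec['sdomain']} -> {rec['ttype']})")
```

Running it on the sample prints the single `phpfpm_stream_connect(nginx_t)` block that this bug adds and lists the file read denial as not covered, which is the point: a stream_connect interface fixes exactly the sock_file/unix_stream_socket pair, and any other denial in the same log needs its own look rather than being swept into the same rule.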
Comment 1 Sven Vermeulen (RETIRED) gentoo-dev 2012-11-07 19:51:51 UTC
Is this sufficient (i.e. have you tested adding this)?
Comment 2 Vincent Brillault 2012-11-07 20:10:09 UTC
Yes, it is, at least on my server.

I resolved the denials and the corresponding nginx error ('502 Bad Gateway' on the client and '[crit] 2017#0: *1230 connect() to unix:/var/run/php5-fpm/php-fpm.sock failed (13: Permission denied) while connecting to upstream' in the nginx logs) by adding this rule, 'phpfpm_stream_connect(nginx_t)', to my policies.
Comment 3 Sven Vermeulen (RETIRED) gentoo-dev 2012-11-07 20:18:24 UTC
Great, thanks. Added in our repo, will also be part of r7
Comment 4 Sven Vermeulen (RETIRED) gentoo-dev 2012-11-14 21:11:04 UTC
r7 is now in hardened-dev
Comment 5 Sven Vermeulen (RETIRED) gentoo-dev 2012-11-18 15:25:34 UTC
In main tree, ~arch'ed
Comment 6 Sven Vermeulen (RETIRED) gentoo-dev 2012-12-13 10:14:15 UTC
r8 is now stable