RHEL-153753
[rhel-8] PHP-FPM slow log doesn't work with SELinux


      What were you trying to do that didn't work?

      PHP-FPM slow logs don't work when SELinux is enabled.

      What is the impact of this issue to you?

      No logs of slow pages.

      Please provide the package NVR for which the bug is seen:

      All releases of php-fpm, including:

      • php-fpm-7.2.24-1.module+el8.2.0+4601+7c76a223
      • php-fpm-8.2.30-1.module+el8.10.0+23848+33d54484

      How reproducible is this bug?:

      Always.

      Steps to reproduce

      1. Configure PHP-FPM and set `request_slowlog_timeout = 5` in `/etc/php-fpm.d/www.conf`;
      2. Create a PHP file in `/var/www/html/test.php` with the following content:
      <?php
      echo "Hello\n";
      flush();
      sleep(10);
      echo "Done waiting!";
      ?>
      3. Configure NGiNX to access the PHP FastCGI server:
              location / {
                  include fastcgi_params;
                  fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                  fastcgi_param SCRIPT_NAME $fastcgi_script_name;
                  fastcgi_index  index.php;
                  fastcgi_pass unix:/run/php-fpm/www.sock;
              }

      4. Access `http://127.0.0.1/test.php`:
      $ curl http://127.0.0.1/test.php
      Hello
      Done waiting!
      5. Check the PHP-FPM logs:
      $ ls -la /var/log/php-fpm/
      total 8
      drwxrwx---.  2 apache root   43 Mar  5 15:11 .
      drwxr-xr-x. 13 root   root 4096 Mar  5 14:49 ..
      -rw-------.  1 root   root  728 Mar  5 15:11 error.log
      -rw-------.  1 root   root    0 Mar  5 15:11 www-slow.log


      Note that `www-slow.log` has no content, 0 bytes!

      6. Checking `audit.log`, we find:
      type=AVC msg=audit(1772734296.990:1384): avc:  denied  { sys_ptrace } for  pid=125310 comm="php-fpm" capability=19  scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=0
      type=SYSCALL msg=audit(1772734296.990:1384): arch=c000003e syscall=101 success=no exit=-1 a0=10 a1=1e982 a2=0 a3=0 items=0 ppid=1 pid=125310 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="php-fpm" exe="/usr/sbin/php-fpm" subj=system_u:system_r:httpd_t:s0 key=(null)ARCH=x86_64 SYSCALL=ptrace AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
      type=PROCTITLE msg=audit(1772734296.990:1384): proctitle=7068702D66706D3A206D61737465722070726F6365737320282F6574632F7068702D66706D2E636F6E6629 

      Expected results

      Get log content in `/var/log/php-fpm/www-slow.log`.

      Actual results

      The log file is created, but it stays empty.

      Checking the policy, we see there is no allow rule, only a conditional dontaudit rule:

      # sesearch -A -s httpd_t -c capability -p sys_ptrace
      --> nothing
      
      # sesearch --dontaudit -s httpd_t -c capability -p sys_ptrace
      dontaudit httpd_t httpd_t:capability sys_ptrace; [ httpd_run_stickshift ]:True
      

      We need an allow rule to be added, probably conditionally based on a boolean (see below in further analysis).

      Analysis

      `php-fpm` runs in the same context as httpd: `httpd_t`.

      When `request_slowlog_timeout` is enabled, the `fpm_trace_signal()` function fires on timeout and internally tries to `ptrace(PTRACE_ATTACH)` the child process running the PHP script:

      (gdb) bt
      #0  ptrace (request=request@entry=PTRACE_ATTACH) at ../sysdeps/unix/sysv/linux/ptrace.c:45
      #1  0x00005591b2058f59 in fpm_trace_signal (pid=2061)
          at /usr/src/debug/php-8.2.30-1.module+el8.10.0+23848+33d54484.x86_64/sapi/fpm/fpm/fpm_trace_ptrace.c:29
      #2  0x00005591b204f1cb in fpm_request_check_timed_out (child=child@entry=0x5591b422d6b0, 
          now=now@entry=0x7ffc861cc160, terminate_timeout=terminate_timeout@entry=0, 
          slowlog_timeout=slowlog_timeout@entry=5, track_finished=track_finished@entry=0)
          at /usr/src/debug/php-8.2.30-1.module+el8.10.0+23848+33d54484.x86_64/sapi/fpm/fpm/fpm_request.c:259
      #3  0x00005591b204de3c in fpm_pctl_check_request_timeout (now=0x7ffc861cc160)
          at /usr/src/debug/php-8.2.30-1.module+el8.10.0+23848+33d54484.x86_64/sapi/fpm/fpm/fpm_process_ctl.c:309
      #4  fpm_pctl_heartbeat (ev=<optimized out>, which=<optimized out>, arg=<optimized out>)
          at /usr/src/debug/php-8.2.30-1.module+el8.10.0+23848+33d54484.x86_64/sapi/fpm/fpm/fpm_process_ctl.c:470
      #5  0x00005591b2049f23 in fpm_event_fire (ev=0x5591b248e080 <heartbeat>)
          at /usr/src/debug/php-8.2.30-1.module+el8.10.0+23848+33d54484.x86_64/sapi/fpm/fpm/fpm_events.c:487
      #6  fpm_event_loop (err=err@entry=0)
          at /usr/src/debug/php-8.2.30-1.module+el8.10.0+23848+33d54484.x86_64/sapi/fpm/fpm/fpm_events.c:467
      #7  0x00005591b2043a27 in fpm_run (max_requests=0x7ffc861cc36c)
          at /usr/src/debug/php-8.2.30-1.module+el8.10.0+23848+33d54484.x86_64/sapi/fpm/fpm/fpm.c:113
      #8  0x00005591b1d92a76 in main (argc=2, argv=0x7ffc861cc968)
          at /usr/src/debug/php-8.2.30-1.module+el8.10.0+23848+33d54484.x86_64/sapi/fpm/fpm/fpm_main.c:1847

      Source code (`sapi/fpm/fpm/fpm_trace_ptrace.c`, line 29 is the call seen in the backtrace):

       27 int fpm_trace_signal(pid_t pid) /* {{{ */
       28 {
       29         if (0 > ptrace(PTRACE_ATTACH, pid, 0, 0)) {
       30                 zlog(ZLOG_SYSERROR, "failed to ptrace(ATTACH) child %d", pid);
       31                 return -1;
       32         }
       33         return 0;
       34 }

      The operation is therefore legitimate and needs to be allowed by the SELinux policy, but preferably behind a new boolean such as `httpd_allow_ptrace`, so that the rule is not enabled unconditionally.
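      A minimal CIL policy module implementing that proposal, written here as an illustration (it is not part of the report, nor shipped RHEL policy), using the boolean name suggested above; the module file name is arbitrary:

```cil
;; php_fpm_slowlog.cil -- illustrative local module, not shipped RHEL policy.
;; The boolean defaults to off, so httpd_t gains nothing until an admin opts in.
(boolean httpd_allow_ptrace false)

(booleanif httpd_allow_ptrace
    (true
        ;; The AVC from the report: the php-fpm master (httpd_t, root) needs
        ;; CAP_SYS_PTRACE because the child it attaches to runs as a different uid.
        (allow httpd_t self (capability (sys_ptrace)))
        ;; The SELinux ptrace hook additionally checks process:ptrace between
        ;; tracer and tracee; both are httpd_t here.
        (allow httpd_t self (process (ptrace)))))
```

      Load it with `semodule -i php_fpm_slowlog.cil` and enable it only on hosts that actually use the slow log with `setsebool -P httpd_allow_ptrace on`. Afterwards `sesearch -A -s httpd_t -c capability -p sys_ptrace` should list the conditional allow rule instead of returning nothing.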

              rhn-support-zpytela Zdenek Pytela
              rhn-support-eazevedo Ernani Azevedo
              Zdenek Pytela Zdenek Pytela
              SSG Security QE SSG Security QE