RHEL-153779: [rhel-10] PHP-FPM slow log doesn't work with SELinux


    • Severity: Moderate
    • Component: rhel-security-selinux

      What were you trying to do that didn't work?

      PHP-FPM slow logs don't work when SELinux is enabled.

      What is the impact of this issue to you?

      No logs of slow pages.

      Please provide the package NVR for which the bug is seen:

      All releases of php-fpm

      How reproducible is this bug?:

      Always.

      Steps to reproduce

      1. Configure PHP-FPM, and enable the `request_slowlog_timeout = 5` value in `/etc/php-fpm.d/www.conf`;
      2. Create a PHP file in `/var/www/html/test.php` with the following content:
             <?php
             echo "Hello\n";
             flush();
             sleep(10);
             echo "Done waiting!";
             ?>
      3. Configure NGINX to access the PHP FastCGI server:
             location / {
                 include fastcgi_params;
                 fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                 fastcgi_param SCRIPT_NAME $fastcgi_script_name;
                 fastcgi_index  index.php;
                 fastcgi_pass unix:/run/php-fpm/www.sock;
             }
      4. Access `http://127.0.0.1/test.php`:
             $ curl http://127.0.0.1/test.php
             Hello
             Done waiting!
      5. Check the PHP-FPM logs:
             $ ls -la /var/log/php-fpm/
             total 8
             drwxrwx---.  2 apache root   43 Mar  5 15:11 .
             drwxr-xr-x. 13 root   root 4096 Mar  5 14:49 ..
             -rw-------.  1 root   root  728 Mar  5 15:11 error.log
             -rw-------.  1 root   root    0 Mar  5 15:11 www-slow.log

      Note that `www-slow.log` has no content, 0 bytes!
      Checking AVCs, we see nothing at all.

      Expected results

      Get log content in `/var/log/php-fpm/www-slow.log`.

      Actual results

      Log file is created, but no content is displayed.

      Checking policies, we can see there is no allow rule present, but an unconditional dontaudit rule:

      # sesearch --dontaudit -s httpd_t -c capability -p sys_ptrace
      dontaudit httpd_t httpd_t:capability { dac_read_search net_admin sys_module sys_ptrace sys_resource sys_tty_config };
      

      We need an allow rule to be added, probably conditionally based on a boolean (see below in further analysis).

      Analysis

      See main JIRA RHEL-153753.
      The operation is legit and needs to be authorized in the SELinux policy, but probably as a new boolean such as `httpd_allow_ptrace` to avoid having the rule be unconditionally enabled.
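      As an added example (not part of this issue, and not code from the shipped selinux-policy), the following shell script writes a local CIL module that implements the conditional rule the analysis suggests: the `httpd_t` domain gets `capability sys_ptrace` on itself only while a boolean is on. The boolean name `httpd_allow_ptrace` is the name proposed above, not one that exists in the policy today; the module name, file name and function names are this example's own. It also prints the commands a practitioner would use to load the module and to temporarily disable dontaudit rules (`semodule -DB`) so that any denial still hidden behind the dontaudit rule shown by `sesearch` becomes visible in the audit log while reproducing.

```shell
#!/bin/sh
# Added example, not from the JIRA issue or the selinux-policy package.
# Assumptions: the boolean name httpd_allow_ptrace is the reporter's proposal,
# not an existing policy boolean; module/file names are this example's own.

# Print the CIL source for a local policy module. A boolean that defaults to
# off gates the allow rule, so the capability is not granted unconditionally.
httpd_ptrace_cil() {
    cat <<'EOF'
; Local module (example): let the PHP-FPM master (httpd_t) use CAP_SYS_PTRACE
; to backtrace a slow worker (also httpd_t), but only when the boolean is on.
(typeattributeset cil_gen_require httpd_t)
(boolean httpd_allow_ptrace false)
(booleanif httpd_allow_ptrace
    (true
        (allow httpd_t self (capability (sys_ptrace)))))
EOF
}

# Write the module to the given path (default ./httpd_ptrace.cil).
# Returns non-zero if the file cannot be written.
write_httpd_ptrace_module() {
    out="${1:-./httpd_ptrace.cil}"
    httpd_ptrace_cil > "$out"
}

# Print the operator steps. They are shown rather than run because they need
# root on an SELinux-enabled host; this script itself only generates the module.
print_next_steps() {
    mod="${1:-./httpd_ptrace.cil}"
    cat <<EOF
# 1. Load the module and switch the boolean on persistently:
semodule -i $mod
setsebool -P httpd_allow_ptrace on
# 2. Temporarily disable dontaudit rules so hidden denials become visible,
#    reproduce, then inspect the audit log for remaining AVCs:
semodule -DB
curl http://127.0.0.1/test.php
ausearch -m AVC -ts recent
# 3. Restore the dontaudit rules once the analysis is done:
semodule -B
EOF
}

# Stand-alone run: generate the module and show the follow-up commands.
write_httpd_ptrace_module "${HTTPD_PTRACE_OUT:-./httpd_ptrace.cil}"
print_next_steps "${HTTPD_PTRACE_OUT:-./httpd_ptrace.cil}"
```

      The `semodule -DB` step is what turns the "Checking AVCs, we see nothing at all" symptom into an actionable denial: with the dontaudit rules rebuilt out of the policy, the `sys_ptrace` denial (and any other denial the slow-log backtrace triggers) is logged, which is how to confirm the module covers everything before re-enabling dontaudit with `semodule -B`.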

       

              Zdenek Pytela (rhn-support-zpytela)
              Ernani Azevedo (rhn-support-eazevedo)
              SSG Security QE