
SELinux AVC errors in php-fpm (execmem)

Posted: 2020/04/21 21:47:46
by KernelOops
Hello everyone,

I have a strange problem that I can't figure out how to debug. Every time I start (or restart/reload) php-fpm, I get two AVC errors about execmem. These are typical and happen quite a lot when something (php-fpm in this case) tries to access or execute some file or socket.

While the quick solution is to allow execmem, this does not solve the real problem, what caused it in the first place. What file was php-fpm trying to access or execute?

These are the audit.log lines, but they are not very helpful to identify what php-fpm is trying to do:


type=AVC msg=audit(1587505005.320:326): avc:  denied  { execmem } for  pid=2425 comm="php-fpm" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=0
type=SYSCALL msg=audit(1587505005.320:326): arch=c000003e syscall=9 success=no exit=-13 a0=55845b800000 a1=200000 a2=7 a3=40032 items=0 ppid=1 pid=2425 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="php-fpm" exe="/usr/sbin/php-fpm" subj=system_u:system_r:httpd_t:s0 key=(null)ARCH=x86_64 SYSCALL=mmap AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=PROCTITLE msg=audit(1587505005.320:326): proctitle=2F7573722F7362696E2F7068702D66706D002D2D6E6F6461656D6F6E697A65
type=AVC msg=audit(1587505005.321:327): avc:  denied  { execmem } for  pid=2425 comm="php-fpm" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=0
type=SYSCALL msg=audit(1587505005.321:327): arch=c000003e syscall=9 success=no exit=-13 a0=55845b800000 a1=200000 a2=7 a3=32 items=0 ppid=1 pid=2425 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="php-fpm" exe="/usr/sbin/php-fpm" subj=system_u:system_r:httpd_t:s0 key=(null)ARCH=x86_64 SYSCALL=mmap AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=PROCTITLE msg=audit(1587505005.321:327): proctitle=2F7573722F7362696E2F7068702D66706D002D2D6E6F6461656D6F6E697A65
Since I execute php-fpm as a user under /home/user/public_html/, maybe it has something to do with that user trying to access /var/log/php-fpm logs. I tried variations of the following options:

access.log = /home/user/tmp/$pool.access.log
slowlog = /home/user/tmp/slow.log
php_admin_value[error_log] = /home/user/tmp/error_log

but none of them made any difference, still php-fpm is trying to execmem something but I don't know what. I'd like to add that the website is running fine without errors and everything appears normal. The above errors only appear when php-fpm is started/loaded, no other time.

Does anyone have any suggestions on how to dig deeper?

Thank you.
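The records quoted in the post already answer the "what file" question, once decoded: the AVC has tclass=process with scontext equal to tcontext, so no file or socket is the target; execmem is the permission to make anonymous (file-less) memory executable. The SYSCALL record says which call was refused: syscall=9 on arch=c000003e is mmap(), a2=7 is PROT_READ|PROT_WRITE|PROT_EXEC, a1=0x200000 is 2 MiB, a0 is a 2 MiB-aligned address inside the php-fpm binary, and a3 is MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS|MAP_HUGETLB on the first attempt and the same without MAP_HUGETLB on the retry, both failing with exit=-13 (EACCES). The PROCTITLE hex is the argv, "/usr/sbin/php-fpm --nodaemonize". The script below is an added example, not code from the thread; it embeds the two SYSCALL/PROCTITLE pairs from the post (abridged to the fields it uses) and decodes them with the x86_64 constants from <sys/mman.h>, which is roughly what `ausearch -i` does for the syscall name but not for the mmap arguments.

```python
"""Decode execmem-related mmap() SYSCALL and PROCTITLE records from audit.log.

Added example, not from the forum post. SAMPLE is copied from the audit.log
excerpt in the post, abridged to the fields this script reads. Bit values are
the x86_64 Linux ones from <sys/mman.h> / <asm-generic/mman.h>.
"""
import re

PROT_BITS = {0x1: "PROT_READ", 0x2: "PROT_WRITE", 0x4: "PROT_EXEC"}
MAP_BITS = {
    0x01: "MAP_SHARED", 0x02: "MAP_PRIVATE", 0x10: "MAP_FIXED",
    0x20: "MAP_ANONYMOUS", 0x100: "MAP_GROWSDOWN", 0x800: "MAP_DENYWRITE",
    0x1000: "MAP_EXECUTABLE", 0x2000: "MAP_LOCKED", 0x4000: "MAP_NORESERVE",
    0x8000: "MAP_POPULATE", 0x10000: "MAP_NONBLOCK", 0x20000: "MAP_STACK",
    0x40000: "MAP_HUGETLB", 0x100000: "MAP_FIXED_NOREPLACE",
}
NR_MMAP_X86_64 = 9            # syscall=9 together with arch=c000003e is mmap()
ERRNO = {-13: "EACCES", -12: "ENOMEM", -22: "EINVAL"}

# field=value or field="quoted value"; audit records are space separated
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Abridged copy of the records quoted in the post (constructed sample input).
SAMPLE = """\
type=SYSCALL msg=audit(1587505005.320:326): arch=c000003e syscall=9 success=no exit=-13 a0=55845b800000 a1=200000 a2=7 a3=40032 pid=2425 comm="php-fpm" exe="/usr/sbin/php-fpm" subj=system_u:system_r:httpd_t:s0 key=(null)
type=PROCTITLE msg=audit(1587505005.320:326): proctitle=2F7573722F7362696E2F7068702D66706D002D2D6E6F6461656D6F6E697A65
type=SYSCALL msg=audit(1587505005.321:327): arch=c000003e syscall=9 success=no exit=-13 a0=55845b800000 a1=200000 a2=7 a3=32 pid=2425 comm="php-fpm" exe="/usr/sbin/php-fpm" subj=system_u:system_r:httpd_t:s0 key=(null)
type=PROCTITLE msg=audit(1587505005.321:327): proctitle=2F7573722F7362696E2F7068702D66706D002D2D6E6F6461656D6F6E697A65
"""


def parse_record(line):
    """Turn one audit record into a dict of field -> raw value (quotes stripped)."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def decode_bits(value, table):
    """Render a bitmask as OR-ed symbolic names; unknown bits are kept as hex."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    unknown = value & ~sum(table)
    if unknown:
        names.append(hex(unknown))
    return "|".join(names) or "0"


def decode_mmap(rec):
    """Decode a0..a3 (addr, length, prot, flags) of an x86_64 mmap() record."""
    if rec.get("type") != "SYSCALL" or rec.get("arch") != "c000003e" \
            or int(rec["syscall"]) != NR_MMAP_X86_64:
        raise ValueError("not an x86_64 mmap SYSCALL record")
    addr, length, prot, flags = (int(rec[k], 16) for k in ("a0", "a1", "a2", "a3"))
    rc = int(rec["exit"])
    return {
        "event": rec["msg"],                     # audit(ts:serial): joins records
        "addr": hex(addr),
        "length": length,
        "prot": decode_bits(prot, PROT_BITS),
        "flags": decode_bits(flags, MAP_BITS),
        "result": ERRNO.get(rc, str(rc)),
        # execmem governs executable anonymous memory: with MAP_ANONYMOUS set
        # there is no backing file to go looking for.
        "anonymous_exec": bool(prot & 0x4 and flags & 0x20),
    }


def decode_proctitle(rec):
    """PROCTITLE carries argv hex-encoded with NUL separators when it has spaces."""
    raw = rec["proctitle"]
    try:
        return [a.decode() for a in bytes.fromhex(raw).split(b"\0")]
    except ValueError:                            # short titles are logged quoted
        return raw.split()


def decode_log(text):
    """Group SYSCALL and PROCTITLE records by their audit(ts:serial) id."""
    events = {}
    for line in text.splitlines():
        rec = parse_record(line)
        ev = events.setdefault(rec["msg"], {})
        if rec["type"] == "SYSCALL":
            ev.update(decode_mmap(rec))
        elif rec["type"] == "PROCTITLE":
            ev["argv"] = decode_proctitle(rec)
    return list(events.values())


if __name__ == "__main__":
    for ev in decode_log(SAMPLE):
        print(ev)
```

Read together, the two events are one operation: php-fpm asked for a 2 MiB anonymous, fixed-address, read-write-execute mapping over its own text segment with huge pages, and when that was refused it retried the same mapping without MAP_HUGETLB. In my reading that is the remap PHP's opcache performs when opcache.huge_code_pages is enabled (it copies the binary's code into a fresh RWX mapping at the same address, preferring huge pages); the cheap confirmation is to set opcache.huge_code_pages=0 in the opcache ini, restart php-fpm and see whether the two denials disappear. Note that this also explains why the site works: the remap is an optimisation with a fallback, so the EACCES is simply absorbed. If you need the exact userland caller rather than an inference, start php-fpm under `strace -f -e trace=mmap` (adding `-k` for a stack trace on builds that support it) and look for the mmap with PROT_EXEC that returns EACCES; `ausearch -i -m AVC,SYSCALL` will at least translate the syscall number and uids for you.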

Re: SELinux AVC errors in php-fpm (execmem)

Posted: 2020/04/22 14:17:15
by aks

Re: SELinux AVC errors in php-fpm (execmem)

Posted: 2020/04/22 14:25:48
by TrevorH


# cat youravcs.txt | audit2allow -m t

module t 1.0;

require {
	type httpd_t;
	class process execmem;
}

#============= httpd_t ==============

#!!!! This avc can be allowed using the boolean 'httpd_execmem'
allow httpd_t self:process execmem;

Re: SELinux AVC errors in php-fpm (execmem)

Posted: 2020/04/22 18:52:33
by KernelOops
TrevorH, please read my description above: I mention that an easy way to avoid the error is to enable execmem, which is what you do with your allow module, but I also mention that this is not the correct way, because I won't know what the actual cause is (what specific file php-fpm is trying to access/execute).