SELinux AVC errors in php-fpm (execmem)

Support for security such as firewalls and securing Linux
KernelOops
Posts: 349
Joined: 2013/12/18 15:04:03
Location: xfs file system

SELinux AVC errors in php-fpm (execmem)

Post by KernelOops » 2020/04/21 21:47:46

Hello everyone,

I have a strange problem that I can't figure out how to debug. Every time I start (or restart/reload) php-fpm, I get two AVC errors about execmem. These are typical and happen quite a lot when something (php-fpm in this case) tries to access or execute some file or socket.

While the quick solution is to allow execmem, this does not solve the real problem, what caused it in the first place. What file was php-fpm trying to access or execute?

These are the audit.log lines, but they are not very helpful to identify what php-fpm is trying to do:


type=AVC msg=audit(1587505005.320:326): avc:  denied  { execmem } for  pid=2425 comm="php-fpm" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=0
type=SYSCALL msg=audit(1587505005.320:326): arch=c000003e syscall=9 success=no exit=-13 a0=55845b800000 a1=200000 a2=7 a3=40032 items=0 ppid=1 pid=2425 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="php-fpm" exe="/usr/sbin/php-fpm" subj=system_u:system_r:httpd_t:s0 key=(null)ARCH=x86_64 SYSCALL=mmap AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=PROCTITLE msg=audit(1587505005.320:326): proctitle=2F7573722F7362696E2F7068702D66706D002D2D6E6F6461656D6F6E697A65
type=AVC msg=audit(1587505005.321:327): avc:  denied  { execmem } for  pid=2425 comm="php-fpm" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=0
type=SYSCALL msg=audit(1587505005.321:327): arch=c000003e syscall=9 success=no exit=-13 a0=55845b800000 a1=200000 a2=7 a3=32 items=0 ppid=1 pid=2425 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="php-fpm" exe="/usr/sbin/php-fpm" subj=system_u:system_r:httpd_t:s0 key=(null)ARCH=x86_64 SYSCALL=mmap AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=PROCTITLE msg=audit(1587505005.321:327): proctitle=2F7573722F7362696E2F7068702D66706D002D2D6E6F6461656D6F6E697A65
Since I execute php-fpm as a user under /home/user/public_html/, maybe it has something to do with that user trying to access /var/log/php-fpm logs. I tried variations of the following options:

access.log = /home/user/tmp/$pool.access.log
slowlog = /home/user/tmp/slow.log
php_admin_value[error_log] = /home/user/tmp/error_log

but none of them made any difference; php-fpm is still trying to execmem something, but I don't know what. I'd like to add that the website is running fine without errors and everything appears normal. The above errors only appear when php-fpm is started/loaded, never at any other time.

Does anyone have any suggestions on how to dig deeper?

Thank you.
--
I love my computer - all my friends live there.
--
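Added example, not part of the thread: the SYSCALL records quoted above already say what php-fpm was doing once a0..a3 are decoded for mmap(2) on x86_64. The script below embeds those two records as constructed sample input (the post's own lines with the enriched-format tail dropped) and decodes them with the PROT_*/MAP_* values from <sys/mman.h>. a2=7 is PROT_READ|PROT_WRITE|PROT_EXEC, a3=40032 is MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS|MAP_HUGETLB and a3=32 is the same without MAP_HUGETLB, so the denial is a 2 MiB, 2 MiB-aligned anonymous RWX mapping placed over the process's own address space and retried without huge pages; no file or socket is involved, which is why changing log paths in the pool config cannot affect it. That sequence is what PHP's opcache does with opcache.huge_code_pages=1 when it remaps php-fpm's code segment onto huge pages, so the quick check is to set opcache.huge_code_pages=0, restart php-fpm and confirm the two AVCs are gone. That attribution is my reading of the log rather than something the thread establishes; the huge_page_fallback flag in analyze() is a heuristic for exactly that pattern and nothing more.

```python
"""Decode the mmap(2) arguments behind an SELinux execmem denial.

Added example for this thread, not code from the original post. It parses audit
SYSCALL records, decodes a0..a3 for mmap on x86_64 using the flag values from
<sys/mman.h>, and reports whether the denied mapping was file-backed or anonymous.
"""
import errno
import re

# Constructed sample input: the two SYSCALL records from the post above, with the
# enriched-format tail (ARCH=... SYSCALL=mmap ...) dropped so the block runs offline.
SAMPLE_RECORDS = [
    'type=SYSCALL msg=audit(1587505005.320:326): arch=c000003e syscall=9 success=no '
    'exit=-13 a0=55845b800000 a1=200000 a2=7 a3=40032 items=0 ppid=1 pid=2425 '
    'auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) '
    'ses=4294967295 comm="php-fpm" exe="/usr/sbin/php-fpm" subj=system_u:system_r:httpd_t:s0 key=(null)',
    'type=SYSCALL msg=audit(1587505005.321:327): arch=c000003e syscall=9 success=no '
    'exit=-13 a0=55845b800000 a1=200000 a2=7 a3=32 items=0 ppid=1 pid=2425 '
    'auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) '
    'ses=4294967295 comm="php-fpm" exe="/usr/sbin/php-fpm" subj=system_u:system_r:httpd_t:s0 key=(null)',
]

AUDIT_ARCH_X86_64 = "c000003e"  # value of arch= on 64-bit x86 records
SYS_MMAP_X86_64 = 9             # syscall number of mmap(2) on x86_64
HUGE_PAGE = 2 * 1024 * 1024     # x86_64 huge page size in bytes

PROT_BITS = {0x1: "PROT_READ", 0x2: "PROT_WRITE", 0x4: "PROT_EXEC"}
MAP_BITS = {
    0x01: "MAP_SHARED", 0x02: "MAP_PRIVATE", 0x10: "MAP_FIXED", 0x20: "MAP_ANONYMOUS",
    0x100: "MAP_GROWSDOWN", 0x800: "MAP_DENYWRITE", 0x1000: "MAP_EXECUTABLE",
    0x2000: "MAP_LOCKED", 0x4000: "MAP_NORESERVE", 0x8000: "MAP_POPULATE",
    0x10000: "MAP_NONBLOCK", 0x20000: "MAP_STACK", 0x40000: "MAP_HUGETLB",
    0x80000: "MAP_SYNC", 0x100000: "MAP_FIXED_NOREPLACE",
}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r'audit\(([\d.]+):(\d+)\)')


def parse_fields(record):
    """Split a raw audit record into {field: value}; quoted values lose their quotes."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(record)}


def decode_bits(value, table):
    """Expand a bitmask into symbolic names, keeping any unknown bits as hex."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    unknown = value & ~sum(table)
    if unknown:
        names.append(hex(unknown))
    return names


def decode_mmap_denial(record):
    """Describe a failed mmap() SYSCALL record on x86_64; return None for anything else."""
    f = parse_fields(record)
    if (f.get("type") != "SYSCALL" or f.get("arch") != AUDIT_ARCH_X86_64
            or f.get("syscall") != str(SYS_MMAP_X86_64) or f.get("success") != "no"):
        return None
    addr, length, prot, flags = (int(f[k], 16) for k in ("a0", "a1", "a2", "a3"))
    ret = int(f["exit"])
    return {
        "serial": int(MSG_RE.search(f["msg"]).group(2)),
        "comm": f.get("comm"),
        "exe": f.get("exe"),
        "addr": addr,
        "length": length,
        "prot": decode_bits(prot, PROT_BITS),
        "flags": decode_bits(flags, MAP_BITS),
        # MAP_ANONYMOUS means no file descriptor was mapped: nothing on disk to chase.
        "anonymous": bool(flags & 0x20),
        "errno": errno.errorcode.get(-ret, str(ret)),
    }


def analyze(records):
    """Summarise a batch of records and flag the huge-page-then-fallback pattern."""
    denials = [d for d in map(decode_mmap_denial, records) if d]
    rwx_anon = [d for d in denials
                if d["anonymous"] and d["prot"] == ["PROT_READ", "PROT_WRITE", "PROT_EXEC"]]
    fallback = False  # heuristic: same region tried with MAP_HUGETLB, then without
    for first, second in zip(denials, denials[1:]):
        same_region = (first["addr"], first["length"]) == (second["addr"], second["length"])
        if (same_region and "MAP_HUGETLB" in first["flags"]
                and "MAP_HUGETLB" not in second["flags"]
                and first["length"] % HUGE_PAGE == 0 and first["addr"] % HUGE_PAGE == 0):
            fallback = True
    return {
        "denials": len(denials),
        "rwx_anonymous": len(rwx_anon),
        "file_backed": sum(1 for d in denials if not d["anonymous"]),
        "huge_page_fallback": fallback,
    }


if __name__ == "__main__":
    for d in map(decode_mmap_denial, SAMPLE_RECORDS):
        print(f"serial {d['serial']}: {d['comm']} mmap({d['addr']:#x}, {d['length']:#x}, "
              f"{'|'.join(d['prot'])}, {'|'.join(d['flags'])}) -> {d['errno']}")
    print(analyze(SAMPLE_RECORDS))
```

To run it against the live log, feed it the SYSCALL lines from `ausearch -m AVC,SYSCALL -c php-fpm -ts recent`; a file-backed mapping would show up without MAP_ANONYMOUS in the flags, and that is the case where it is worth going after the file the process opened.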

aks
Posts: 3033
Joined: 2014/09/20 11:22:14

Re: SELinux AVC errors in php-fpm (execmem)

Post by aks » 2020/04/22 14:17:15


TrevorH
Forum Moderator
Posts: 29722
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: SELinux AVC errors in php-fpm (execmem)

Post by TrevorH » 2020/04/22 14:25:48


# cat youravcs.txt | audit2allow -m t

module t 1.0;

require {
	type httpd_t;
	class process execmem;
}

#============= httpd_t ==============

#!!!! This avc can be allowed using the boolean 'httpd_execmem'
allow httpd_t self:process execmem;
KernelOops
Posts: 349
Joined: 2013/12/18 15:04:03
Location: xfs file system

Re: SELinux AVC errors in php-fpm (execmem)

Post by KernelOops » 2020/04/22 18:52:33

TrevorH, please read my description above. I mention that an easy way to avoid the error is to enable execmem, which is what your allow module does, but I also mention that this is not the correct way, because I won't know the actual cause (what specific file php-fpm is trying to access/execute).
