cachetool doesn't work out of the box with SELinux #9
Permissions on the file are already set to
Permissions aren't the only concern when using SELinux, security contexts are. I'm using Fedora 21 with SELinux turned on, but I imagine this could also be replicated with CentOS 7 or Fedora 20.
I will have a look this weekend
Yeah, I guess without any custom configuration in SELinux, this can't be avoided by cachetool.
Closing this issue due to inactivity. Have you been able to make it work with SELinux?
I've set SELinux to permissive for now, I haven't had time to deal with it yet.
Let me know if you find a fix for it.
Sorry - 5 years too late 😄 I hope the below helps others who stumble here. It's not so much that php-fpm doesn't have access, but that cachetool isn't running in the same domain as php-fpm. TLDR - you can compile and install an SELinux module to fix. If you run cachetool from an unconfined domain (such as unconfined_t - which you are in when you SSH or run via Cron) - then when you run cachetool it will run in that domain. In this domain - the file that gets created in /dev/shm is created as user_tmp_t (even though parent is tmpfs_t - due to unconfined transition). PHP-FPM running as httpd_t can access that file because the httpd_t domain can access user_tmp_t files. I think all processes can. So that interactions between your console and other domains work OK if they need to share temporary files. However, if you run cachetool from some other context it might be confined. For example, cloud-init is confined to the cloud_init_t domain, and is where I came across this. From this domain there is no transition from tmpfs_t to user_tmp_t so it remains as tmpfs_t. And thus, PHP-FPM running as httpd_t will be denied access as it cannot access tmpfs_t. You can see this in the audit logs (/var/log/audit/audit.log usually) by searching for
The fix for this is a module like follows. Just substitute the domain with the domain you are calling from. You can get the domain from the above audit entry from the
Save the above as module-name.te inside a folder called module-name.
(You can add the cachetool label to a file
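The commenter's module did not survive on this page. The script below is an added example, not the commenter's code, showing a module of that shape together with the build-and-install steps the comment describes; the module name cachetool_shm and the permission set { getattr open read } are assumptions, so confirm the set against the real AVC denials before loading it.

```shell
# Added example (not the commenter's module): a minimal SELinux policy
# module letting the php-fpm domain read the script cachetool drops into
# /dev/shm while that file is still labelled tmpfs_t. Module name
# (cachetool_shm) and the permission set are assumptions; confirm the set
# against the real AVC denials (ausearch -m avc -c php-fpm | audit2allow).

# Emit the type-enforcement (.te) source to stdout.
#   $1 = domain php-fpm runs in (the page's case: httpd_t)
#   $2 = module name (assumed default: cachetool_shm)
cachetool_te() {
    fpm_domain=${1:-httpd_t}
    name=${2:-cachetool_shm}
    cat <<EOF
module ${name} 1.0;

require {
    type ${fpm_domain};
    type tmpfs_t;
    class file { getattr open read };
}

# php-fpm must stat, open and read the cachetool script that a confined
# caller (e.g. cloud_init_t) leaves labelled tmpfs_t in /dev/shm.
allow ${fpm_domain} tmpfs_t:file { getattr open read };
EOF
}

# Build and load the module as the comment above describes: save
# module-name.te inside a folder called module-name, compile it
# (checkmodule and semodule_package from checkpolicy/policycoreutils),
# then install it with semodule. Needs root; nothing runs by default.
install_cachetool_module() {
    name=${1:-cachetool_shm}
    fpm_domain=${2:-httpd_t}
    mkdir -p "$name" &&
    cachetool_te "$fpm_domain" "$name" > "$name/$name.te" &&
    checkmodule -M -m -o "$name/$name.mod" "$name/$name.te" &&
    semodule_package -o "$name/$name.pp" -m "$name/$name.mod" &&
    semodule -i "$name/$name.pp"
}

# Usage (as root): install_cachetool_module cachetool_shm httpd_t
```

The allow rule grants php-fpm read access to every tmpfs_t file, which is broader than the dedicated cachetool label the comment hints at; if /dev/shm holds other tmpfs_t files php-fpm should not read, define a custom type for the cachetool script instead.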
You get a 404 on the FastCGI response because it doesn't have the permission to read the cachetool generated file.
I'm not sure if this is really solvable without changing selinux configuration, but i do wonder if the stdin option of the fastcgi client would fix it.
Can you think of a quick hack to try that out?