View Issue Details

ID: 0010741
Project: CentOS-7
Category: selinux-policy
View Status: public
Last Update: 2016-04-20 15:45
Reporter: anvil
Priority: high
Severity: minor
Reproducibility: always
Status: new
Resolution: open
Platform: (not set)
OS: 33.10.0-327.13.1.el7.x86_64
OS Version: 3.10
Product Version: 7.2.1511
Target Version: (not set)
Fixed in Version: (not set)
Summary: 0010741: selinux policy prevents httpd from writing to /anon_hugepage (deleted); php7 uses huge pages.
Description: Using php7 and getting the following sealert with httpd trying to write to anon_hugepage. php7 now uses anon huge pages and the SE policy needs updating.


# php -v
PHP 7.0.5 (cli) (built: Mar 31 2016 16:39:12) ( NTS )
Copyright (c) 1997-2016 The PHP Group
Zend Engine v3.0.0, Copyright (c) 1998-2016 Zend Technologies
    with Zend OPcache v7.0.6-dev, Copyright (c) 1999-2016, by Zend Technologies
Steps To Reproduce: sealert -a /var/log/audit/audit.log

Also regarding php7 and huge pages: http://jpauli.github.io/2015/10/28/huge-page.html

Additional Information: sealert -a /var/log/audit/audit.log
 91% done'list' object has no attribute 'split'
100% done
found 1 alerts in /var/log/audit/audit.log
--------------------------------------------------------------------------------

SELinux is preventing /usr/sbin/httpd from write access on the file /anon_hugepage (deleted).

***** Plugin restorecon (99.5 confidence) suggests ************************

If you want to fix the label.
/anon_hugepage (deleted) default label should be etc_runtime_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /anon_hugepage (deleted)

***** Plugin catchall (1.49 confidence) suggests **************************

If you believe that httpd should be allowed write access on the anon_hugepage (deleted) file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep httpd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:object_r:hugetlbfs_t:s0
Target Objects /anon_hugepage (deleted) [ file ]
Source httpd
Source Path /usr/sbin/httpd
Port <Unknown>
Host <Unknown>
Source RPM Packages httpd-2.4.6-40.el7.centos.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-60.el7_2.3.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name xxx
Platform Linux xxx 3.10.0-327.13.1.el7.x86_64
                              #1 SMP Thu Mar 31 16:04:38 UTC 2016 x86_64 x86_64
Alert Count 1
First Seen 2016-04-20 11:08:46 EDT
Last Seen 2016-04-20 11:08:46 EDT
Local ID 4cb3d1a6-223f-43cb-a6a4-27973cc76c70

Raw Audit Messages
type=AVC msg=audit(1461164926.310:333): avc: denied { write } for pid=1186 comm="httpd" path=2F616E6F6E5F6875676570616765202864656C6574656429 dev="hugetlbfs" ino=17520 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:hugetlbfs_t:s0 tclass=file


type=SYSCALL msg=audit(1461164926.310:333): arch=x86_64 syscall=mmap success=no exit=EACCES a0=0 a1=8000000 a2=3 a3=40021 items=0 ppid=1 pid=1186 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: httpd,httpd_t,hugetlbfs_t,file,write
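As an added example (not part of the report and not selinux-policy project code), a small Python decoder for the two audit records above: it decodes the hex-encoded path, pairs the AVC and SYSCALL records by event serial, and decodes the mmap prot/flags from a2/a3, which shows the denied write is a shared anonymous MAP_HUGETLB mapping, i.e. the opcache huge-page allocation the reporter describes. The bit values are the x86_64 constants from <sys/mman.h>; the SYSCALL record is trimmed to the fields used.

```python
import re

# mmap(2) argument bits on x86_64 Linux, from <sys/mman.h>
PROT_BITS = {0x1: "PROT_READ", 0x2: "PROT_WRITE", 0x4: "PROT_EXEC"}
MAP_BITS = {0x01: "MAP_SHARED", 0x02: "MAP_PRIVATE", 0x10: "MAP_FIXED",
            0x20: "MAP_ANONYMOUS", 0x40000: "MAP_HUGETLB"}

# The two records from the report (SYSCALL line re-joined and trimmed).
AVC = ('type=AVC msg=audit(1461164926.310:333): avc: denied { write } for pid=1186 '
       'comm="httpd" path=2F616E6F6E5F6875676570616765202864656C6574656429 dev="hugetlbfs" '
       'ino=17520 scontext=system_u:system_r:httpd_t:s0 '
       'tcontext=system_u:object_r:hugetlbfs_t:s0 tclass=file')
SYSCALL = ('type=SYSCALL msg=audit(1461164926.310:333): arch=x86_64 syscall=mmap '
           'success=no exit=EACCES a0=0 a1=8000000 a2=3 a3=40021 items=0 ppid=1 pid=1186 '
           'comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)')

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Split an audit record into a dict. auditd hex-encodes a path that
    contains spaces (here the " (deleted)" suffix), so decode it back."""
    fields = {}
    for key, val in KV_RE.findall(line):
        val = val.strip('"')
        if key == "path" and re.fullmatch(r'[0-9A-F]+', val) and len(val) % 2 == 0:
            val = bytes.fromhex(val).decode("utf-8", "replace")
        fields[key] = val
    return fields

def event_id(fields):
    # "audit(1461164926.310:333):" -> "1461164926.310:333" (timestamp:serial)
    return re.search(r'audit\((\S+)\)', fields["msg"]).group(1)

def decode_bits(value_hex, table):
    value = int(value_hex, 16)          # audit logs syscall args in hex
    return sorted(name for bit, name in table.items() if value & bit)

def explain(avc_line, syscall_line):
    avc, sc = parse_record(avc_line), parse_record(syscall_line)
    if event_id(avc) != event_id(sc):
        raise ValueError("records belong to different audit events")
    perms = re.search(r'denied \{([^}]*)\}', avc_line).group(1).split()
    info = {"perms": perms, "tclass": avc["tclass"], "path": avc["path"],
            "source_type": avc["scontext"].split(":")[2],
            "target_type": avc["tcontext"].split(":")[2],
            "syscall": sc["syscall"],
            "prot": decode_bits(sc["a2"], PROT_BITS),
            "flags": decode_bits(sc["a3"], MAP_BITS)}
    # The pattern in this report: a writable, shared, anonymous huge-page
    # mapping requested by httpd_t and denied on a hugetlbfs_t inode.
    info["hugepage_mmap"] = (info["syscall"] == "mmap" and "MAP_HUGETLB" in info["flags"]
                             and "PROT_WRITE" in info["prot"]
                             and info["target_type"] == "hugetlbfs_t")
    return info
```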
Tags: No tags attached.
abrt_hash: (not set)
URL: (not set)

Activities

There are no notes attached to this issue.

Issue History

Date Modified Username Field Change
2016-04-20 15:45 anvil New Issue