View Issue Details

ID: 0018333
Project: CentOS-7
Category: selinux-policy
View Status: public
Last Update: 2021-10-21 08:39
Reporter: Jeswin Joseph
Assigned To:
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: closed
Resolution: no change required
OS Version: 7
Summary: 0018333: SELinux is preventing php-fpm from 'name_connect' accesses on the tcp_socket port 21.

Description:

Description of problem:
I just tried to install the fogproject deployment server.

Enabled SELinux as per the installation manual and followed:

yum install firewalld -y
systemctl start firewalld
systemctl enable firewalld
for service in http https tftp ftp mysql nfs mountd rpc-bind proxy-dhcp samba; do firewall-cmd --permanent --zone=public --add-service=$service;
done

echo "Open UDP port 49152 through 65532, the possible used ports for fog multicast"
firewall-cmd --permanent --add-port=49152-65532/udp
echo "Allow IGMP traffic for multicast"
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p igmp -j ACCEPT
systemctl restart firewalld.service
echo "Done."


    Add firewalld exceptions for DHCP and DNS (if you plan to run DHCP on your FOG server):

for service in dhcp dns; do firewall-cmd --permanent --zone=public --add-service=$service; done
firewall-cmd --reload
echo Additional firewalld config done.


    Set SELinux to permissive on boot:

sed -i.bak 's/^SELINUX=enforcing\b.*$/SELINUX=permissive/' /etc/selinux/config


    Set SELinux to permissive on the fly (this is not persistent, the above config must be done to be persistent):

setenforce 0

SELinux is preventing php-fpm from 'name_connect' accesses on the tcp_socket port 21.

***** Plugin catchall_boolean (24.7 confidence) suggests ******************

If you want to allow httpd to can network connect
Then you must tell SELinux about this by enabling the 'httpd_can_network_connect' boolean.

Do
setsebool -P httpd_can_network_connect 1

***** Plugin catchall_boolean (24.7 confidence) suggests ******************

If you want to allow httpd to can network relay
Then you must tell SELinux about this by enabling the 'httpd_can_network_relay' boolean.

Do
setsebool -P httpd_can_network_relay 1

***** Plugin catchall_boolean (24.7 confidence) suggests ******************

If you want to allow httpd to can connect ftp
Then you must tell SELinux about this by enabling the 'httpd_can_connect_ftp' boolean.

Do
setsebool -P httpd_can_connect_ftp 1

***** Plugin catchall_boolean (24.7 confidence) suggests ******************

If you want to allow nis to enabled
Then you must tell SELinux about this by enabling the 'nis_enabled' boolean.

Do
setsebool -P nis_enabled 1

***** Plugin catchall (3.53 confidence) suggests **************************

If you believe that php-fpm should be allowed name_connect access on the port 21 tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'php-fpm' --raw | audit2allow -M my-phpfpm
# semodule -i my-phpfpm.pp

Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:object_r:ftp_port_t:s0
Target Objects port 21 [ tcp_socket ]
Source php-fpm
Source Path php-fpm
Port 21
Host (removed)
Source RPM Packages php-fpm-7.2.34-9.el7.remi.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-268.el7_9.2.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name (removed)
Platform Linux (removed) 3.10.0-1160.45.1.el7.x86_64 #1 SMP Wed Oct 13 17:20:51 UTC 2021 x86_64 x86_64
Alert Count 3
First Seen 2021-10-21 11:52:20 IST
Last Seen 2021-10-21 12:04:59 IST
Local ID e66ff689-aee5-431b-a82b-588a5ed3bd6f

Raw Audit Messages
type=AVC msg=audit(1634798099.776:218): avc: denied { name_connect } for pid=2319 comm="php-fpm" dest=21 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ftp_port_t:s0 tclass=tcp_socket permissive=1


type=SYSCALL msg=audit(1634798099.776:218): arch=x86_64 syscall=connect success=no exit=EINPROGRESS a0=6 a1=7f8d37a6cbd0 a2=10 a3=61710a13 items=0 ppid=2111 pid=2319 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm=php-fpm exe=/usr/sbin/php-fpm subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: php-fpm,httpd_t,ftp_port_t,tcp_socket,name_connect

Version-Release number of selected component:
selinux-policy-3.13.1-268.el7_9.2.noarch
Additional Information:
reporter: libreport-2.1.11.1
hashmarkername: setroubleshoot
kernel: 3.10.0-1160.45.1.el7.x86_64
reproducible: Not sure how to reproduce the problem
type: libreport

Tags: No tags attached.
abrt_hash: eb8ce0e584ddbc276485b73bc10a7d7281553a6051e7f08d6fa060e1405ec126
URL:

Activities

ManuelWolfshant (manager)
2021-10-21 08:39
~0038674

This is a configuration issue on your system, not a bug in CentOS. Please read the SELinux documentation and implement the required changes (especially as most of them are already included in the very message that you have pasted in the bug report). You can also seek help in any of our recommended avenues (fora, mailing list, IRC channel on libera.chat).
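
Worked example, added by the editor and not part of the bug report or of the CentOS or FOG projects. setroubleshoot listed four booleans at the same 24.7 confidence without ranking them by scope, and the raw AVC carries permissive=1, so nothing was actually blocked on this host. The script below parses that AVC line (embedded as sample input) and picks the narrowest change: for httpd_t connecting to ftp_port_t that is httpd_can_connect_ftp, which grants only FTP-port connects, whereas httpd_can_network_connect opens every TCP port. The mapping table in recommend() is the editor's own and only covers the httpd booleans this report mentions.

```shell
#!/bin/sh
# Added triage helper, not from the bug report, CentOS or FOG. It pulls the
# fields out of an AVC record and picks the narrowest SELinux change that
# would grant exactly that access. The table in recommend() is the editor's
# own and only covers the httpd booleans setroubleshoot listed in this report.

# Constructed sample input: the raw AVC line from this report.
SAMPLE_AVC='type=AVC msg=audit(1634798099.776:218): avc: denied { name_connect } for pid=2319 comm="php-fpm" dest=21 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ftp_port_t:s0 tclass=tcp_socket permissive=1'

# avc_field LINE KEY: value of the "KEY=value" token in an AVC line.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[ ]$2=\([^ ]*\).*/\1/p"
}

# ctx_type CONTEXT: the type field of a label,
# e.g. system_u:system_r:httpd_t:s0 -> httpd_t
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_permission LINE: the permission inside "denied { ... }".
avc_permission() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \([^}]*\) }.*/\1/p' | tr -d ' '
}

# was_blocked LINE: "yes" if the kernel refused the access, "no" if it only
# logged it because the domain or the whole system was permissive.
was_blocked() {
    if [ "$(avc_field "$1" permissive)" = "1" ]; then echo no; else echo yes; fi
}

# recommend SRC_TYPE TGT_TYPE CLASS PERM: the narrowest fix for this tuple.
recommend() {
    case "$1:$2:$3:$4" in
        httpd_t:ftp_port_t:tcp_socket:name_connect)
            # Dedicated boolean: only grants httpd_t -> ftp_port_t connects.
            echo httpd_can_connect_ftp ;;
        httpd_t:*_port_t:tcp_socket:name_connect)
            # No dedicated boolean in this table; httpd_can_network_connect opens
            # every TCP port, so a custom port type or a local module is tighter.
            echo httpd_can_network_connect ;;
        *)
            # Anything else: build a local policy module from the audit log.
            echo audit2allow ;;
    esac
}

# triage LINE: "src tgt class perm fix" for one AVC record.
triage() {
    src=$(ctx_type "$(avc_field "$1" scontext)")
    tgt=$(ctx_type "$(avc_field "$1" tcontext)")
    cls=$(avc_field "$1" tclass)
    perm=$(avc_permission "$1")
    printf '%s %s %s %s %s\n' "$src" "$tgt" "$cls" "$perm" \
        "$(recommend "$src" "$tgt" "$cls" "$perm")"
}

# fix_commands FIX COMM: the commands an admin would run for the chosen fix.
fix_commands() {
    case "$1" in
        audit2allow)
            printf 'ausearch -c %s --raw | audit2allow -M local-%s\nsemodule -i local-%s.pp\n' "$2" "$2" "$2" ;;
        *)
            printf 'setsebool -P %s on\ngetsebool %s\n' "$1" "$1" ;;
    esac
}

# Stand-alone run over the sample line.
set -- $(triage "$SAMPLE_AVC")
echo "denial: $1 -> $2 ($3 $4), blocked: $(was_blocked "$SAMPLE_AVC")"
echo "narrowest fix: $5"
fix_commands "$5" "$(avc_field "$SAMPLE_AVC" comm | tr -d '"')"
```

After enabling the boolean, keep SELinux enforcing and confirm the rule it switches on with `sesearch -A -s httpd_t -t ftp_port_t -c tcp_socket -p name_connect` (setools-console), which shows the allow rule conditioned on httpd_can_connect_ftp, then re-run the FTP operation and check that `ausearch -m AVC -ts recent` logs no new denial. Setting SELINUX=permissive as the installation instructions above suggest removes enforcement for every domain on the host, not just for this one connect.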

Issue History

Date Modified Username Field Change
2021-10-21 06:42 Jeswin Joseph New Issue
2021-10-21 08:39 ManuelWolfshant Status new => closed
2021-10-21 08:39 ManuelWolfshant Resolution open => no change required
2021-10-21 08:39 ManuelWolfshant Note Added: 0038674