View Issue Details

ID: 0008741
Project: CentOS-6
Category: selinux-policy
View Status: public
Last Update: 2020-04-10 03:51
Reporter: Renich
Priority: normal
Severity: major
Reproducibility: always
Status: new
Resolution: open
Product Version: 6.6
Target Version:
Fixed in Version:
Summary: 0008741: SELinux is not allowing PHP-FPM's slowlog timeout capability
Description:

If you enable:

slowlog = /var/log/php-fpm/www-slow.log
request_slowlog_timeout = 5s

In /etc/php-fpm.d/www.conf, SELinux will start complaining:

ausearch -i -sv no -ts recent | grep ptrace
type=SYSCALL msg=audit(05/21/2015 21:37:21.028:14259) : arch=x86_64 syscall=ptrace success=no exit=-1(Operation not permitted) a0=PTRACE_ATTACH a1=0x33ea a2=0x0 a3=0x0 items=0 ppid=1 pid=1385 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=php-fpm exe=/usr/sbin/php-fpm subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(05/21/2015 21:37:21.028:14259) : avc: denied { sys_ptrace } for pid=1385 comm=php-fpm capability=sys_ptrace scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability
Steps To Reproduce:

Add:

slowlog = /var/log/php-fpm/www-slow.log
request_slowlog_timeout = 5s

To /etc/php-fpm.d/www.conf and reload/restart the php-fpm service.
Tags: module, php, policy, selinux

Activities

cybernet2u

2020-04-10 03:51

reporter   ~0036673

For those who still haven't figured it out:

httpd_t domain must have sys_ptrace & ptrace capability

example here -> https://bitbucket.org/snippets/cybernet2u/knjpyA
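
Added example, not from the reporter, the commenter or the CentOS project: a small Python triage script for the denial quoted in the description. It pairs the AVC record with its SYSCALL record by audit event id and derives the type enforcement rule the denial corresponds to, written with `self` as audit2allow does when source and target types match. The function names and the trimmed sample are this example's own.

```python
import re

# Records taken from the report above (ausearch -i output), trimmed to the fields used here.
SAMPLE = """\
type=SYSCALL msg=audit(05/21/2015 21:37:21.028:14259) : arch=x86_64 syscall=ptrace success=no exit=-1(Operation not permitted) a0=PTRACE_ATTACH a1=0x33ea ppid=1 pid=1385 comm=php-fpm exe=/usr/sbin/php-fpm subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(05/21/2015 21:37:21.028:14259) : avc: denied { sys_ptrace } for pid=1385 comm=php-fpm capability=sys_ptrace scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability
"""

HEADER = re.compile(r"^type=(\w+) msg=audit\(.*?:(\d+)\) : (.*)$")
PERMS = re.compile(r"denied\s+\{ ([^}]*) \}")
FIELD = re.compile(r"(\w+)=(\S+)")

def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]

def triage(text):
    """Group records by audit event id and summarise each AVC denial."""
    events = {}
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue  # not an interpreted audit record
        rtype, serial, body = m.groups()
        events.setdefault(serial, {})[rtype] = body
    results = []
    for serial, recs in sorted(events.items()):
        if "AVC" not in recs:
            continue
        avc = dict(FIELD.findall(recs["AVC"]))
        perms = PERMS.search(recs["AVC"]).group(1).split()
        sc = dict(FIELD.findall(recs.get("SYSCALL", "")))
        src, tgt = selinux_type(avc["scontext"]), selinux_type(avc["tcontext"])
        target = "self" if src == tgt else tgt
        perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        results.append({
            "event": serial,
            "exe": sc.get("exe"),          # which binary made the call
            "syscall": sc.get("syscall"),  # which syscall was refused
            "request": sc.get("a0"),       # first argument, e.g. PTRACE_ATTACH
            "rule": f"allow {src} {target}:{avc['tclass']} {perm_str};",
        })
    return results

if __name__ == "__main__":
    for r in triage(SAMPLE):
        print(r)
```

The derived rule applies to every process running in `httpd_t`, not only php-fpm, which is worth weighing before loading it as a local module.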

Issue History

Date Modified Username Field Change
2015-05-21 21:39 Renich New Issue
2020-04-10 03:47 cybernet2u Tag Attached: selinux
2020-04-10 03:47 cybernet2u Tag Attached: php
2020-04-10 03:47 cybernet2u Tag Attached: policy
2020-04-10 03:47 cybernet2u Tag Attached: module
2020-04-10 03:51 cybernet2u Note Added: 0036673