Comments (8)
Sorry - 5 years too late 😄
I hope the below helps others who stumble here. It's not so much that php-fpm doesn't have access, but that cachetool isn't running in the same domain as php-fpm. TLDR - you can compile and install an SELinux module to fix.
If you run cachetool from an unconfined domain (such as unconfined_t - which you are in when you SSH or run via Cron) - then when you run cachetool it will run in that domain. In this domain - the file that gets created in /dev/shm is created as user_tmp_t (even though the parent is tmpfs_t - due to the unconfined transition). PHP-FPM running as httpd_t can access that file because the httpd_t domain can access user_tmp_t files. I think all processes can. This is so that interactions between your console and other domains work OK if they need to share temporary files.
However, if you run cachetool from some other context it might be confined. For example, cloud-init is confined to the cloud_init_t domain, and that is where I came across this. From this domain there is no transition from tmpfs_t to user_tmp_t, so it remains as tmpfs_t. And thus PHP-FPM running as httpd_t will be denied access, as it cannot access tmpfs_t. You can see this in the audit logs (/var/log/audit/audit.log usually) by searching for `denied`. Note the target context (`tcontext`) is tmpfs_t.
```
type=AVC msg=audit(1607604349.443:185): avc: denied { getattr } for pid=1387 comm="php-fpm" path="/dev/shm/cachetool-5fd2187d6bec01.03634697.php" dev="tmpfs" ino=27254 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
```
Fix for this is a module like the following. Just substitute the domain with the domain you are calling from. You can get the domain from the above audit entry from the `scontext` (source context).
```
# Module name and version (refpolicy macro; no trailing semicolon)
policy_module(php-cachetool, 1.0.0)

require {
    type cloud_init_t;
    type httpd_t;
    type httpd_exec_t;
}

# When cloud_init_t executes a file labelled httpd_exec_t, transition to httpd_t
domain_auto_trans(cloud_init_t, httpd_exec_t, httpd_t)
# Let the child (httpd_t) signal its parent (cloud_init_t) on exit
allow httpd_t cloud_init_t:process sigchld;
```
Save the above as module-name.te inside a folder called module-name.
You may need to install packages to bring in the tooling (on CentOS it's policycoreutils-python and selinux-policy-devel).
Then compile, and also change your cachetool script to be httpd_exec_t. So when it runs - cachetool runs as httpd_t, and the tmp file it creates will become httpd_tmpfs_t and can be accessed by PHP-FPM.
```bash
cd module-name
# Compile
make -f /usr/share/selinux/devel/Makefile module-name.pp
# Install
semodule -i module-name.pp
# Change cachetool context
chcon -t httpd_exec_t /opt/cachetool.phar
```
(You can add the cachetool label to a file module-name.fc in the same place as the .te file if you Google the format of that file, and the module will include it as a permanent label. Or you can use `semanage fcontext` to add it as a user configuration.)
from cachetool.
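The denial described in the comment above is easy to miss in a busy audit.log. As an added example (not part of the original thread or of cachetool), the following parses AVC records and flags exactly that failure mode: php-fpm in httpd_t blocked on a tmpfs_t file while enforcing. The log lines are constructed; the first mirrors the quoted denial.

```python
import re
from typing import Dict, List

# Constructed sample audit records: an AVC denial like the one quoted above,
# a non-AVC SYSCALL record, and a second AVC logged in permissive mode.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1607604349.443:185): avc: denied { getattr } for pid=1387 comm="php-fpm" path="/dev/shm/cachetool-5fd2187d6bec01.03634697.php" dev="tmpfs" ino=27254 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1607604349.443:185): arch=c000003e syscall=4 success=no exit=-13
type=AVC msg=audit(1607604400.001:190): avc: denied { read } for pid=1390 comm="php-fpm" path="/dev/shm/cachetool-constructed.php" dev="tmpfs" ino=27255 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
"""

# Fields of an AVC record that matter for diagnosing a context mismatch.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+'
    r'tclass=(?P<tclass>\S+)\s+permissive=(?P<permissive>[01])'
)


def context_type(ctx: str) -> str:
    """Return the type field (user:role:TYPE:level) of an SELinux context."""
    return ctx.split(":")[2]


def parse_avc_denials(log: str) -> List[Dict[str, str]]:
    """Extract every AVC denial, adding the bare source and target types."""
    records = []
    for line in log.splitlines():
        match = AVC_RE.search(line)
        if not match:
            continue  # SYSCALL, CWD, PATH and other record types are skipped
        rec = match.groupdict()
        rec["stype"] = context_type(rec["scontext"])
        rec["ttype"] = context_type(rec["tcontext"])
        records.append(rec)
    return records


def cachetool_shm_denials(log: str) -> List[Dict[str, str]]:
    """Enforced denials of httpd_t on a tmpfs_t file: the cachetool symptom."""
    return [r for r in parse_avc_denials(log)
            if r["stype"] == "httpd_t" and r["ttype"] == "tmpfs_t"
            and r["tclass"] == "file" and r["permissive"] == "0"]


if __name__ == "__main__":
    for hit in cachetool_shm_denials(SAMPLE_AUDIT_LOG):
        print(f'{hit["comm"]} ({hit["stype"]}) denied {hit["perms"]} on {hit["ttype"]}')
```

Run it against a real file with `cachetool_shm_denials(open("/var/log/audit/audit.log").read())`; a hit means the temp file was created without the tmpfs_t to user_tmp_t transition, which is the case the module above addresses.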
Permissions on the file are already set to 0666, which should be readable to everyone. Which OS and version are you using?
from cachetool.
Permissions aren't the only concern when using SELinux; security contexts are.
I'm using Fedora 21 with SELinux turned on, but I imagine this could also be replicated with CentOS 7 or Fedora 20.
from cachetool.
I will have a look this weekend
On Fri, 16/01/2015 at 00:22 Johnny Robeson [email protected] wrote:
> Permissions aren't the only concern when using SELinux; security contexts are. I'm using Fedora 21 with SELinux turned on, but I imagine this could also be replicated with CentOS 7 or Fedora 20.
> Reply to this email directly or view it on GitHub: #9 (comment).
from cachetool.
Yeah, I guess without any custom configuration in SELinux, this can't be avoided by cachetool.
from cachetool.
Closing this issue due to inactivity. Have you been able to make it work with SELinux?
from cachetool.
I've set SELinux to permissive for now; I haven't had time to deal with it yet.
from cachetool.
Let me know if you find a fix for it.
On Mon, 2/02/2015 at 20:53 Johnny Robeson [email protected] wrote:
> I've set SELinux to permissive for now; I haven't had time to deal with it yet.
> Reply to this email directly or view it on GitHub: #9 (comment).
from cachetool.