SELinux is preventing php-fpm from using the block_suspend capability

Comments

5 comments

  • Jesús Franco

    This is the kind of careless advice on "security" by Plesk that's making me a more and more unwilling user of it; every week I find myself writing a systemd path unit, a service or, like in this case, a custom policy to patch the misguided configuration imposed by your products.

    Rather than making the php-fpm daemon an unconfined service through the type bin_t, it should be kept in the httpd_t domain. Making the PHP daemon an unconfined service this way bypasses the policies and type enforcement, thus turning it into an insecure service despite having SELinux enabled.

    Instead, a custom policy module should be compiled to give httpd_t just the capability required:

    #================================

    module php-fpm-allow-block-suspend 1.0.0;

    require {
            type httpd_t;
            class capability2 block_suspend;
    }

    #============= httpd_t ==============
    allow httpd_t self:capability2 block_suspend;

  • Robert Asilbekov (Edited)

    @Jesús Thank you for the feedback; I have updated the article according to your recommendations. I would like to draw your attention to the fact that "/usr/sbin/php-fpm" is shipped by the OS vendor, so to fix the issue completely it would be great if you could report the issue to Red Hat/CentOS support.

  • Jesús Franco (Edited)

    That's true; however, the PHP binaries under /opt/plesk are provided by you, and the RPMs tag them as bin_t, making them unconfined services and thus introducing a lot of vulnerabilities even with SELinux enabled.

    A fix with semanage fcontext is still missing from this article.

    You could use the tip I'm giving in the following tweet:

    https://twitter.com/jefrancomix/status/925388504821006336
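The two fixes argued for in this thread, the minimal policy module from the first comment and the semanage fcontext relabelling the comment above says is missing, fit in one script. The following is an added example for this page, not code from the article, from Plesk or from the commenters. It assumes the policycoreutils tools (checkmodule, semodule_package, semodule, semanage, restorecon) are installed and that Plesk's php-fpm binaries live under /opt/plesk/php/<version>/sbin/php-fpm; that path pattern is an assumption and should be checked with `ls -Z` before applying it. Without `--apply` the script only writes the .te source and prints the commands it would run.

```shell
#!/bin/sh
# Added example: confine Plesk-shipped php-fpm in httpd_t and grant only the
# block_suspend capability, instead of running it unconfined as bin_t.
# Paths under /opt/plesk are ASSUMED; verify them with `ls -Z` first.
set -eu

MODULE=php-fpm-allow-block-suspend
WORKDIR=${WORKDIR:-/tmp/$MODULE}

# Execute a command, or only print it when DRY_RUN=1 (default without --apply).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'would run: %s\n' "$*"
    else
        "$@"
    fi
}

# Write the type-enforcement source. The single allow rule is the point:
# httpd_t gets exactly the capability php-fpm was denied, nothing more.
write_te() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/$MODULE.te" <<'EOF'
module php-fpm-allow-block-suspend 1.0.0;

require {
        type httpd_t;
        class capability2 block_suspend;
}

#============= httpd_t ==============
allow httpd_t self:capability2 block_suspend;
EOF
    printf '%s\n' "$dir/$MODULE.te"
}

# Compile the .te into a .mod, package it as a .pp and load it (needs root).
build_and_load() {
    te=$1
    base=${te%.te}
    run checkmodule -M -m -o "$base.mod" "$te"
    run semodule_package -o "$base.pp" -m "$base.mod"
    run semodule -i "$base.pp"
}

# Label the php-fpm binaries httpd_exec_t so the daemon transitions into
# httpd_t when systemd starts it. The regex is an assumed Plesk layout.
label_php_fpm() {
    pattern=${1:-'/opt/plesk/php/[0-9.]+/sbin/php-fpm'}
    run semanage fcontext -a -t httpd_exec_t "$pattern"
    run restorecon -Rv /opt/plesk/php
}

# Entry point: `--apply` as root performs the changes; anything else previews.
main() {
    [ "${1:-}" = --apply ] || DRY_RUN=1
    te=$(write_te "$WORKDIR")
    build_and_load "$te"
    label_php_fpm
}

main "${1:-}"
```

Preview first with `sh fix-php-fpm-selinux.sh`, then run `sh fix-php-fpm-selinux.sh --apply` as root. Afterwards `ps -eZ | grep php-fpm` should show the workers in httpd_t rather than unconfined, and `ausearch -m AVC -ts recent` should no longer report block_suspend denials for php-fpm.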

  • Denis Bykov

    @Jesús Thank you for pointing this out.

    I created a request to Plesk developers based on the provided suggestions. We will update you with results.

  • Denis Bykov

    @Jesús Developers confirmed the bug, and I created an article regarding this issue: PHP-FPM daemon set as an unconfined service in Plesk SELinux policies
