Articles in this section

See more

SELinux is preventing php-fpm from using the block_suspend capability

Avatar
Denis Bykov
Updated
Follow

Applicable to:

  • Plesk for Linux

Symptoms

The following error is found in /var/log/messages :

CONFIG_TEXT: setroubleshoot: SELinux is preventing php-fpm from using the block_suspend capability. For complete SELinux messages run: sealert -l 0818edec-e276-414a-aa2b-29264e537dd5
python: SELinux is preventing php-fpm from using the block_suspend capability.#012#012***** Plugin catchall (100. confidence) suggests **************************#012#012If you believe that php-fpm should have the block_suspend capability by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'php-fpm' --raw | audit2allow -M my-phpfpm#012# semodule -i my-phpfpm.pp#012

/var/log/audit/audit.log contains the following errors:

CONFIG_TEXT: type=AVC msg=audit(1507135047.192:8111): avc: denied
{ block_suspend } for pid=1125 comm="php-fpm" capability=36 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability2
type=AVC msg=audit(1507135065.209:8112): avc: denied { block_suspend }
for pid=1125 comm="php-fpm" capability=36 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability2
type=AVC msg=audit(1507135065.209:8113): avc: denied
{ block_suspend }
for pid=1125 comm="php-fpm" capability=36 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capabilit

SELinux context on /usr/sbin/php-fpm file is:

CONFIG_TEXT: system_u:object_r:httpd_exec_t:s0 /usr/sbin/php-fpm

Cause

New SELinux system policy was installed, bringing new contexts for system php-fpm (PHP by OS vendor).
"block_suspend" is the ability to prevent system suspends (see Object Classes and Permissions ). Such messages cannot negatively impact a server that is up constantly anyway.

Resolution

  1. Connect to the server via SSH .

  2. Make sure that tools required to built modules are installed:

    # yum install checkpolicy policycoreutils policycoreutils-python

  3. Create php-fpm-allow-block-suspend.te file with the following content:

    CONFIG_TEXT: #================================

    module php-fpm-allow-block-suspend 1.0.0;

    require {
    type httpd_t;
    class capability2 block_suspend;
    }

    #============= httpd_t ==============

    allow httpd_t self:capability2 block_suspend;

  4. Compile and install SELinux policy module:

    # checkmodule -M -m -o php-fpm-allow-block-suspend.mod php-fpm-allow-block-suspend.te
    # semodule_package -o php-fpm-allow-block-suspend.pp -m php-fpm-allow-block-suspend.mod
    # semodule -i php-fpm-allow-block-suspend.pp

Additional Information

PHP-FPM daemon set as an unconfined service in Plesk SELinux policies

Comments

5 comments

Sort by Date Votes
  • Avatar
    Jesús Franco

    This is the kind of careless advice on "security" by plesk that's making me more and more unwilling user of it, every week I find myself writing a systemd path unit, service or like in this case, a custom policy to patch the misguided configuration imposed for your products.

    Rather than making php-fpm daemon an unconfined service through the type bin_t, it should be kept in httpd_t domain. Making this way the PHP daemon an unconfined service bypasses the policies and type enforcement, thus turning it into an insecure service despite the fact having SELinux enabled.

    Instead, a custom policy module should be compiled to give httpd_t just the capability required:

    #================================

    module php-fpm-allow-block-suspend 1.0.0;

    require {
            type httpd_t;
            class capability2 block_suspend;
    }

    #============= httpd_t ==============
    allow httpd_t self:capability2 block_suspend;

     

    1
    Permalink
  • Avatar
    Robert Asilbekov (Edited )

    @Jesús Thank you for the feedback, I have updated the article according to your recommendations. I would like to draw your attention to the fact that "/usr/sbin/php-fpm" is shipped by OS vendor, so to fix the issue completely it would be great if you could report the issue to RedHat/CentOS support.

    0
    Permalink
  • Avatar
    Jesús Franco (Edited )

    That's true, however the php binaries under /opt/plesk are provided for you. And the RPMs tag them as bin_t making it unconfined services then introducing lot of vulnerabilities even with SELinux enabled.

    A fix with semanage fcontext is still missing from this article.

    You could use the tip I'm giving in my following tweet:

    https://twitter.com/jefrancomix/status/925388504821006336

    0
    Permalink
  • Avatar
    Denis Bykov

    @Jesús Thank you for pointing this out.

    I created a request to Plesk developers based on the provided suggestions. We will update you with results.

    0
    Permalink
  • Avatar
    Denis Bykov

    @Jesús Developers confirmed the bug, and I created an article regarding this issue: PHP-FPM daemon set as an unconfined service in Plesk SELinux policies

    0
    Permalink

Please sign in to leave a comment.

Have more questions? Submit a request

Related articles