Applicable to:
- Plesk for Linux
Symptoms
The following error is found in /var/log/messages:
CONFIG_TEXT: setroubleshoot: SELinux is preventing php-fpm from using the block_suspend capability. For complete SELinux messages run: sealert -l 0818edec-e276-414a-aa2b-29264e537dd5
python: SELinux is preventing php-fpm from using the block_suspend capability.#012#012***** Plugin catchall (100. confidence) suggests **************************#012#012If you believe that php-fpm should have the block_suspend capability by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'php-fpm' --raw | audit2allow -M my-phpfpm#012# semodule -i my-phpfpm.pp#012
/var/log/audit/audit.log contains the following errors:
CONFIG_TEXT: type=AVC msg=audit(1507135047.192:8111): avc: denied { block_suspend } for pid=1125 comm="php-fpm" capability=36 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability2
type=AVC msg=audit(1507135065.209:8112): avc: denied { block_suspend } for pid=1125 comm="php-fpm" capability=36 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability2
type=AVC msg=audit(1507135065.209:8113): avc: denied { block_suspend } for pid=1125 comm="php-fpm" capability=36 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capabilit
The SELinux context of the /usr/sbin/php-fpm file is:
CONFIG_TEXT: system_u:object_r:httpd_exec_t:s0 /usr/sbin/php-fpm
Cause
A new SELinux system policy was installed, bringing new contexts for the OS vendor's php-fpm (system PHP).
"block_suspend" is the CAP_BLOCK_SUSPEND capability (number 36, which is why it is reported in the capability2 class, the one that covers capabilities 32 and above): the ability to keep the system from suspending (see Object Classes and Permissions). php-fpm attempted an operation that requires it, the httpd_t domain is not granted it, and the kernel logs the denial. On a server that never suspends, the denied operation has no practical effect, so these messages are noise rather than a malfunction.
Resolution
- Connect to the server via SSH.
- Make sure that the tools required to build policy modules are installed:
# yum install checkpolicy policycoreutils policycoreutils-python
- Create a php-fpm-allow-block-suspend.te file with the following content. It grants the httpd_t domain only the single capability that was denied, which keeps php-fpm confined instead of making it an unconfined service:
CONFIG_TEXT: #================================
module php-fpm-allow-block-suspend 1.0.0;
require {
    type httpd_t;
    class capability2 block_suspend;
}
#============= httpd_t ==============
allow httpd_t self:capability2 block_suspend;
- Compile and install the SELinux policy module:
# checkmodule -M -m -o php-fpm-allow-block-suspend.mod php-fpm-allow-block-suspend.te
# semodule_package -o php-fpm-allow-block-suspend.pp -m php-fpm-allow-block-suspend.mod
# semodule -i php-fpm-allow-block-suspend.pp
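The procedure above as one script, added here as an example; it is not code from the Plesk article or from Plesk. It reads the raw AVC records for php-fpm, generates the smallest .te that permits exactly the denied operations, prints it for review, and only then compiles and loads it, so you see what you are allowing instead of loading whatever audit2allow produces. The module name and the php-fpm comm are the article's; the function names, the --apply switch and the sample audit lines are constructed for this example. Without --apply it runs offline against the constructed sample and only prints the policy. The awk extraction is general: it also handles denials with several permissions and a target type different from the source.

```shell
#!/bin/sh
# Added example, not from the Plesk article: build the smallest policy module
# that permits exactly the AVC denials recorded for one process, after showing
# it for review. Module name and the php-fpm comm are the article's; the
# function names, the --apply switch and SAMPLE_AUDIT are constructed here.

# Constructed sample audit.log records (modelled on the article's; not a real
# capture). The third record belongs to another process and must be ignored.
SAMPLE_AUDIT='type=AVC msg=audit(1507135047.192:8111): avc:  denied  { block_suspend } for  pid=1125 comm="php-fpm" capability=36 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability2 permissive=0
type=AVC msg=audit(1507135065.209:8112): avc:  denied  { block_suspend } for  pid=1125 comm="php-fpm" capability=36 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability2 permissive=0
type=AVC msg=audit(1507135099.000:8150): avc:  denied  { name_connect } for  pid=1300 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=0'

# te_from_avc MODULE COMM
# Reads raw AVC records on stdin and writes a .te on stdout that allows only
# the (source type, target type, class, permissions) tuples seen for COMM.
# A target equal to the source is written as "self", several permissions are
# grouped in braces, and duplicate records collapse into one rule.
te_from_avc() {
    awk -v mod="$1" -v comm="comm=\"$2\"" '
    $1 == "type=AVC" && index($0, comm) {
        perm = $0; sub(/.*\{ */, "", perm); sub(/ *\}.*/, "", perm)
        s = $0; sub(/.*scontext=[^:]*:[^:]*:/, "", s); sub(/:.*/, "", s)
        t = $0; sub(/.*tcontext=[^:]*:[^:]*:/, "", t); sub(/:.*/, "", t)
        c = $0; sub(/.*tclass=/, "", c); sub(/ .*/, "", c)
        if (!(s in seen_t)) { seen_t[s] = 1; types[++nt] = s }
        if (!(t in seen_t)) { seen_t[t] = 1; types[++nt] = t }
        if (!(c in seen_c)) { seen_c[c] = 1; classes[++nc] = c }
        n = split(perm, pa, " ")
        for (j = 1; j <= n; j++)
            if (!((c, pa[j]) in seen_p)) { seen_p[c, pa[j]] = 1; perms[c] = perms[c] " " pa[j] }
        rule = "allow " s " " (s == t ? "self" : t) ":" c " " (n > 1 ? "{ " perm " }" : perm) ";"
        if (!(rule in seen_r)) { seen_r[rule] = 1; rules[++nr] = rule }
    }
    END {
        printf "module %s 1.0.0;\n\nrequire {\n", mod
        for (i = 1; i <= nt; i++) printf "\ttype %s;\n", types[i]
        for (i = 1; i <= nc; i++) printf "\tclass %s {%s };\n", classes[i], perms[classes[i]]
        printf "}\n\n"
        for (i = 1; i <= nr; i++) print rules[i]
    }'
}

# build_module NAME  (NAME.te must exist in the current directory)
# The same three commands the article runs by hand.
build_module() {
    checkmodule -M -m -o "$1.mod" "$1.te" &&
    semodule_package -o "$1.pp" -m "$1.mod" &&
    semodule -i "$1.pp"
}

MODULE=php-fpm-allow-block-suspend
COMM=php-fpm

if [ "${1:-}" = "--apply" ]; then
    # Live run as root: pull the recorded denials, show the policy, load it,
    # then confirm the module is present.
    work=$(mktemp -d) || exit 1
    ausearch -m AVC -c "$COMM" --raw | te_from_avc "$MODULE" "$COMM" > "$work/$MODULE.te"
    grep -q '^allow ' "$work/$MODULE.te" || { echo "no AVC denials for $COMM found" >&2; exit 1; }
    cat "$work/$MODULE.te"
    (cd "$work" && build_module "$MODULE") || exit 1
    semodule -l | grep -q "^$MODULE" && echo "$MODULE is loaded"
else
    # Dry run: no SELinux tools needed, just print what would be built.
    printf '%s\n' "$SAMPLE_AUDIT" | te_from_avc "$MODULE" "$COMM"
fi
```

Run it once without arguments to see the generated policy, and with --apply (as root, with the tools from the second step installed) to load it. After loading, a fresh `ausearch -m AVC -c php-fpm -ts recent` should return no new block_suspend denials; if other denials appear for httpd_t, review them the same way rather than widening the module blindly.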
Additional Information
PHP-FPM daemon set as an unconfined service in Plesk SELinux policies
Comments
5 comments
This is the kind of careless advice on "security" by Plesk that's making me a more and more unwilling user of it; every week I find myself writing a systemd path unit, a service or, like in this case, a custom policy to patch the misguided configuration imposed by your products.
Rather than making the php-fpm daemon an unconfined service through the type bin_t, it should be kept in the httpd_t domain. Making the PHP daemon an unconfined service this way bypasses the policies and type enforcement, thus turning it into an insecure service despite SELinux being enabled.
Instead, a custom policy module should be compiled to give httpd_t just the capability required:
#================================
module php-fpm-allow-block-suspend 1.0.0;
require {
type httpd_t;
class capability2 block_suspend;
}
#============= httpd_t ==============
allow httpd_t self:capability2 block_suspend;
@Jesús Thank you for the feedback, I have updated the article according to your recommendations. I would like to draw your attention to the fact that "/usr/sbin/php-fpm" is shipped by OS vendor, so to fix the issue completely it would be great if you could report the issue to RedHat/CentOS support.
That's true; however, the PHP binaries under /opt/plesk are provided for you. And the RPMs tag them as bin_t, making them unconfined services and thus introducing a lot of vulnerabilities even with SELinux enabled.
A fix with semanage fcontext is still missing from this article.
You could use the tip I'm giving in my following tweet:
https://twitter.com/jefrancomix/status/925388504821006336
@Jesús Thank you for pointing this out.
I created a request to Plesk developers based on the provided suggestions. We will update you with results.
@Jesús Developers confirmed the bug, and I created an article regarding this issue: PHP-FPM daemon set as an unconfined service in Plesk SELinux policies