Wednesday, November 19, 2014

SELinux on CentOS6

24 August 2013
On a system with SELinux enabled (Enforced mode), you might encounter security issues when using PHP Sessions with the default PHP-COMMON and PHP-FPM configurations. By default, sessions will be stored in /var/lib/php/sessions.
If SELinux denies writing in the sessions directory, error messages should be displayed in the /var/log/security file.
The setting is stored in two files: /etc/php.ini
session.save_path = "/var/lib/php/session"
and /etc/php-fpm.d/www.conf (or so)
php_value[session.save_path] = /tmp/php-fpm-sessions
If you think it is a good idea to store sessions in this directory, you might have to create an SELinux policy to allow the user running your PHP code (httpd or apache for most setups).
The audit2allow utility will ease your task but you might have to install it.
$ sudo yum install policycoreutils-python
For those you wonder how to find package containing a command or utility on YUM based distribution, here you go...
$ sudo yum provides "*/audit2allow"
Now that the tool is installed, you can run the following command as root:
# grep php-fpm /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypo.pp

No comments:

Post a Comment