I am running WordPress on Rocky Linux 9 and need optipng for some image transformation tasks, but it is being blocked:
SELinux is preventing /usr/sbin/php-fpm from execute access on the file optipng.
***** Plugin catchall_boolean (89.3 confidence) suggests ******************
If you want to allow httpd to unified
Then you must tell SELinux about this by enabling the 'httpd_unified' boolean.
Do
setsebool -P httpd_unified 1
***** Plugin catchall (11.6 confidence) suggests **************************
If you believe that php-fpm should be allowed execute access on the optipng file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'php-fpm' --raw | audit2allow -M my-phpfpm
# semodule -X 300 -i my-phpfpm.pp
Correct me if I am wrong, but I want to avoid doing something like setsebool -P httpd_unified 1, because my understanding is that it will grant pretty broad permissions and will let php-fpm execute any file labeled with httpd_sys_rw_content_t.
Also, when I run ausearch -c 'php-fpm' --raw | audit2allow -M my-phpfpm
it creates a policy that would have the same broad effect:
module my-phpfpm 1.0;
require {
type httpd_sys_rw_content_t;
type httpd_t;
class file execute;
}
#============= httpd_t ==============
#!!!! This avc can be allowed using the boolean 'httpd_unified'
allow httpd_t httpd_sys_rw_content_t:file execute;
This brings me to my question: how can I safely and securely let php-fpm execute /usr/bin/optipng?
Maybe the best way is to just do setsebool -P httpd_unified 1, or maybe I need to create a new type for optipng, like semanage fcontext -a -t my_optipng_exec_t '/usr/bin/optipng', and allow php-fpm to execute that specific type with a custom policy. I tried this but I can't get it to work.
Please let me know your suggestions.
Thank you.
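A least-privilege alternative to the httpd_unified boolean, added here as an example and not taken from the post: it labels the binary with a dedicated executable type and allows httpd_t to execute only that type. It assumes Rocky Linux 9 with selinux-policy-devel installed (for the refpolicy Makefile) and that the file to execute is the packaged /usr/bin/optipng; the module name my_optipng and the type my_optipng_exec_t are made-up names.

```shell
#!/bin/sh
# Added example, not from the original post: give the optipng binary its own
# executable type and allow httpd_t (php-fpm) to execute only that type,
# instead of the broad httpd_unified boolean. Assumes Rocky Linux 9 with
# selinux-policy-devel installed; MODULE and the type name are made-up names.
set -eu
MODULE=my_optipng
BINARY=/usr/bin/optipng

# Type enforcement source for the module.
write_te() {
    cat <<EOF
policy_module(${MODULE}, 1.0.0)

require {
    type httpd_t;
}

# Dedicated executable type. httpd_t gets no write permission on it, so the
# web application cannot replace the one binary it is allowed to run.
type my_optipng_exec_t;
application_executable_file(my_optipng_exec_t)

# Read/execute/execute_no_trans on that one type only, no domain transition.
can_exec(httpd_t, my_optipng_exec_t)
EOF
}

# File context entry: label only the optipng binary with the new type.
write_fc() {
    printf '%s\t--\tgen_context(system_u:object_r:my_optipng_exec_t,s0)\n' "$BINARY"
}

# Build, install and apply; needs root and the refpolicy devel Makefile.
install_module() {
    workdir=$(mktemp -d)
    write_te > "$workdir/${MODULE}.te"
    write_fc > "$workdir/${MODULE}.fc"
    (cd "$workdir" && make -f /usr/share/selinux/devel/Makefile "${MODULE}.pp")
    semodule -i "$workdir/${MODULE}.pp"
    restorecon -v "$BINARY"
    # Check the label and the resulting rule (sesearch is in setools-console).
    ls -Z "$BINARY"
    sesearch -A -s httpd_t -t my_optipng_exec_t -c file
}

# Only change the system when asked explicitly: sh this_script.sh install
if [ "${1:-}" = "install" ]; then
    install_module
fi
```

If ls -laZ shows that the denied file is not /usr/bin/optipng but a copy under the web root labeled httpd_sys_rw_content_t, that copy is what would need the dedicated label; letting php-fpm execute a file it can also write is exactly the exposure the boolean would open.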
ls -laZ /usr/bin/optipng
to your question please? And same for the related lines if you do tail -f -n 5 /var/log/audit/audit.log | grep avc and then run your code again?