24 August 2013

On a system with SELinux enabled (enforcing mode), you might encounter security issues when using PHP sessions with the default php-common and php-fpm configurations. By default, sessions will be stored in /var/lib/php/sessions.

If SELinux denies writing in the sessions directory, error messages should be logged in the /var/log/security file.

The setting is stored in two files: /etc/php.ini

session.save_path = "/var/lib/php/session"

and /etc/php-fpm.d/www.conf (or similar)

php_value[session.save_path] = /tmp/php-fpm-sessions

If you think it is a good idea to store sessions in this directory, you might have to create an SELinux policy that allows the user running your PHP code (httpd or apache for most setups) to write to it.

The audit2allow utility will ease your task, but you might have to install it.

$ sudo yum install policycoreutils-python

For those who wonder how to find the package containing a command or utility on a YUM-based distribution, here you go…

$ sudo yum provides "*/audit2allow"

Now that the tool is installed, you can run the following commands as root:

# grep php-fpm /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol
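
Every audit record matched by the grep above becomes an allow rule in mypol, so it is worth seeing which denials are in scope before loading the module. The script below is an added example, not part of the original post; the log lines are constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: review php-fpm AVC denials before turning them into a module.

# Constructed sample records in audit.log format (not from a real host).
sample_log() {
cat <<'EOF'
type=AVC msg=audit(1377331200.101:501): avc:  denied  { write } for  pid=2101 comm="php-fpm" name="php-fpm-sessions" dev=dm-0 ino=4411 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1377331200.102:502): avc:  denied  { write } for  pid=2101 comm="php-fpm" name="php-fpm-sessions" dev=dm-0 ino=4411 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=dir
type=AVC msg=audit(1377331201.200:503): avc:  denied  { create } for  pid=2101 comm="php-fpm" name="sess_abc" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
type=AVC msg=audit(1377331202.300:504): avc:  denied  { read } for  pid=3000 comm="sshd" name="shadow" scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=SYSCALL msg=audit(1377331200.101:501): arch=c000003e syscall=83 success=no comm="php-fpm" exe="/usr/sbin/php-fpm"
EOF
}

# Print "count source_type target_type class perms" per distinct php-fpm denial.
summarize_denials() {
    awk '
    # Return the text after "key=" in the current record, or "" if absent.
    function value(key,   i) {
        for (i = 1; i <= NF; i++)
            if (index($i, key "=") == 1) return substr($i, length(key) + 2)
        return ""
    }
    # SELinux contexts are user:role:type:level; the type is what rules name.
    function ctx_type(ctx,   p) { split(ctx, p, ":"); return p[3] }

    /^type=AVC / && / denied / && /comm="php-fpm"/ {
        perms = $0
        sub(/^[^{]*[{] /, "", perms)   # drop everything up to "{ "
        sub(/ [}].*$/, "", perms)      # drop " }" and the rest
        key = ctx_type(value("scontext")) " " ctx_type(value("tcontext"))
        key = key " " value("tclass") " " perms
        seen[key]++
    }
    END { for (k in seen) print seen[k], k }
    ' | LC_ALL=C sort
}

sample_log | summarize_denials
```

On a real system, run `summarize_denials < /var/log/audit/audit.log`. audit2allow -M also writes the generated rules to mypol.te, which can be read before running semodule -i.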

Look at this article for more information on this topic.
