zishuo/frankenphp
1
0
Fork 0
mirror of https://github.com/dunglas/frankenphp.git synced 2025-12-24 13:38:11 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
main
frankenphp/package/rhel
History
Marc 7fceb32f7b give /var/lib/frankenphp sys_rw_content_t permissions for mercure.db files (#2037) 
The current configuration is not able to start FrankenPHP when mercure
and SELinux are used with a Caddyfile like this:

```Caddyfile
mercure {
    transport bolt {
        path mercure.db
    }
}
```

closes https://github.com/php/frankenphp/issues/2035

Exact error:
```
SELinux is preventing /usr/bin/frankenphp from map access on the file /var/lib/frankenphp/mercure.db.

*****  Plugin catchall_boolean (89.3 confidence) suggests   ******************

If you want to allow domain to can mmap files
Then you must tell SELinux about this by enabling the 'domain_can_mmap_files' boolean.

Do
setsebool -P domain_can_mmap_files 1

*****  Plugin catchall (11.6 confidence) suggests   **************************

If you believe that frankenphp should be allowed map access on the mercure.db file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'frankenphp' --raw | audit2allow -M my-frankenphp
# semodule -X 300 -i my-frankenphp.pp


Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                system_u:object_r:httpd_var_lib_t:s0
Target Objects                /var/lib/frankenphp/mercure.db [ file ]
Source                        frankenphp
Source Path                   /usr/bin/frankenphp
Port                          <Unknown>
Host                          localhost
Source RPM Packages           frankenphp-1.10.0_84-1.x86_64
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-3.14.3-139.el8_10.1.noarch
Local Policy RPM              selinux-policy-targeted-3.14.3-139.el8_10.1.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost
Platform                      Linux localhost
                              4.18.0-553.81.1.el8_10.x86_64 #1 SMP Mon Oct 27
                              11:29:19 EDT 2025 x86_64 x86_64
Alert Count                   12
First Seen                    2025-10-29 17:25:26 CET
Last Seen                     2025-11-25 17:18:19 CET
Local ID                      c4e79504-117e-4e9f-ad8c-f0bcc4856697

Raw Audit Messages
type=AVC msg=audit(1764087499.320:475517): avc:  denied  { map } for  pid=322613 comm="frankenphp" path="/var/lib/frankenphp/mercure.db" dev="md3" ino=93716492 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_var_lib_t:s0 tclass=file permissive=0


type=SYSCALL msg=audit(1764087499.320:475517): arch=x86_64 syscall=mmap success=no exit=EACCES a0=0 a1=8000 a2=1 a3=1 items=0 ppid=1 pid=322613 auid=4294967295 uid=991 gid=988 euid=991 suid=991 fsuid=991 egid=988 sgid=988 fsgid=988 tty=(none) ses=4294967295 comm=frankenphp exe=/usr/bin/frankenphp subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: frankenphp,httpd_t,httpd_var_lib_t,file,map
```
2025-11-28 11:11:28 +01:00
..
frankenphp.service
fix: add WorkingDirectory to ReadHat service file to make mercure.db files work without absolute paths (#1835)
2025-08-26 16:39:02 +02:00
postinstall.sh
give /var/lib/frankenphp sys_rw_content_t permissions for mercure.db files (#2037)
2025-11-28 11:11:28 +01:00
postuninstall.sh
give /var/lib/frankenphp sys_rw_content_t permissions for mercure.db files (#2037)
2025-11-28 11:11:28 +01:00
preinstall.sh
ci: build .rpm and .deb packages (#1497)
2025-05-14 07:33:05 +02:00
preuninstall.sh
ci: build .rpm and .deb packages (#1497)
2025-05-14 07:33:05 +02:00