Cannot access PHP/C++ shared memory over the web
I am sharing some m开发者_开发百科emory between C++ and PHP
At the PHP end I have:
$inputshm_id = shmop_open($shid, "w", 0777, 1024);
Where shid is an identifier I created with ftok.
This all works fine when I run this PHP script logged in as root on the server but when I try to run it remotely over the web I get:
Warning: shmop_open() [function.shmop-open]: unable to attach or create shared memory segment in /var/www/html/prof/phpsm.php on line 6
...where line 6 is the line I've shown above.
Since it all runs fine when I run it from the server as root I'm assuming something somewhere is preventing web user requests from connecting to the shared memory.
Does anyone know what could be causing this?
Thanks
The issue is that SELinux is blocking the shm access (you can verify by running setenforce 0
, testing, and running setenforce 1
after), but I don't know a good way of solving it other than modifying the policy or switching to mmap.
Just to add to the accepted answer, I needed to keep SELinux in enforcing mode, so I ended up doing the following to allow access to shared memory operations in PHP:
- put selinux in permissive mode
- put selinux in "don't block" mode: semodule -DB (this was important, because the shmop operations were not by default logged)
- cleared out /var/log/audit/audit.log
- executed the offending script with shared memory operations
- generated an selinux module: audit2allow -a -M audit.log
- installed module: semodule -i audit.log.pp
I did end up going through a couple iterations of this to get it right, but my final policy on CentOS 6 was:
module audit.log 1.0;
require {
type unconfined_t;
type httpd_t;
type audisp_t;
type auditd_t;
type user_tmpfs_t;
class process { siginh noatsecure rlimitinh };
class shm { associate unix_read getattr read };
class file { read };
}
allow auditd_t audisp_t:process { siginh rlimitinh noatsecure };
allow httpd_t unconfined_t:shm { associate unix_read getattr read };
allow httpd_t user_tmpfs_t:file read;
精彩评论