I am sharing some memory between C++ and PHP.
At the PHP end I have:
$inputshm_id = shmop_open($shid, "w", 0777, 1024);
Where shid is an identifier I created with ftok.
This all works fine when I run this PHP script logged in as root on the server but when I try to run it remotely over the web I get:
Warning: shmop_open() [function.shmop-open]: unable to attach or create shared memory segment in /var/www/html/prof/phpsm.php on line 6
...where line 6 is the line I've shown above.
Since it all runs fine when I run it from the server as root I'm assuming something somewhere is preventing web user requests from connecting to the shared memory.
Does anyone know what could be causing this?
Thanks
The issue is that SELinux is blocking the shm access (you can verify by running setenforce 0, testing, and running setenforce 1 after), but I don't know a good way of solving it other than modifying the policy or switching to mmap.
Just to add to the accepted answer, I needed to keep SELinux in enforcing mode, so I ended up doing the following to allow access to shared memory operations in PHP:
- put selinux in permissive mode
- put selinux in "don't block" mode: semodule -DB (this was important, because the shmop operations were not by default logged)
- cleared out /var/log/audit/audit.log
- executed the offending script with shared memory operations
- generated an selinux module: audit2allow -a -M audit.log
- installed module: semodule -i audit.log.pp
I did end up going through a couple iterations of this to get it right, but my final policy on CentOS 6 was:
module audit.log 1.0;
require {
    type unconfined_t;
    type httpd_t;
    type audisp_t;
    type auditd_t;
    type user_tmpfs_t;
    class process { siginh noatsecure rlimitinh };
    class shm { associate unix_read getattr read };
    class file { read };
}
allow auditd_t audisp_t:process { siginh rlimitinh noatsecure };
allow httpd_t unconfined_t:shm { associate unix_read getattr read };
allow httpd_t user_tmpfs_t:file read;
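As an added example (not part of either answer above): a Python script that reads AVC records in audit.log format and separates the httpd_t shared-memory denials from the other denials that audit2allow -a would also turn into allow rules once dontaudit rules are disabled. The sample log lines are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample records in audit.log AVC format (not taken from the page).
SAMPLE_LOG = """\
type=AVC msg=audit(1400000000.101:310): avc:  denied  { associate } for  pid=2101 comm="httpd" key=16908289 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=shm
type=AVC msg=audit(1400000000.102:311): avc:  denied  { unix_read read } for  pid=2101 comm="httpd" key=16908289 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=shm
type=AVC msg=audit(1400000000.200:312): avc:  denied  { siginh } for  pid=2150 comm="audispd" scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:system_r:audisp_t:s0 tclass=process
type=SYSCALL msg=audit(1400000000.102:311): arch=c000003e syscall=29 success=no exit=-13 comm="httpd"
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]

def collect_denials(log_text):
    """Group denied permissions by (source type, target type, class)."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        if not line.startswith("type=AVC"):
            continue  # skip SYSCALL and other record types
        m = AVC_RE.search(line)
        if m is None:
            continue  # malformed or non-denial AVC record
        key = (selinux_type(m["scon"]), selinux_type(m["tcon"]), m["tclass"])
        denials[key].update(m["perms"].split())
    return denials

def split_rules(denials, source="httpd_t", tclass="shm"):
    """Return (wanted, other) allow rules; only `wanted` matches the scope."""
    wanted, other = [], []
    for (src, tgt, cls), perms in sorted(denials.items()):
        rule = f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        (wanted if (src, cls) == (source, tclass) else other).append(rule)
    return wanted, other

if __name__ == "__main__":
    wanted, other = split_rules(collect_denials(SAMPLE_LOG))
    print("In scope:", *wanted, sep="\n  ")
    print("Review before allowing:", *other, sep="\n  ")
```

Rules in the second list come from domains other than httpd_t and can be left out of the module if the web application works without them.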