give /var/lib/frankenphp sys_rw_content_t permissions for mercure.db files

[henderkes]

The current configuration is not able to start FrankenPHP when mercure and SELinux are used with a Caddyfile like this:

mercure {
    transport bolt {
        path mercure.db
    }
}

closes #2035

Exact error:

SELinux is preventing /usr/bin/frankenphp from map access on the file /var/lib/frankenphp/mercure.db.

*****  Plugin catchall_boolean (89.3 confidence) suggests   ******************

If you want to allow domain to can mmap files
Then you must tell SELinux about this by enabling the 'domain_can_mmap_files' boolean.

Do
setsebool -P domain_can_mmap_files 1

*****  Plugin catchall (11.6 confidence) suggests   **************************

If you believe that frankenphp should be allowed map access on the mercure.db file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'frankenphp' --raw | audit2allow -M my-frankenphp
# semodule -X 300 -i my-frankenphp.pp


Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                system_u:object_r:httpd_var_lib_t:s0
Target Objects                /var/lib/frankenphp/mercure.db [ file ]
Source                        frankenphp
Source Path                   /usr/bin/frankenphp
Port                          <Unknown>
Host                          localhost
Source RPM Packages           frankenphp-1.10.0_84-1.x86_64
Target RPM Packages
SELinux Policy RPM            selinux-policy-targeted-3.14.3-139.el8_10.1.noarch
Local Policy RPM              selinux-policy-targeted-3.14.3-139.el8_10.1.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost
Platform                      Linux localhost
                              4.18.0-553.81.1.el8_10.x86_64 #1 SMP Mon Oct 27
                              11:29:19 EDT 2025 x86_64 x86_64
Alert Count                   12
First Seen                    2025-10-29 17:25:26 CET
Last Seen                     2025-11-25 17:18:19 CET
Local ID                      c4e79504-117e-4e9f-ad8c-f0bcc4856697

Raw Audit Messages
type=AVC msg=audit(1764087499.320:475517): avc:  denied  { map } for  pid=322613 comm="frankenphp" path="/var/lib/frankenphp/mercure.db" dev="md3" ino=93716492 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_var_lib_t:s0 tclass=file permissive=0


type=SYSCALL msg=audit(1764087499.320:475517): arch=x86_64 syscall=mmap success=no exit=EACCES a0=0 a1=8000 a2=1 a3=1 items=0 ppid=1 pid=322613 auid=4294967295 uid=991 gid=988 euid=991 suid=991 fsuid=991 egid=988 sgid=988 fsgid=988 tty=(none) ses=4294967295 comm=frankenphp exe=/usr/bin/frankenphp subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: frankenphp,httpd_t,httpd_var_lib_t,file,map

[dunglas]

@henderkes will this change help? dunglas/mercure#1139

By default, the Bolt file will be created in Caddy's data dir.

[henderkes]

What is caddy's data dir and what selinux file contexts are set on that directory?

Caddy's home dir is /var/lib/caddy, frankenphp's therefore /var/lib/frankenphp.

[henderkes]

Looking at the source code, this would refer to ~/.config/caddy, which for frankenphp is /home/frankenphp/.config/caddy. That would almost inevitably cause crashes with Debian too, because our systemd service file uses ProtectHome=yes and I'm 99.99% sure that .config does not have httpd_sys_rw_content_t so SELinux would complain on top.

[henderkes]

Actually I think

https://github.com/caddyserver/caddy/blob/master/storage.go#L57

would return "" with ProtectHome=yes which then becomes the working directory, which is /var/lib/frankenphp.

Adding .local/caddy/share to that would essentially cause the same issue again because the context is var_lib_t, which is correct for caddy (certificate trust is managed by caddy itself, not by incoming requests), but the .db fikes are written to with a httpd request context.