Problems running wkhtmltopdf inside apache under selinux

Doug Poulin
Doug Poulin used Ask the Experts™
on
I'm running a Red hat webserver with selinux.  We use wkhtmltopdf-amd64 to convert html files (custom generated reports) into pdf and then display them for the users.  
It all works, except that I get a lot of errors recorded in the messages log.  Running sealert returns the following information on one such occurrence. We have wkhtmltopdf-i386 linked to the -amd64 version only because our previous server required a different version of the program.  So when you see -i38 it's the same application.

SELinux is preventing wkhtmltopdf-i38 from read access on the file /etc/printcap.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that wkhtmltopdf-i38 should be allowed read access on the printcap file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'wkhtmltopdf-i38' --raw | audit2allow -M my-wkhtmltopdfi38
# semodule -i my-wkhtmltopdfi38.pp


Additional Information:
Source Context                system_u:system_r:httpd_sys_script_t:s0
Target Context                system_u:object_r:cupsd_rw_etc_t:s0
Target Objects                /etc/printcap [ file ]
Source                        wkhtmltopdf-i38
Source Path                   wkhtmltopdf-i38
Port                          <Unknown>
Host                          swan1
Source RPM Packages          
Target RPM Packages           setup-2.8.71-7.el7.noarch
Policy RPM                    selinux-policy-3.13.1-102.el7_3.16.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     swan1.medinet.ca
Platform                      Linux swan1.medinet.ca 3.10.0-514.16.1.el7.x86_64
                              #1 SMP Fri Mar 10 13:12:32 EST 2017 x86_64 x86_64
Alert Count                   30011
First Seen                    2018-12-19 04:25:56 PST
Last Seen                     2019-02-14 15:29:17 PST
Local ID                      ec519fcf-2f7b-44c2-a3ca-922b20f8b2dd

Raw Audit Messages
type=AVC msg=audit(1550186957.692:15080580): avc:  denied  { read } for  pid=18734 comm="wkhtmltopdf-i38" name="printcap" dev="dm-0" ino=33554603 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:cupsd_rw_etc_t:s0 tclass=file


type=SYSCALL msg=audit(1550186957.692:15080580): arch=x86_64 syscall=open per=400000 success=no exit=EACCES a0=3c20db8 a1=80000 a2=1b6 a3=a items=0 ppid=18699 pid=18734 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm=wkhtmltopdf-i38 exe=/webdocs/pharm/cgi-bin/wkhtmltopdf-amd64 subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)

Hash: wkhtmltopdf-i38,httpd_sys_script_t,cupsd_rw_etc_t,file,read

wkhtmltopdf-amd64 is being run by apache, but needs to have access to printcap and font files, however that doesn't seem to be allowed.
I've since set up the program to use http_exec_t instead of httpd_sys_script_exec.  It works either way but still generates lots of errors.
In case you're wondering why I'm trying to fix something that still works, it appears that setroubleshootd runs quite often and takes up a load of cpu time in the process and I believe this is the reason why.

When I run:
ausearch -c 'wkhtmltopdf-i38' --raw | audit2allow -M my-wkhtmltopdfi38

it comes back with "nothing to do", so that's not helpful

I'm not sure how to fix the policies to allow this to happen.  I need some help, since this is a production machine and I don't want to mess something up in the process.
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
David FavorFractional CTO
Distinguished Expert 2018

Commented:
If the wkhtmltopdf-amd64 version works + the wkhtmltopdf-i386 version fails...

rm wkhtmltopdf-amd64
cp wkhtmltopdf-amd64 wkhtmltopdf-i386

Open in new window


If this fails, you may have to setup an selinux policy for wkhtmltopdf-i386 to match the setup for wkhtmltopdf-amd64.
David FavorFractional CTO
Distinguished Expert 2018

Commented:
You said, "wkhtmltopdf-amd64 is being run by apache, but needs to have access to printcap and font files, however that doesn't seem to be allowed."

This is correct. Usually only root, wheel, few others are allowed access to printer subsystem. Apache rarely falls into this list by default.
Commented:
managed to add a rule that solves my problems.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial