Problems running wkhtmltopdf inside apache under selinux

Asked by Doug Poulin (Canada)

I'm running a Red Hat web server with SELinux. We use wkhtmltopdf-amd64 to convert HTML files (custom generated reports) into PDF and then display them for the users.
It all works, except that I get a lot of errors recorded in the messages log. Running sealert returns the following information on one such occurrence. We have wkhtmltopdf-i386 linked to the -amd64 version only because our previous server required a different version of the program, so when you see -i38 it's the same application.

SELinux is preventing wkhtmltopdf-i38 from read access on the file /etc/printcap.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that wkhtmltopdf-i38 should be allowed read access on the printcap file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
allow this access for now by executing:
# ausearch -c 'wkhtmltopdf-i38' --raw | audit2allow -M my-wkhtmltopdfi38
# semodule -i my-wkhtmltopdfi38.pp

Additional Information:
Source Context                system_u:system_r:httpd_sys_script_t:s0
Target Context                system_u:object_r:cupsd_rw_etc_t:s0
Target Objects                /etc/printcap [ file ]
Source                        wkhtmltopdf-i38
Source Path                   wkhtmltopdf-i38
Port                          <Unknown>
Host                          swan1
Source RPM Packages          
Target RPM Packages           setup-2.8.71-7.el7.noarch
Policy RPM                    selinux-policy-3.13.1-102.el7_3.16.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name           
Platform                      Linux 3.10.0-514.16.1.el7.x86_64
                              #1 SMP Fri Mar 10 13:12:32 EST 2017 x86_64 x86_64
Alert Count                   30011
First Seen                    2018-12-19 04:25:56 PST
Last Seen                     2019-02-14 15:29:17 PST
Local ID                      ec519fcf-2f7b-44c2-a3ca-922b20f8b2dd

Raw Audit Messages
type=AVC msg=audit(1550186957.692:15080580): avc:  denied  { read } for  pid=18734 comm="wkhtmltopdf-i38" name="printcap" dev="dm-0" ino=33554603 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:cupsd_rw_etc_t:s0 tclass=file

type=SYSCALL msg=audit(1550186957.692:15080580): arch=x86_64 syscall=open per=400000 success=no exit=EACCES a0=3c20db8 a1=80000 a2=1b6 a3=a items=0 ppid=18699 pid=18734 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm=wkhtmltopdf-i38 exe=/webdocs/pharm/cgi-bin/wkhtmltopdf-amd64 subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)

Hash: wkhtmltopdf-i38,httpd_sys_script_t,cupsd_rw_etc_t,file,read

wkhtmltopdf-amd64 is being run by apache, but needs to have access to printcap and font files; however, that doesn't seem to be allowed.
I've since set up the program to use http_exec_t instead of httpd_sys_script_exec. It works either way but still generates lots of errors.
In case you're wondering why I'm trying to fix something that still works, it appears that setroubleshootd runs quite often and takes up a load of CPU time in the process, and I believe this is the reason why.

When I run:
ausearch -c 'wkhtmltopdf-i38' --raw | audit2allow -M my-wkhtmltopdfi38

it comes back with "nothing to do", so that's not helpful.

I'm not sure how to fix the policies to allow this to happen.  I need some help, since this is a production machine and I don't want to mess something up in the process.
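What the sealert suggestion above actually derives from the raw AVC record, as an added example (this is not part of the original thread and not Red Hat's audit2allow; the second AVC line is constructed, and the module name is the one the alert proposes). Two details worth knowing before touching a production box: the kernel stores a task name in 15 characters, so "wkhtmltopdf-i386" is logged as "wkhtmltopdf-i38" regardless of how the binary is linked; and the raw AVC line in the alert can be pasted into a file and fed to `audit2allow -M my-wkhtmltopdfi38 < avc.txt` when `ausearch -c` finds nothing. The code below groups denials by source type, target type and class, merges the permissions, and renders the same kind of `.te` module, with `dontaudit` as an option because the converter already works without printcap: silencing the denial removes the alert noise (and setroubleshootd's CPU use) without widening what Apache's CGI domain may read.

```python
"""Turn raw SELinux AVC records into a minimal policy module, the way
audit2allow -M (or -D) does, so the rule a denial implies can be read and
checked before anything is loaded on a production box.

Added example for this thread; it is not part of the original post and
not Red Hat's audit2allow. The second AVC line is constructed to show how
permissions from repeated denials are merged."""
import re
import shlex
from collections import defaultdict

# Raw AVC record exactly as shown in the sealert output in the question.
AVC_LINE = (
    'type=AVC msg=audit(1550186957.692:15080580): avc:  denied  { read } for  '
    'pid=18734 comm="wkhtmltopdf-i38" name="printcap" dev="dm-0" ino=33554603 '
    'scontext=system_u:system_r:httpd_sys_script_t:s0 '
    'tcontext=system_u:object_r:cupsd_rw_etc_t:s0 tclass=file'
)

# Constructed second record (not from the page): same domain and target type,
# a different permission, so the merge step has something to do.
CONSTRUCTED_LINE = (
    'type=AVC msg=audit(1550187000.000:15080599): avc:  denied  { open } for  '
    'pid=18801 comm="wkhtmltopdf-i38" path="/etc/printcap" dev="dm-0" ino=33554603 '
    'scontext=system_u:system_r:httpd_sys_script_t:s0 '
    'tcontext=system_u:object_r:cupsd_rw_etc_t:s0 tclass=file'
)

_AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<rest>.*)$")


def parse_avc(line):
    """Pull the pieces a policy rule needs out of one AVC denial record.

    Contexts are user:role:type[:level]; only the type field matters for a
    type-enforcement rule. comm is the kernel's 15-character task name, which
    is why "wkhtmltopdf-i386" shows up as "wkhtmltopdf-i38".
    """
    m = _AVC_RE.search(line)
    if m is None:
        raise ValueError("not an AVC denial record: %r" % line)
    fields = {}
    for tok in shlex.split(m.group("rest")):  # shlex strips the quotes
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
    return {
        "perms": set(m.group("perms").split()),
        "stype": fields["scontext"].split(":")[2],
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "comm": fields.get("comm", ""),
        "object": fields.get("path") or fields.get("name", ""),
    }


def summarize(lines):
    """Group denials by (source type, target type, class); union the perms."""
    groups = defaultdict(lambda: {"perms": set(), "count": 0, "objects": set()})
    for line in lines:
        if "avc:" not in line or "denied" not in line:
            continue  # SYSCALL and other record types carry no rule information
        d = parse_avc(line)
        g = groups[(d["stype"], d["ttype"], d["tclass"])]
        g["perms"] |= d["perms"]
        g["count"] += 1
        if d["object"]:
            g["objects"].add(d["object"])
    return dict(groups)


def _permset(perms):
    """Single permission bare, several in braces, as checkmodule expects."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def policy_module(name, groups, dontaudit=False):
    """Render a .te module. dontaudit=True silences the denial without
    granting the access, the right choice when the program works without it."""
    verb = "dontaudit" if dontaudit else "allow"
    types, classes = set(), defaultdict(set)
    for (stype, ttype, tclass), g in groups.items():
        types |= {stype, ttype}
        classes[tclass] |= g["perms"]
    out = ["module %s 1.0;" % name, "", "require {"]
    out += ["\ttype %s;" % t for t in sorted(types)]
    out += ["\tclass %s %s;" % (c, _permset(classes[c])) for c in sorted(classes)]
    out += ["}", ""]
    for (stype, ttype, tclass), g in sorted(groups.items()):
        out.append("# %d denial(s) on: %s" % (g["count"], ", ".join(sorted(g["objects"]))))
        out.append("%s %s %s:%s %s;" % (verb, stype, ttype, tclass, _permset(g["perms"])))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Render the quiet variant for the records above.
    print(policy_module("my-wkhtmltopdfi38", summarize([AVC_LINE, CONSTRUCTED_LINE]), dontaudit=True))
```

Saving the rendered text as `my-wkhtmltopdfi38.te` and running `checkmodule -M -m -o my-wkhtmltopdfi38.mod my-wkhtmltopdfi38.te`, `semodule_package -o my-wkhtmltopdfi38.pp -m my-wkhtmltopdfi38.mod` and `semodule -i my-wkhtmltopdfi38.pp` is exactly the sequence `audit2allow -M` performs; `audit2allow -D` produces the `dontaudit` form directly. An `allow` rule on `cupsd_rw_etc_t` is only warranted if the generated PDFs actually depend on reading printcap, which the question says they do not.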
David Favor (United States of America) answered:

If the wkhtmltopdf-amd64 version works + the wkhtmltopdf-i386 version fails...

# replace the i386 copy with a copy of the working amd64 binary
rm wkhtmltopdf-i386
cp wkhtmltopdf-amd64 wkhtmltopdf-i386

If this fails, you may have to set up an SELinux policy for wkhtmltopdf-i386 to match the setup for wkhtmltopdf-amd64.
You said, "wkhtmltopdf-amd64 is being run by apache, but needs to have access to printcap and font files, however that doesn't seem to be allowed."

This is correct. Usually only root, wheel and a few others are allowed access to the printer subsystem. Apache rarely falls into this list by default.