I'm running a Red Hat webserver with SELinux. We use wkhtmltopdf-amd64 to convert HTML files (custom generated reports) into PDF and then display them for the users.
It all works, except that I get a lot of errors recorded in the messages log. Running sealert returns the following information on one such occurrence. We have wkhtmltopdf-i386 linked to the -amd64 version only because our previous server required a different version of the program. So when you see -i38 it's the same application.
SELinux is preventing wkhtmltopdf-i38 from read access on the file /etc/printcap.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that wkhtmltopdf-i38 should be allowed read access on the printcap file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'wkhtmltopdf-i38' --raw | audit2allow -M my-wkhtmltopdfi38
# semodule -i my-wkhtmltopdfi38.pp
Additional Information:
Source Context system_u:system_r:httpd_sys_script_t:s0
Target Context system_u:object_r:cupsd_rw_etc_t:s0
Target Objects /etc/printcap [ file ]
Source wkhtmltopdf-i38
Source Path wkhtmltopdf-i38
Port <Unknown>
Host swan1
Source RPM Packages
Target RPM Packages setup-2.8.71-7.el7.noarch
Policy RPM selinux-policy-3.13.1-102.el7_3.16.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name swan1.medinet.ca
Platform Linux swan1.medinet.ca 3.10.0-514.16.1.el7.x86_64
#1 SMP Fri Mar 10 13:12:32 EST 2017 x86_64 x86_64
Alert Count 30011
First Seen 2018-12-19 04:25:56 PST
Last Seen 2019-02-14 15:29:17 PST
Local ID ec519fcf-2f7b-44c2-a3ca-922b20f8b2dd
Raw Audit Messages
type=AVC msg=audit(1550186957.692:15080580): avc: denied { read } for pid=18734 comm="wkhtmltopdf-i38" name="printcap" dev="dm-0" ino=33554603 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:cupsd_rw_etc_t:s0 tclass=file
type=SYSCALL msg=audit(1550186957.692:15080580): arch=x86_64 syscall=open per=400000 success=no exit=EACCES a0=3c20db8 a1=80000 a2=1b6 a3=a items=0 ppid=18699 pid=18734 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm=wkhtmltopdf-i38 exe=/webdocs/pharm/cgi-bin/wkhtmltopdf-amd64 subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
Hash: wkhtmltopdf-i38,httpd_sys_script_t,cupsd_rw_etc_t,file,read
wkhtmltopdf-amd64 is being run by apache, but needs to have access to printcap and font files; however, that doesn't seem to be allowed.
I've since set up the program to use http_exec_t instead of httpd_sys_script_exec. It works either way but still generates lots of errors.
In case you're wondering why I'm trying to fix something that still works, it appears that setroubleshootd runs quite often and takes up a load of CPU time in the process, and I believe this is the reason why.
When I run:
ausearch -c 'wkhtmltopdf-i38' --raw | audit2allow -M my-wkhtmltopdfi38
it comes back with "nothing to do", so that's not helpful.
I'm not sure how to fix the policies to allow this to happen. I need some help, since this is a production machine and I don't want to mess something up in the process.
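When audit2allow reports "nothing to do", the local policy module can be written by hand from the raw AVC record instead. The script below is an added example, not code from the question or the answer: it parses the AVC line quoted above, pulls out the source type, target type, object class and permission, and emits a minimal .te module. It defaults to a dontaudit rule, which stops the denial from being logged (and from feeding setroubleshootd) while keeping the access denied; since the conversion works without /etc/printcap, that is the least-privilege choice, and allow should be used only for an access the program actually needs. The module name wkhtmltopdf_printcap is an assumption chosen for this example; checkmodule, semodule_package and semodule are the standard policycoreutils tools.

```shell
#!/bin/sh
# Added example (not from the original post): build a SELinux policy module
# source (.te) directly from a raw AVC denial record.

# Sample AVC line, copied from the denial quoted in the question.
AVC_SAMPLE='type=AVC msg=audit(1550186957.692:15080580): avc: denied { read } for pid=18734 comm="wkhtmltopdf-i38" name="printcap" dev="dm-0" ino=33554603 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:cupsd_rw_etc_t:s0 tclass=file'

# avc_field LINE KEY -> the value of "KEY=value" in an AVC record
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# context_type CONTEXT -> the type field of user:role:type:level
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_perms LINE -> the permissions listed inside "denied { ... }"
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \([^}]*\) }.*/\1/p' | sed 's/^ *//; s/ *$//'
}

# gen_te MODULE_NAME RULE_KIND AVC_LINE -> prints a .te module on stdout.
# RULE_KIND is "dontaudit" (stop logging, keep denying) or "allow".
gen_te() {
    name=$1; kind=$2; line=$3
    case "$kind" in
        dontaudit|allow) ;;
        *) echo "gen_te: rule kind must be dontaudit or allow, got '$kind'" >&2; return 1 ;;
    esac
    src=$(context_type "$(avc_field "$line" scontext)")
    tgt=$(context_type "$(avc_field "$line" tcontext)")
    cls=$(avc_field "$line" tclass)
    perms=$(avc_perms "$line")
    printf 'module %s 1.0;\n\nrequire {\n\ttype %s;\n\ttype %s;\n\tclass %s { %s };\n}\n\n%s %s %s:%s { %s };\n' \
        "$name" "$src" "$tgt" "$cls" "$perms" "$kind" "$src" "$tgt" "$cls" "$perms"
}

# build_and_load NAME -> compile NAME.te into NAME.pp and load it.
# Needs policycoreutils (checkmodule, semodule_package, semodule) and root;
# run it on the SELinux host, not where the .te was merely generated.
build_and_load() {
    checkmodule -M -m -o "$1.mod" "$1.te" &&
    semodule_package -o "$1.pp" -m "$1.mod" &&
    semodule -i "$1.pp"
}

# Usage: print the module source for the quoted denial. To install it:
#   gen_te wkhtmltopdf_printcap dontaudit "$AVC_SAMPLE" > wkhtmltopdf_printcap.te
#   build_and_load wkhtmltopdf_printcap
gen_te wkhtmltopdf_printcap dontaudit "$AVC_SAMPLE"
```

To cover several distinct denials (for example the font directory reads mentioned in the question), feed each AVC line through gen_te separately or merge the resulting rules into one require block; after loading, a fresh run of the conversion plus `ausearch -m AVC -ts recent` confirms whether the records have stopped.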
If this fails, you may have to set up an SELinux policy for wkhtmltopdf-i386 to match the setup for wkhtmltopdf-amd64.