Problems running wkhtmltopdf inside apache under selinux

Asked by Doug Poulin
I'm running a Red Hat web server with SELinux.  We use wkhtmltopdf-amd64 to convert HTML files (custom generated reports) into PDF and then display them for the users.
It all works, except that I get a lot of errors recorded in the messages log.  Running sealert returns the following information on one such occurrence. We have wkhtmltopdf-i386 linked to the -amd64 version only because our previous server required a different version of the program.  So when you see -i38 it's the same application.

SELinux is preventing wkhtmltopdf-i38 from read access on the file /etc/printcap.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that wkhtmltopdf-i38 should be allowed read access on the printcap file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
allow this access for now by executing:
# ausearch -c 'wkhtmltopdf-i38' --raw | audit2allow -M my-wkhtmltopdfi38
# semodule -i my-wkhtmltopdfi38.pp

Additional Information:
Source Context                system_u:system_r:httpd_sys_script_t:s0
Target Context                system_u:object_r:cupsd_rw_etc_t:s0
Target Objects                /etc/printcap [ file ]
Source                        wkhtmltopdf-i38
Source Path                   wkhtmltopdf-i38
Port                          <Unknown>
Host                          swan1
Source RPM Packages          
Target RPM Packages           setup-2.8.71-7.el7.noarch
Policy RPM                    selinux-policy-3.13.1-102.el7_3.16.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name           
Platform                      Linux 3.10.0-514.16.1.el7.x86_64
                              #1 SMP Fri Mar 10 13:12:32 EST 2017 x86_64 x86_64
Alert Count                   30011
First Seen                    2018-12-19 04:25:56 PST
Last Seen                     2019-02-14 15:29:17 PST
Local ID                      ec519fcf-2f7b-44c2-a3ca-922b20f8b2dd

Raw Audit Messages
type=AVC msg=audit(1550186957.692:15080580): avc:  denied  { read } for  pid=18734 comm="wkhtmltopdf-i38" name="printcap" dev="dm-0" ino=33554603 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:cupsd_rw_etc_t:s0 tclass=file

type=SYSCALL msg=audit(1550186957.692:15080580): arch=x86_64 syscall=open per=400000 success=no exit=EACCES a0=3c20db8 a1=80000 a2=1b6 a3=a items=0 ppid=18699 pid=18734 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm=wkhtmltopdf-i38 exe=/webdocs/pharm/cgi-bin/wkhtmltopdf-amd64 subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)

Hash: wkhtmltopdf-i38,httpd_sys_script_t,cupsd_rw_etc_t,file,read

wkhtmltopdf-amd64 is being run by Apache, but needs access to printcap and font files; however, that doesn't seem to be allowed.
I've since set up the program to use http_exec_t instead of httpd_sys_script_exec.  It works either way, but still generates lots of errors.
In case you're wondering why I'm trying to fix something that still works: it appears that setroubleshootd runs quite often and takes up a load of CPU time in the process, and I believe this is the reason why.

When I run:
ausearch -c 'wkhtmltopdf-i38' --raw | audit2allow -M my-wkhtmltopdfi38

it comes back with "nothing to do", so that's not helpful.

I'm not sure how to fix the policies to allow this to happen.  I need some help, since this is a production machine and I don't want to mess something up in the process.
Doug Poulin
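One way to turn the raw AVC record shown in the alert into a local policy module, as an added example that is not part of the question or its answer. The shell function, the module name and the choice of a dontaudit rule are my own; the AVC line is copied from the alert above. Because the conversion already works, a dontaudit rule only stops the denial from being logged (and so stops setroubleshootd from processing it) without granting httpd scripts read access to /etc/printcap; pass "allow" as the third argument only if the access is actually required.

```sh
#!/bin/sh
# Constructed copy of the AVC record from the alert above (embedded so this runs offline).
AVC='type=AVC msg=audit(1550186957.692:15080580): avc:  denied  { read } for  pid=18734 comm="wkhtmltopdf-i38" name="printcap" dev="dm-0" ino=33554603 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:cupsd_rw_etc_t:s0 tclass=file'

# Extract one field from an AVC record with a sed capture pattern ($2 must contain one \(...\) group).
avc_field() { printf '%s\n' "$1" | sed -n "s/$2/\\1/p"; }

# Build a minimal type-enforcement (.te) module from a single AVC record.
#   $1 = AVC line, $2 = module name, $3 = rule kind: "dontaudit" (default) or "allow"
# dontaudit silences the denial only; allow actually grants the access.
avc_to_te() {
  line=$1; name=$2; kind=${3:-dontaudit}
  perms=$(avc_field "$line" '.*{ \([^}]*\) }.*')                      # e.g. "read"
  src=$(avc_field "$line" '.*scontext=[^:]*:[^:]*:\([^:]*\):.*')      # source type
  tgt=$(avc_field "$line" '.*tcontext=[^:]*:[^:]*:\([^:]*\):.*')      # target type
  cls=$(avc_field "$line" '.*tclass=\([a-z_]*\).*')                   # object class
  [ -n "$perms" ] && [ -n "$src" ] && [ -n "$tgt" ] && [ -n "$cls" ] || return 1
  printf 'module %s 1.0;\n\nrequire {\n' "$name"
  printf '\ttype %s;\n\ttype %s;\n\tclass %s { %s };\n}\n\n' "$src" "$tgt" "$cls" "$perms"
  printf '%s %s %s:%s { %s };\n' "$kind" "$src" "$tgt" "$cls" "$perms"
}

# Stand-alone run: print the module that silences the printcap denial.
avc_to_te "$AVC" my_wkhtmltopdf_printcap dontaudit

# To compile and load it (checkmodule/semodule_package/semodule from policycoreutils, as root):
#   avc_to_te "$AVC" my_wkhtmltopdf_printcap dontaudit > my_wkhtmltopdf_printcap.te
#   checkmodule -M -m -o my_wkhtmltopdf_printcap.mod my_wkhtmltopdf_printcap.te
#   semodule_package -o my_wkhtmltopdf_printcap.pp -m my_wkhtmltopdf_printcap.mod
#   semodule -i my_wkhtmltopdf_printcap.pp
# audit2allow also reads AVC records from stdin, so the alert's raw line can be fed to it
# directly when ausearch returns nothing:
#   printf '%s\n' "$AVC" | audit2allow -M my-wkhtmltopdfi38
```

With audit2allow the generated rule is an allow rule; edit the .te file to change it to dontaudit before packaging if silencing the denial is all that is wanted.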
