Bug 733545

Summary: Problems with running pdflatex from a CGI via apache/httpd
Product: [Fedora] Fedora Reporter: Robin Powell <rlpowell>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 15CC: dominick.grift, dwalsh, mgrepl
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: selinux-policy-3.9.16-39.fc15 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-10-06 00:03:11 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Robin Powell 2011-08-26 00:23:48 UTC 
Here's the perms I'm now running with that fix it:


#============= httpd_t ==============
allow httpd_t tetex_data_t:dir { getattr search };
allow httpd_t tetex_data_t:file { read getattr open };

If it was me, though, I'd just let anybody access that stuff; it's just data files that are part of the package.

Here's the AVC messages:



type=AVC msg=audit(1314295334.302:88313): avc:  denied  { getattr } for  pid=9921 comm="pdflatex" path="/var/lib/texmf" dev=vdb1 ino=152168 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:tetex_data_t:s0 tclass=dir
type=AVC msg=audit(1314295334.302:88314): avc:  denied  { search } for  pid=9921 comm="pdflatex" name="texmf" dev=vdb1 ino=152168 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:tetex_data_t:s0 tclass=dir
type=AVC msg=audit(1314295334.302:88314): avc:  denied  { read } for  pid=9921 comm="pdflatex" name="ls-R" dev=vdb1 ino=152692 scontext=system_u:system_r:httpd_t:s0 tcontext=staff_u:object_r:tetex_data_t:s0 tclass=file
type=AVC msg=audit(1314295334.302:88315): avc:  denied  { getattr } for  pid=9921 comm="pdflatex" path="/var/lib/texmf/ls-R" dev=vdb1 ino=152692 scontext=system_u:system_r:httpd_t:s0 tcontext=staff_u:object_r:tetex_data_t:s0 tclass=file
type=AVC msg=audit(1314295334.303:88316): avc:  denied  { open } for  pid=9921 comm="pdflatex" name="ls-R" dev=vdb1 ino=152692 scontext=system_u:system_r:httpd_t:s0 tcontext=staff_u:object_r:tetex_data_t:s0 tclass=file
type=AVC msg=audit(1314295334.381:88317): avc:  denied  { search } for  pid=9921 comm="pdflatex" name="pdftex" dev=vdb1 ino=152903 scontext=system_u:system_r:httpd_t:s0 tcontext=staff_u:object_r:tetex_data_t:s0 tclass=dir
type=AVC msg=audit(1314295334.381:88317): avc:  denied  { read } for  pid=9921 comm="pdflatex" name="pdflatex.fmt" dev=vdb1 ino=155648 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:tetex_data_t:s0 tclass=file
type=AVC msg=audit(1314295334.382:88318): avc:  denied  { getattr } for  pid=9921 comm="pdflatex" path="/var/lib/texmf/web2c/pdftex/pdflatex.fmt" dev=vdb1 ino=155648 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:tetex_data_t:s0 tclass=file
type=AVC msg=audit(1314295334.382:88319): avc:  denied  { open } for  pid=9921 comm="pdflatex" name="pdflatex.fmt" dev=vdb1 ino=155648 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:tetex_data_t:s0 tclass=file



-Robin
Comment 1 Miroslav Grepl 2011-08-26 06:22:41 UTC 
Is this CGI script your own or is this something what Fedora ships?
Comment 2 Robin Powell 2011-08-27 04:42:45 UTC 
Very much mine. I wasn't sure whether this deserved a bug, but when I asked on #selinux, dgrift suggested it was, so here we are.

Like I said, I can't think of a reason to limit these reads at all, to anyone, ever; can you?

-Robin
Comment 3 Daniel Walsh 2011-08-29 17:55:32 UTC 
I agree allow it.

miscfiles_read_tetex_data(httpd_t)
Comment 4 Miroslav Grepl 2011-08-30 08:38:08 UTC 
Ok, I was just interested about path to CGI script and adding label for it.
Comment 5 Daniel Walsh 2011-08-30 09:28:05 UTC 
This does not look like it is using a cgi.


It would be scontext=httpd_sys_script_t if it was cgi,

It is httpd_t so it is running within the apache process.
Comment 6 Dominick Grift 2011-08-30 09:33:34 UTC 
Indeed this is mod_perl. It just reads the web content and executes it as httpd_t.

But it does not really matter, one could have just as easily written this using php, still should work though.
Comment 7 Dominick Grift 2011-08-30 09:54:49 UTC 
(In reply to comment #4)
> Ok, I was just interested about path to CGI script and adding label for it.

I thought about that as well, but after digging a bit i came to the following conclusion.

So i thought, well you may be able to run CGI scripts in the httpd_t domain if you:

1. have httpd_unified set to on.
2. and you have your CGI script labelled with a type that is normally not executable by httpd_t (example: httpd_sys_content_t)

httpd_t would have been able to execute it but it would not have been allowed to execute_no_trans. (seems PHP works like libs, where httpd_t needs to mmap (execute) the php file only. Not actually "execute" it (e.g. execute and execute_no_trans))

So with that in mind, i guess one can never run CGI in the httpd_t domain.
Comment 8 Miroslav Grepl 2011-08-30 10:49:52 UTC 
I have the following python CGI script

#cat iamcgi.py 
#!/usr/bin/python

print 'Content-type: text/plain; Charset="iso-8859-2"'
print '' 
print 'I am Python CGI script'

import os, sys, commands

rc, output = commands.getstatusoutput("cat /tmp/test1")

if rc == 0:
	print(output)


# ls -lZ iamcgi.py 
-rwxr-xr-x. root root system_u:object_r:httpd_sys_script_exec_t:s0 iamcgi.py

#============= httpd_sys_script_t ==============
allow httpd_sys_script_t auditd_log_t:file read;



# chcon -t bin_t iamcgi.py
# ls -Z iamcgi.py 
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       iamcgi.py

#============= httpd_t ==============
allow httpd_t auditd_log_t:file read;
Comment 9 Dominick Grift 2011-08-30 11:01:35 UTC 
yes bin_t is the exception to the rule (obviously)
Comment 10 Dominick Grift 2011-08-30 11:02:45 UTC 
I was talking about httpd types.
Comment 11 Daniel Walsh 2011-08-30 11:03:13 UTC 
I think we used to have a transition on bin_t to httpd_sys_script_t.  Might
have caused problems, I guess.

So I guess setting pdflatex to httpd_sys_script_exec_t would be a good
solution.
Comment 12 Miroslav Grepl 2011-08-30 11:09:18 UTC 
yeap, i just wanted to show my reason why i wanted to see path and context
Comment 13 Dominick Grift 2011-08-30 11:16:20 UTC 
(In reply to comment #12)
> yeap, i just wanted to show my reason why i wanted to see path and context

You are right. Good point.
Comment 14 Dominick Grift 2011-08-30 11:33:30 UTC 
(In reply to comment #11)
> I think we used to have a transition on bin_t to httpd_sys_script_t.  Might
> have caused problems, I guess.
> 
> So I guess setting pdflatex to httpd_sys_script_exec_t would be a good
> solution.

I think currently you might get into entry point issues, if for example userdomains run it. httpd_sys_script_exec_t is only an entry point to httpd_sys_script_t currently.

miscfiles_read_tetex_data(httpd_t) is not such a bad solution.
Comment 15 Fedora Update System 2011-09-08 08:12:42 UTC 
selinux-policy-3.9.16-39.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-39.fc15
Comment 16 Fedora Update System 2011-09-09 05:28:47 UTC 
Package selinux-policy-3.9.16-39.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-39.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-39.fc15
then log in and leave karma (feedback).
Comment 17 Fedora Update System 2011-10-06 00:03:11 UTC 
selinux-policy-3.9.16-39.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.