Bug 610307 - mediawiki math selinux - blocks me from using texvc
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 13
Hardware: All
OS: Linux
Priority: low
Severity: medium
Assigned To: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Reported: 2010-07-01 21:30 EDT by Andreas Pedersen
Modified: 2012-03-14 09:28 EDT (History)
Doc Type: Bug Fix
Last Closed: 2011-06-01 11:28:49 EDT
Description Andreas Pedersen 2010-07-01 21:30:56 EDT
Description of problem:
SELinux blocks me from using texvc with mediawiki. Is there any workaround for this issue other than disabling SELinux, or is there something I can do?


How reproducible:
<math>
  \operatorname{erfc}(x) =
  \frac{2}{\sqrt{\pi}} \int_x^{\infty} e^{-t^2}\,dt =
  \frac{e^{-x^2}}{x\sqrt{\pi}}\sum_{n=0}^\infty (-1)^n \frac{(2n)!}{n!(2x)^{2n}}
</math>


# chcon -R -t httpd_sys_script_rw_t images

Failed to parse (unknown error): \operatorname{erfc}(x) = \frac{2}{\sqrt{\pi}} \int_x^{\infty} e^{-t^2}\,dt = \frac{e^{-x^2}}{x\sqrt{\pi}}\sum_{n=0}^\infty (-1)^n \frac{(2n)!}{n!(2x)^{2n}} 


type=AVC msg=audit(1278029222.572:147): avc:  denied  { execute_no_trans } for  pid=7648 comm="sh" path="/usr/lib64/mediawiki/math/texvc" dev=sda1 ino=552581 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=SYSCALL msg=audit(1278029222.572:147): arch=c000003e syscall=59 success=no exit=-13 a0=1ef0c80 a1=1eef7f0 a2=1eef9a0 a3=7fff0a62d8d0 items=0 ppid=6761 pid=7648 auid=0 uid=48 gid=494 euid=48 suid=48 fsuid=48 egid=494 sgid=494 fsgid=494 tty=(none) ses=13 comm="sh" exe="/bin/bash" subj=unconfined_u:system_r:httpd_t:s0 key=(null)




------

# chcon -R -t httpd_sys_script_exec_t /usr/lib64/mediawiki/math/

Failed to parse (PNG conversion failed; check for correct installation of latex, dvips, gs, and convert): \operatorname{erfc}(x) = \frac{2}{\sqrt{\pi}} \int_x^{\infty} e^{-t^2}\,dt = \frac{e^{-x^2}}{x\sqrt{\pi}}\sum_{n=0}^\infty (-1)^n \frac{(2n)!}{n!(2x)^{2n}} 


type=AVC msg=audit(1278029087.064:144): avc:  denied  { search } for  pid=7630 comm="texvc" name="wiki" dev=sda1 ino=134158 scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_user_content_t:s0 tclass=dir
type=SYSCALL msg=audit(1278029087.064:144): arch=c000003e syscall=4 success=no exit=-13 a0=7f466513d730 a1=7fff0789c7d0 a2=7fff0789c7d0 a3=38 items=0 ppid=6757 pid=7630 auid=0 uid=48 gid=494 euid=48 suid=48 fsuid=48 egid=494 sgid=494 fsgid=494 tty=(none) ses=13 comm="texvc" exe="/usr/lib64/mediawiki/math/texvc" subj=unconfined_u:system_r:httpd_sys_script_t:s0 key=(null)
type=AVC msg=audit(1278029087.064:145): avc:  denied  { search } for  pid=7630 comm="texvc" name="wiki" dev=sda1 ino=134158 scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_user_content_t:s0 tclass=dir
type=SYSCALL msg=audit(1278029087.064:145): arch=c000003e syscall=2 success=no exit=-13 a0=841260 a1=241 a2=1b6 a3=7fff0789c560 items=0 ppid=6757 pid=7630 auid=0 uid=48 gid=494 euid=48 suid=48 fsuid=48 egid=494 sgid=494 fsgid=494 tty=(none) ses=13 comm="texvc" exe="/usr/lib64/mediawiki/math/texvc" subj=unconfined_u:system_r:httpd_sys_script_t:s0 key=(null)




Additional info:
LocalSettings.php:
$wgUseTeX           = true;
$wgTexvc            = '/usr/lib64/mediawiki/math/texvc';
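The description shows two different denials: with the shipped lib_t label, httpd_t is denied execute_no_trans on texvc; after relabelling to httpd_sys_script_exec_t, texvc runs as httpd_sys_script_t and is then denied search on the httpd_user_content_t wiki directory. The following is an added triage helper, not part of the bug report or of the selinux-policy package; it parses AVC records of the form quoted above and groups them by source type, permission, target type and object class, then classifies each denial coarsely. The sample log is constructed from the AVC lines in this report (SYSCALL records omitted); the classification rule that bin_t and *_exec_t types are the executable labels is an assumption drawn from the fix suggested in the report, not a property derived from the policy itself.

```python
import re
from collections import Counter

# Constructed sample: AVC records copied from this bug report (description and
# comment 3), SYSCALL records omitted.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1278029222.572:147): avc:  denied  { execute_no_trans } for  pid=7648 comm="sh" path="/usr/lib64/mediawiki/math/texvc" dev=sda1 ino=552581 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=AVC msg=audit(1278029087.064:144): avc:  denied  { search } for  pid=7630 comm="texvc" name="wiki" dev=sda1 ino=134158 scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_user_content_t:s0 tclass=dir
type=AVC msg=audit(1278029087.064:145): avc:  denied  { search } for  pid=7630 comm="texvc" name="wiki" dev=sda1 ino=134158 scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_user_content_t:s0 tclass=dir
type=AVC msg=audit(1278998458.076:21424): avc:  denied  { execute } for  pid=5271 comm="mktexfmt" name="tcfmgr" dev=sda1 ino=269129 scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
"""

# "avc:  denied  { perm perm } for  key=value key="quoted value" ..."
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'\s+for\s+(?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Permissions that mean "the domain tried to run this file".
EXEC_PERMS = {"execute", "execute_no_trans", "entrypoint"}


def parse_avc(line):
    """Parse one AVC record into a dict; return None for non-AVC lines."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {"decision": m.group("decision"), "perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    # A context is user:role:type:level; the type is what policy rules key on.
    rec["source_type"] = rec["scontext"].split(":")[2]
    rec["target_type"] = rec["tcontext"].split(":")[2]
    return rec


def summarize(log_text):
    """Count denials by (source type, permission, target type, class)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["decision"] != "denied":
            continue
        for perm in rec["perms"]:
            counts[(rec["source_type"], perm, rec["target_type"], rec["tclass"])] += 1
    return counts


def is_exec_label(selinux_type):
    # Assumption taken from this report: bin_t (the label Dan suggests in
    # comment 2) and the *_exec_t types are executable labels; lib_t and
    # usr_t, the types denied here, are not.
    return selinux_type == "bin_t" or selinux_type.endswith("_exec_t")


def classify(rec):
    """Coarse triage of a denial record returned by parse_avc()."""
    if rec["tclass"] == "file" and EXEC_PERMS & set(rec["perms"]):
        if is_exec_label(rec["target_type"]):
            return "exec-of-exec-type"      # domain lacks a rule for this exec type
        return "exec-of-non-exec-type"      # file carries a non-executable label
    if rec["tclass"] == "dir" and "search" in rec["perms"]:
        return "dir-search"                 # a path component is not reachable
    return "other"


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_AUDIT_LOG).items()):
        print(n, *key)
    for line in SAMPLE_AUDIT_LOG.splitlines():
        rec = parse_avc(line)
        print(classify(rec), rec.get("path") or rec.get("name"))
```

Run against the real audit log with `grep type=AVC /var/log/audit/audit.log` as input, the summary shows at a glance which domain/type pairs are involved before deciding between a relabel (as in this bug) and a policy change.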
Comment 1 Axel Thimm 2010-07-05 14:02:33 EDT
Dan, could you advise on how to proceed? Does this need a change in the mediawiki package or a change in selinux policy? Thanks!
Comment 2 Daniel Walsh 2010-07-12 15:20:15 EDT
chcon -t bin_t /usr/lib64/mediawiki/math/texvc

Should fix one of the errors.

Are all of the files in  /usr/lib64/mediawiki/math executables?
Comment 3 Andreas Pedersen 2010-07-13 03:34:10 EDT

restorecon -R /usr/lib64/mediawiki/math/
chcon -t bin_t /usr/lib64/mediawiki/math/texvc

These three files are executable: texvc_tex, texvc_test, texvc

# ls -Z /usr/lib64/mediawiki/math/
-rw-r--r--. root root system_u:object_r:lib_t:s0       html.cmx
-rw-r--r--. root root system_u:object_r:lib_t:s0       html.ml
-rw-r--r--. root root system_u:object_r:lib_t:s0       html.mli
-rw-r--r--. root root system_u:object_r:lib_t:s0       html.o
-rw-r--r--. root root system_u:object_r:lib_t:s0       lexer.cmx
-rw-r--r--. root root system_u:object_r:lib_t:s0       lexer.mll
-rw-r--r--. root root system_u:object_r:lib_t:s0       lexer.o
-rw-r--r--. root root system_u:object_r:lib_t:s0       Makefile
-rw-r--r--. root root system_u:object_r:lib_t:s0       mathml.cmx
-rw-r--r--. root root system_u:object_r:lib_t:s0       mathml.ml
-rw-r--r--. root root system_u:object_r:lib_t:s0       mathml.mli
-rw-r--r--. root root system_u:object_r:lib_t:s0       mathml.o
-rw-r--r--. root root system_u:object_r:lib_t:s0       parser.cmx
-rw-r--r--. root root system_u:object_r:lib_t:s0       parser.mli
-rw-r--r--. root root system_u:object_r:lib_t:s0       parser.mly
-rw-r--r--. root root system_u:object_r:lib_t:s0       parser.o
-rw-r--r--. root root system_u:object_r:lib_t:s0       README
-rw-r--r--. root root system_u:object_r:lib_t:s0       render.cmx
-rw-r--r--. root root system_u:object_r:lib_t:s0       render_info.mli
-rw-r--r--. root root system_u:object_r:lib_t:s0       render.ml
-rw-r--r--. root root system_u:object_r:lib_t:s0       render.o
-rw-r--r--. root root system_u:object_r:lib_t:s0       tex.mli
-rw-r--r--. root root system_u:object_r:lib_t:s0       texutil.cmx
-rw-r--r--. root root system_u:object_r:lib_t:s0       texutil.ml
-rw-r--r--. root root system_u:object_r:lib_t:s0       texutil.mli
-rw-r--r--. root root system_u:object_r:lib_t:s0       texutil.o
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       texvc
-rw-r--r--. root root system_u:object_r:lib_t:s0       texvc_cgi.ml
-rw-r--r--. root root system_u:object_r:lib_t:s0       texvc.cmx
-rw-r--r--. root root system_u:object_r:lib_t:s0       texvc.ml
-rw-r--r--. root root system_u:object_r:lib_t:s0       texvc.o
-rwxr-xr-x. root root system_u:object_r:lib_t:s0       texvc_test
-rw-r--r--. root root system_u:object_r:lib_t:s0       texvc_test.cmx
-rw-r--r--. root root system_u:object_r:lib_t:s0       texvc_test.ml
-rw-r--r--. root root system_u:object_r:lib_t:s0       texvc_test.o
-rwxr-xr-x. root root system_u:object_r:lib_t:s0       texvc_tex
-rw-r--r--. root root system_u:object_r:lib_t:s0       texvc_tex.cmx
-rw-r--r--. root root system_u:object_r:lib_t:s0       texvc_tex.ml
-rw-r--r--. root root system_u:object_r:lib_t:s0       texvc_tex.o
-rw-r--r--. root root system_u:object_r:lib_t:s0       TODO
-rw-r--r--. root root system_u:object_r:lib_t:s0       util.cmx
-rw-r--r--. root root system_u:object_r:lib_t:s0       util.ml
-rw-r--r--. root root system_u:object_r:lib_t:s0       util.o



# find / -xdev -inum 269129
/usr/share/texmf/texconfig/tcfmgr
# ls -Z /usr/share/texmf/texconfig/tcfmgr
-rwxr-xr-x. root root system_u:object_r:usr_t:s0       /usr/share/texmf/texconfig/tcfmgr



type=AVC msg=audit(1278998457.615:21421): avc:  denied  { search } for  pid=5009 comm="php-cgi" name="session" dev=sda1 ino=291917 scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=dir
type=SYSCALL msg=audit(1278998457.615:21421): arch=c000003e syscall=2 success=yes exit=4294967424 a0=7fff7d211b50 a1=42 a2=180 a3=0 items=0 ppid=5006 pid=5009 auid=0 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=124 comm="php-cgi" exe="/usr/bin/php-cgi" subj=unconfined_u:system_r:httpd_sys_script_t:s0 key=(null)
type=AVC msg=audit(1278998457.873:21422): avc:  denied  { getattr } for  pid=5262 comm="latex" path="/var/lib/texmf" dev=sda1 ino=269177 scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:tetex_data_t:s0 tclass=dir
type=SYSCALL msg=audit(1278998457.873:21422): arch=c000003e syscall=4 success=yes exit=128 a0=aa5af0 a1=7fff7a4e27d0 a2=7fff7a4e27d0 a3=8 items=0 ppid=5261 pid=5262 auid=0 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=124 comm="latex" exe="/usr/bin/pdftex" subj=unconfined_u:system_r:httpd_sys_script_t:s0 key=(null)
type=AVC msg=audit(1278998458.011:21423): avc:  denied  { getattr } for  pid=5270 comm="kpsewhich" path="/var/lib/texmf" dev=sda1 ino=269177 scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:tetex_data_t:s0 tclass=dir
type=SYSCALL msg=audit(1278998458.011:21423): arch=c000003e syscall=4 success=yes exit=128 a0=a50b60 a1=7fff90643ad0 a2=7fff90643ad0 a3=8 items=0 ppid=5269 pid=5270 auid=0 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=124 comm="kpsewhich" exe="/usr/bin/kpsewhich" subj=unconfined_u:system_r:httpd_sys_script_t:s0 key=(null)
type=AVC msg=audit(1278998458.076:21424): avc:  denied  { execute } for  pid=5271 comm="mktexfmt" name="tcfmgr" dev=sda1 ino=269129 scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1278998458.076:21424): arch=c000003e syscall=59 success=no exit=-13 a0=72dc30 a1=765c00 a2=72e6b0 a3=7fff05e72210 items=0 ppid=5268 pid=5271 auid=0 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=124 comm="mktexfmt" exe="/bin/bash" subj=unconfined_u:system_r:httpd_sys_script_t:s0 key=(null)
type=AVC msg=audit(1278998458.078:21425): avc:  denied  { execute } for  pid=5271 comm="mktexfmt" name="tcfmgr" dev=sda1 ino=269129 scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1278998458.078:21425): arch=c000003e syscall=21 success=no exit=-13 a0=72dc30 a1=1 a2=0 a3=7fff05e72150 items=0 ppid=5268 pid=5271 auid=0 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=124 comm="mktexfmt" exe="/bin/bash" subj=unconfined_u:system_r:httpd_sys_script_t:s0 key=(null)
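Dan's question in comment 2 (which files in the directory are executables?) can be answered mechanically from the `ls -Z` output above: after the single `chcon`, texvc carries bin_t but texvc_test and texvc_tex still carry lib_t, and tcfmgr carries usr_t. The following is an added check, not code from the report or from the Fedora packages; it parses coreutils `ls -Z` lines (mode, user, group, context, name) and lists regular files with an execute bit whose SELinux type is not bin_t or a *_exec_t type. The listing is a constructed subset of comment 3, and the executable-label rule is the same assumption as in the report's suggested fix.

```python
# Constructed sample: a subset of the `ls -Z` output in comment 3, plus the
# tcfmgr line, copied as printed in the report.
SAMPLE_LS_Z = """\
-rw-r--r--. root root system_u:object_r:lib_t:s0       Makefile
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       texvc
-rw-r--r--. root root system_u:object_r:lib_t:s0       texvc.ml
-rwxr-xr-x. root root system_u:object_r:lib_t:s0       texvc_test
-rwxr-xr-x. root root system_u:object_r:lib_t:s0       texvc_tex
-rwxr-xr-x. root root system_u:object_r:usr_t:s0       /usr/share/texmf/texconfig/tcfmgr
"""


def parse_ls_z(listing):
    """Yield (mode, selinux_type, name) for each regular-file line of `ls -Z`."""
    for line in listing.splitlines():
        parts = line.split(None, 4)          # name may contain spaces
        if len(parts) < 5 or not parts[0].startswith("-"):
            continue                         # skip dirs, symlinks, headers
        mode, _user, _group, context, name = parts
        yield mode, context.split(":")[2], name


def is_executable(mode):
    # Any x or s in the nine permission characters after the type character
    # (the trailing "." marks a security context and is ignored).
    return any(c in "xs" for c in mode[1:10])


def is_exec_label(selinux_type):
    # Assumption from this report: bin_t (suggested in comment 2) and the
    # *_exec_t types are executable labels; lib_t and usr_t are not.
    return selinux_type == "bin_t" or selinux_type.endswith("_exec_t")


def mislabelled_executables(listing):
    """Executable files whose SELinux type is not an executable type."""
    return [(name, t) for mode, t, name in parse_ls_z(listing)
            if is_executable(mode) and not is_exec_label(t)]


if __name__ == "__main__":
    for name, t in mislabelled_executables(SAMPLE_LS_Z):
        print(f"{name}: executable but labelled {t}")
```

On a live system the same check is `ls -Z /usr/lib64/mediawiki/math/ | python3 -` style piping into `mislabelled_executables(sys.stdin.read())`; the output is the list of files a packaged file context for bin_t would have to cover, which is what comment 4 proposes.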
Comment 4 Daniel Walsh 2010-07-13 08:41:51 EDT
I can add bin_t labels for those files.  Does mediawiki need to write to /var/lib/texmf?

Miroslav, we might need policy for mediawiki?
Comment 5 Miroslav Grepl 2010-09-01 10:25:35 EDT
(In reply to comment #4)

> Miroslav, we might need policy for mediawiki?

Maybe it will not be necessary. Will see after more testing.
Comment 6 Miroslav Grepl 2010-10-08 05:03:37 EDT
Fixed in selinux-policy-3.7.19-65.fc13
Comment 7 Fedora Admin XMLRPC Client 2010-11-08 16:50:40 EST
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 8 Fedora Admin XMLRPC Client 2010-11-08 16:52:03 EST
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 9 Fedora Admin XMLRPC Client 2010-11-08 16:53:13 EST
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 10 Bug Zapper 2011-06-01 10:59:09 EDT
This message is a reminder that Fedora 13 is nearing its end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 13. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '13'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 13's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 13 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug to the applicable version. If you are unable to change the version, please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.

The process we are following is described here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 11 JM 2012-03-14 09:20:29 EDT
Looks like the problem exists in Fedora 16, too. The file

/usr/lib64/mediawiki/math/texvc

now has the label

httpd_mediawiki_script_exec_t

and creates errors with SELinux.

A

chcon -t bin_t /usr/lib64/mediawiki/math/texvc

fixed the problem.
Comment 12 Daniel Walsh 2012-03-14 09:28:55 EDT
JM, what AVCs are you seeing? And please open a new bug.