Bug 733545 - Problems with running pdflatex from a CGI via apache/httpd
Summary: Problems with running pdflatex from a CGI via apache/httpd
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 15
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-08-26 00:23 UTC by Robin Powell
Modified: 2011-10-06 00:03 UTC (History)
3 users (show)

Fixed In Version: selinux-policy-3.9.16-39.fc15
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-10-06 00:03:11 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)

Description Robin Powell 2011-08-26 00:23:48 UTC 
Here's the perms I'm now running with that fix it:


#============= httpd_t ==============
allow httpd_t tetex_data_t:dir { getattr search };
allow httpd_t tetex_data_t:file { read getattr open };

If it was me, though, I'd just let anybody access that stuff; it's just data files that are part of the package.

Here's the AVC messages:



type=AVC msg=audit(1314295334.302:88313): avc:  denied  { getattr } for  pid=9921 comm="pdflatex" path="/var/lib/texmf" dev=vdb1 ino=152168 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:tetex_data_t:s0 tclass=dir
type=AVC msg=audit(1314295334.302:88314): avc:  denied  { search } for  pid=9921 comm="pdflatex" name="texmf" dev=vdb1 ino=152168 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:tetex_data_t:s0 tclass=dir
type=AVC msg=audit(1314295334.302:88314): avc:  denied  { read } for  pid=9921 comm="pdflatex" name="ls-R" dev=vdb1 ino=152692 scontext=system_u:system_r:httpd_t:s0 tcontext=staff_u:object_r:tetex_data_t:s0 tclass=file
type=AVC msg=audit(1314295334.302:88315): avc:  denied  { getattr } for  pid=9921 comm="pdflatex" path="/var/lib/texmf/ls-R" dev=vdb1 ino=152692 scontext=system_u:system_r:httpd_t:s0 tcontext=staff_u:object_r:tetex_data_t:s0 tclass=file
type=AVC msg=audit(1314295334.303:88316): avc:  denied  { open } for  pid=9921 comm="pdflatex" name="ls-R" dev=vdb1 ino=152692 scontext=system_u:system_r:httpd_t:s0 tcontext=staff_u:object_r:tetex_data_t:s0 tclass=file
type=AVC msg=audit(1314295334.381:88317): avc:  denied  { search } for  pid=9921 comm="pdflatex" name="pdftex" dev=vdb1 ino=152903 scontext=system_u:system_r:httpd_t:s0 tcontext=staff_u:object_r:tetex_data_t:s0 tclass=dir
type=AVC msg=audit(1314295334.381:88317): avc:  denied  { read } for  pid=9921 comm="pdflatex" name="pdflatex.fmt" dev=vdb1 ino=155648 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:tetex_data_t:s0 tclass=file
type=AVC msg=audit(1314295334.382:88318): avc:  denied  { getattr } for  pid=9921 comm="pdflatex" path="/var/lib/texmf/web2c/pdftex/pdflatex.fmt" dev=vdb1 ino=155648 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:tetex_data_t:s0 tclass=file
type=AVC msg=audit(1314295334.382:88319): avc:  denied  { open } for  pid=9921 comm="pdflatex" name="pdflatex.fmt" dev=vdb1 ino=155648 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:tetex_data_t:s0 tclass=file



-Robin
Comment 1 Miroslav Grepl 2011-08-26 06:22:41 UTC 
Is this CGI script your own or is this something what Fedora ships?
Comment 2 Robin Powell 2011-08-27 04:42:45 UTC 
Very much mine. I wasn't sure whether this deserved a bug, but when I asked on #selinux, dgrift suggested it was, so here we are.

Like I said, I can't think of a reason to limit these reads at all, to anyone, ever; can you?

-Robin
Comment 3 Daniel Walsh 2011-08-29 17:55:32 UTC 
I agree allow it.

miscfiles_read_tetex_data(httpd_t)
Comment 4 Miroslav Grepl 2011-08-30 08:38:08 UTC 
Ok, I was just interested about path to CGI script and adding label for it.
Comment 5 Daniel Walsh 2011-08-30 09:28:05 UTC 
This does not look like it is using a cgi.


It would be scontext=httpd_sys_script_t if it was cgi,

It is httpd_t so it is running within the apache process.
Comment 6 Dominick Grift 2011-08-30 09:33:34 UTC 
Indeed this is mod_perl. It just reads the web content and executes it as httpd_t.

But it does not really matter, one could have just as easily written this using php, still should work though.
Comment 7 Dominick Grift 2011-08-30 09:54:49 UTC 
(In reply to comment #4)
> Ok, I was just interested about path to CGI script and adding label for it.

I thought about that as well, but after digging a bit i came to the following conclusion.

So i thought, well you may be able to run CGI scripts in the httpd_t domain if you:

1. have httpd_unified set to on.
2. and you have your CGI script labelled with a type that is normally not executable by httpd_t (example: httpd_sys_content_t)

httpd_t would have been able to execute it but it would not have been allowed to execute_no_trans. (seems PHP works like libs, where httpd_t needs to mmap (execute) the php file only. Not actually "execute" it (e.g. execute and execute_no_trans))

So with that in mind, i guess one can never run CGI in the httpd_t domain.
Comment 8 Miroslav Grepl 2011-08-30 10:49:52 UTC 
I have the following python CGI script

#cat iamcgi.py 
#!/usr/bin/python

print 'Content-type: text/plain; Charset="iso-8859-2"'
print '' 
print 'I am Python CGI script'

import os, sys, commands

rc, output = commands.getstatusoutput("cat /tmp/test1")

if rc == 0:
	print(output)


# ls -lZ iamcgi.py 
-rwxr-xr-x. root root system_u:object_r:httpd_sys_script_exec_t:s0 iamcgi.py

#============= httpd_sys_script_t ==============
allow httpd_sys_script_t auditd_log_t:file read;



# chcon -t bin_t iamcgi.py
# ls -Z iamcgi.py 
-rwxr-xr-x. root root system_u:object_r:bin_t:s0       iamcgi.py

#============= httpd_t ==============
allow httpd_t auditd_log_t:file read;
Comment 9 Dominick Grift 2011-08-30 11:01:35 UTC 
yes bin_t is the exception to the rule (obviously)
Comment 10 Dominick Grift 2011-08-30 11:02:45 UTC 
I was talking about httpd types.
Comment 11 Daniel Walsh 2011-08-30 11:03:13 UTC 
I think we used to have a transition on bin_t to httpd_sys_script_t.  Might
have caused problems, I guess.

So I guess setting pdflatex to httpd_sys_script_exec_t would be a good
solution.
Comment 12 Miroslav Grepl 2011-08-30 11:09:18 UTC 
yeap, i just wanted to show my reason why i wanted to see path and context
Comment 13 Dominick Grift 2011-08-30 11:16:20 UTC 
(In reply to comment #12)
> yeap, i just wanted to show my reason why i wanted to see path and context

You are right. Good point.
Comment 14 Dominick Grift 2011-08-30 11:33:30 UTC 
(In reply to comment #11)
> I think we used to have a transition on bin_t to httpd_sys_script_t.  Might
> have caused problems, I guess.
> 
> So I guess setting pdflatex to httpd_sys_script_exec_t would be a good
> solution.

I think currently you might get into entry point issues, if for example userdomains run it. httpd_sys_script_exec_t is only an entry point to httpd_sys_script_t currently.

miscfiles_read_tetex_data(httpd_t) is not such a bad solution.
Comment 15 Fedora Update System 2011-09-08 08:12:42 UTC 
selinux-policy-3.9.16-39.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-39.fc15
Comment 16 Fedora Update System 2011-09-09 05:28:47 UTC 
Package selinux-policy-3.9.16-39.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.9.16-39.fc15'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-39.fc15
then log in and leave karma (feedback).
Comment 17 Fedora Update System 2011-10-06 00:03:11 UTC 
selinux-policy-3.9.16-39.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.