Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Daniel B. Thurman wrote:
> > It seems that I am having a bit of a problem with SELinux,
> > Apache, and Subversion in the way that I have my subversion
> > repository located not in the "recommended" place.
> >
> > Instead of putting the repository in the recommended place,
> > /var/www/svn for example, the docs say you can put the repository
> > elsewhere by adding an SVNParentPath=/my/place/svn entry to the
> > /etc/httpd/conf.d/subversion.conf file, but SELinux does not
> > like it. I changed the svn repository directory/files to the
> > context httpd_sys_context_t and to ownership apache.apache.
> > I also created a link such as /var/www/svn -> /my/svn, setting
> > SVNParentPath=/var/www/svn - it does not work either.
> >
> > I have tested to see if SELinux is blocking access by setting
> > setenforce 0, then opened up the firefox browser, entered
> > my user name and password and it worked, but setting setenforce 1
> > back breaks it again.
> >
> > Does anyone know how to do it - besides recommending that I
> > place the svn repository directly into /var/www/svn?
> >
> > Thanks-
> > Dan
> >
> What avc messages are you seeing? /var/log/audit/audit.log
> -----BEGIN PGP SIGNATURE-----
> -----END PGP SIGNATURE-----

I left intact the above and did not snip it because for some reason, Daniel Walsh has encapsulated it with PGP? Dunno, beats me.

The following has to do with problems encountered while setting up Apache and Subversion.

1) If I do not install my SVN repository in the recommended place, the /var/www/ directory, SELinux blocks access.
It does not matter if I have set the proper context (httpd_sys_content_t) and directory/file ownership (apache.apache); SELinux does not complain if the repository is in /var/www. The SELinux error logs are provided below for further examination by those who care.

2) When I have properly configured my /etc/httpd/conf.d/subversion.conf file for access levels and permissions, I can go to my favorite browser, type in http://localhost/svn (or whatever you set Location to), and it will prompt me for username and password and let me browse the SVN tree. My problem comes in when I do NOT use my browser, but instead use the command line, or try to access the SVN repository remotely or via Eclipse. None of these attempts work. For me, it *always* results in a ModSecurity error. I can however access my repository via file:/// access; I just cannot do it with http://. I have tested with setenforce and SELinux has nothing to do with this case, as there are no audit log reports either way.

+ svn list file:///var/www/svn/projects [SUCCESSFUL]
=====================================================
branches/
tags/
trunk/

+ svn list file:///fapp1/svn/projects [SUCCESSFUL]
==================================================
branches/
tags/
trunk/

+ svn list http://127.0.0.1/svn/projects [FAILURE]
Note: you can use localhost or your FQDN - it still fails.
==========================================================
svn: PROPFIND request failed on '/svn/projects/!svn/vcc/default'
svn: PROPFIND of '/svn/projects/!svn/vcc/default': 400 Bad Request (http://127.0.0.1)

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
NOTE: The following SELinux data appears ONLY if the SVN repository is NOT in the /var/www/svn directory; in my case above, /fapp1/svn
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

/var/log/audit/audit.log:
=========================
type=AVC msg=audit(1201975689.832:2302): avc: denied { search } for pid=22110 comm="httpd" name="/" dev=sdc1 ino=2 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=SYSCALL msg=audit(1201975689.832:2302): arch=40000003 syscall=5 success=no exit=-13 a0=ba4ab678 a1=8000 a2=1b6 a3=8000 items=0 ppid=22104 pid=22110 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

sealert:

Summary
SELinux is preventing access to files with the default label, default_t.

Detailed Description
SELinux permission checks on files labeled default_t are being denied. These files/directories have the default label on them. This can indicate a labeling problem, especially if the files being referred to are not top level directories. Any files/directories under standard system directories, /usr, /var, /dev, /tmp, ..., should not be labeled with the default label. The default label is for files/directories which do not have a label on a parent directory. So if you create a new directory in / you might legitimately get this label.

Allowing Access
If you want a confined domain to use these files you will probably need to relabel the file/directory with chcon.
In some cases it is just easier to relabel the system; to relabel, execute: "touch /.autorelabel; reboot"

Additional Information

Source Context         unconfined_u:system_r:httpd_t:s0
Target Context         system_u:object_r:default_t:s0
Target Objects         None [ dir ]
Affected RPM Packages  httpd-2.2.6-3 [application]
Policy RPM             selinux-policy-3.0.8-81.fc8
Selinux Enabled        True
Policy Type            targeted
MLS Enabled            True
Enforcing Mode         Enforcing
Plugin Name            plugins.default
Host Name              xxxxx.cdkkt.com
Platform               Linux xxxxx.cdkkt.com 2.6.23.14-107.fc8 #1 SMP Mon Jan 14 21:37:30 EST 2008 i686 i686
Alert Count            5
First Seen             Fri 01 Feb 2008 02:03:45 PM PST
Last Seen              Sat 02 Feb 2008 10:10:33 AM PST
Local ID               8cb35e21-1c2c-45cf-ac9d-18152da60a1b
Line Numbers

Raw Audit Messages
avc: denied { search } for comm=httpd dev=sdc1 egid=48 euid=48 exe=/usr/sbin/httpd exit=-13 fsgid=48 fsuid=48 gid=48 items=0 name=/ pid=22109 scontext=unconfined_u:system_r:httpd_t:s0 sgid=48 subj=unconfined_u:system_r:httpd_t:s0 suid=48 tclass=dir tcontext=system_u:object_r:default_t:s0 tty=(none) uid=48

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

/var/log/httpd/access_log:
=========================
10.1.0.143 - - [02/Feb/2008:09:52:42 -0800] "PROPFIND /svn/projects HTTP/1.1" 207 655 "-" "SVN/1.4.4 (r25188) neon/0.27.2"
10.1.0.143 - - [02/Feb/2008:09:52:43 -0800] "PROPFIND /svn/projects/!svn/vcc/default HTTP/1.1" 400 306 "-" "SVN/1.4.4 (r25188) neon/0.27.2"

/var/log/httpd/error_log:
=========================
[Sat Feb 02 09:52:42 2008] [error] [client 10.1.0.143] ModSecurity: Warning. Match of "rx ^OPTIONS$" against "REQUEST_METHOD" required. [id "960015"] [msg "Request Missing an Accept Header"] [severity "CRITICAL"] [hostname "xxxxx.cdkkt.com"] [uri "/svn/projects"] [unique_id "jsS@1goBAI8AAFWPHK8AAAAA"]
[Sat Feb 02 09:52:42 2008] [error] [client 10.1.0.143] ModSecurity: Warning. Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required.
[id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [hostname "xxxxx.cdkkt.com"] [uri "/svn/projects"] [unique_id "jsS@1goBAI8AAFWPHK8AAAAA"]
[Sat Feb 02 09:52:43 2008] [error] [client 10.1.0.143] ModSecurity: Access allowed (phase 4). Pattern match "^(PROPFIND|PROPPATCH)$" at REQUEST_METHOD. [hostname "xxxxx.cdkkt.com"] [uri "/svn/projects"] [unique_id "jsS@1goBAI8AAFWPHK8AAAAA"]
[Sat Feb 02 09:52:43 2008] [error] [client 10.1.0.143] ModSecurity: Access denied with code 400 (phase 2). Match of "rx ^[a-z]{3,10}\\\\s*(?:\\\\w{3,7}?\\\\:\\\\/\\\\/[\\\\w\\\\-\\\\.\\\\/]*)??\\\\/[\\\\w\\\\-\\\\.\\\\/~%:@&=+$,;]*(?:\\\\?[\\\\S]*)??\\\\s*http\\\\/\\\\d\\\\.\\\\d$" against "REQUEST_LINE" required. [id "960911"] [msg "Invalid HTTP Request Line"] [severity "CRITICAL"] [hostname "xxxxx.cdkkt.com"] [uri "/svn/projects/!svn/vcc/default"] [unique_id "jsfGswoBAI8AAFWRHLgAAAAC"]
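As an added example (not code from this thread or from the Fedora/SELinux project), a small Python triage script that parses audit.log AVC records like the ones quoted above and separates the "target is default_t, relabel it" case sealert describes from ordinary policy denials. The sample audit lines embedded in it are constructed, modelled on the post's own records.

```python
import re

# Constructed sample modelled on the post's audit.log: a search denial on a
# default_t directory, an unrelated SYSCALL record, and a denial on a file that
# already carries httpd_sys_content_t (so relabeling would not help there).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1201975689.832:2302): avc: denied { search } for pid=22110 comm="httpd" name="/" dev=sdc1 ino=2 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=SYSCALL msg=audit(1201975689.832:2302): arch=40000003 syscall=5 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1201975700.100:2310): avc: denied { read } for pid=22111 comm="httpd" name="index.html" dev=sdc1 ino=77 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for (?P<fields>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC record, or None for any other audit record type."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {"timestamp": float(m.group("ts")), "serial": int(m.group("serial")),
           "result": m.group("result"), "perms": m.group("perms").split()}
    for key, value in KV_RE.findall(m.group("fields")):
        rec[key] = value.strip('"')
    # A context is user:role:type:level; targeted policy decides on the type field.
    rec["source_type"] = rec["scontext"].split(":")[2]
    rec["target_type"] = rec["tcontext"].split(":")[2]
    return rec

def triage(log_text):
    """Classify every denial as a labeling problem (default_t target) or a policy gap."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        if rec["target_type"] == "default_t":
            verdict = "labeling: target is default_t, relabel the path and its parent directories"
        else:
            verdict = "policy: %s may not %s %s objects of type %s" % (
                rec["source_type"], ",".join(rec["perms"]), rec["tclass"], rec["target_type"])
        findings.append({"serial": rec["serial"], "comm": rec["comm"], "name": rec["name"],
                         "target_type": rec["target_type"], "verdict": verdict})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_AUDIT_LOG):
        print("%(serial)s %(comm)s %(name)s -> %(verdict)s" % f)
```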