-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Daniel B. Thurman wrote:
> Daniel J Walsh wrote:
> Daniel B. Thurman wrote:
>>>> It seems that I am having a bit of a problem with SELinux,
>>>> Apache, and Subversion in the way that I have my subversion
>>>> repository located not in the "recommended" place.
>>>>
>>>> Instead of putting the repository in the recommended place:
>>>> /var/www/svn for example, the docs say you can put the repository
>>>> elsewhere by adding an SVNParentPath=/my/place/svn entry into the
>>>> /etc/httpd/conf.d/subversion.conf file, but SELinux does not
>>>> like it. I did change the svn repository directory/files with
>>>> context httpd_sys_context_t and with ownership of apache.apache.
>>>> I also created a link such as /var/www/svn -> /my/svn setting
>>>> SVNParentPath=/var/www/svn - it does not work either.
>>>>
>>>> I have tested to see if SELinux is blocking access by setting
>>>> setenforce 0, then opened up the firefox browser, entered
>>>> my user name and password and it worked, but setting setenforce 1
>>>> back breaks it again.
>>>>
>>>> Does anyone know how to do it - besides recommending that I
>>>> place the svn repository directly into /var/www/svn?
>>>>
>>>> Thanks-
>>>> Dan
>>>>
> What avc messages are you seeing? /var/log/audit/audit.log
> I left intact the above and did not snip it because for some
> reason, Daniel Walsh has encapsulated it with PGP? Dunno,
> beats me.

You need to fix the context on the entire path. /my/place/svn

# semanage fcontext -a -t httpd_sys_content_t '/my(/.*)?'
# restorecon -R -v /my

> The following has to do with problems encountered while setting
> up Apache and Subversion.
>
> 1) If I do not install my SVN Repository to the recommended
> place of /var/www/ directory, SELinux blocks access.
> It does not matter if I have set the proper context
> (httpd_sys_content_t), and directory/file ownerships
> (apache.apache). SELinux does not complain if the repository
> is in /var/www. The SELinux error logs are provided for
> further examination by those who care.
>
> 2) When I have properly configured my
> /etc/httpd/conf.d/subversion.conf file for access levels and
> permissions, I can go to my favorite browser, type in
> http://localhost/svn (or whatever you set Location to), and it
> will prompt me for username and password, and will let me
> browse the SVN tree.
>
> My problem comes in when I do NOT use my browser, but
> instead use the command line, or try to access the SVN
> repository remotely or via Eclipse. None of these attempts
> work. For me, it *always* results in a ModSecurity error.
> I can however access my repository via file:/// access, I
> just cannot do it with http://. I have tested with setenforce
> and SELinux has nothing to do with this case as there are no
> audit log reports either way.
>
> + svn list file:///var/www/svn/projects [SUCCESSFUL]
> =====================================================
> branches/
> tags/
> trunk/
>
> + svn list file:///fapp1/svn/projects [SUCCESSFUL]
> ==================================================
> branches/
> tags/
> trunk/
>
> + svn list http://127.0.0.1/svn/projects [FAILURE]
> Note: you can use localhost or your FQDN - it still fails.
> ==========================================================
> svn: PROPFIND request failed on '/svn/projects/!svn/vcc/default'
> svn: PROPFIND of '/svn/projects/!svn/vcc/default': 400 Bad
> Request (http://127.0.0.1)
>
> %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
> NOTE: The following SELinux data appears ONLY if the SVN repository
> is NOT in the /var/www/svn directory, in my case above: /fapp1/svn
> %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
>
> /var/log/audit/audit.log:
> =========================
> type=AVC msg=audit(1201975689.832:2302): avc: denied { search } for
> pid=22110 comm="httpd" name="/" dev=sdc1 ino=2 scontext=unconfined_u:
> system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir
> type=SYSCALL msg=audit(1201975689.832:2302): arch=40000003 syscall=5
> success=no exit=-13 a0=ba4ab678 a1=8000 a2=1b6 a3=8000 items=0 ppid=22104
> pid=22110 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48
> fsgid=48 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:
> system_r:httpd_t:s0 key=(null)
>
> sealert:
> Summary
> SELinux is preventing access to files with the default label, default_t.
>
> Detailed Description
> SELinux permission checks on files labeled default_t are being denied.
> These files/directories have the default label on them. This can indicate
> a labeling problem, especially if the files being referred to are not top
> level directories. Any files/directories under standard system directories,
> /usr, /var. /dev, /tmp, ..., should not be labeled with the default label.
> The default label is for files/directories which do not have a label on a
> parent directory. So if you create a new directory in / you might
> legitimately get this label.
>
> Allowing Access
> If you want a confined domain to use these files you will probably need to
> relabel the file/directory with chcon. In some cases it is just easier to
> relabel the system, to relabel execute: "touch /.autorelabel; reboot"
>
> Additional Information
> Source Context unconfined_u:system_r:httpd_t:s0
> Target Context system_u:object_r:default_t:s0
> Target Objects None [ dir ]
> Affected RPM Packages httpd-2.2.6-3 [application]
> Policy RPM selinux-policy-3.0.8-81.fc8
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Enforcing
> Plugin Name plugins.default
> Host Name xxxxx.cdkkt.com
> Platform Linux xxxxx.cdkkt.com 2.6.23.14-107.fc8 #1 SMP Mon
> Jan 14 21:37:30 EST 2008 i686 i686
> Alert Count 5
> First Seen Fri 01 Feb 2008 02:03:45 PM PST
> Last Seen Sat 02 Feb 2008 10:10:33 AM PST
> Local ID 8cb35e21-1c2c-45cf-ac9d-18152da60a1b
> Line Numbers
>
> Raw Audit Messages
> avc: denied { search } for comm=httpd dev=sdc1 egid=48 euid=48
> exe=/usr/sbin/httpd exit=-13 fsgid=48 fsuid=48 gid=48 items=0
> name=/ pid=22109
> scontext=unconfined_u:system_r:httpd_t:s0 sgid=48
> subj=unconfined_u:system_r:httpd_t:s0 suid=48 tclass=dir
> tcontext=system_u:object_r:default_t:s0 tty=(none) uid=48
>
> %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
>
> /var/log/httpd/access_log:
> =========================
> 10.1.0.143 - - [02/Feb/2008:09:52:42 -0800] "PROPFIND /svn/projects
> HTTP/1.1" 207 655 "-" "SVN/1.4.4 (r25188) neon/0.27.2"
> 10.1.0.143 - - [02/Feb/2008:09:52:43 -0800] "PROPFIND /svn/projects/
> !svn/vcc/default HTTP/1.1" 400 306 "-" "SVN/1.4.4 (r25188) neon/0.27.2"
>
> /var/log/httpd/error_log:
> =========================
> [Sat Feb 02 09:52:42 2008] [error] [client 10.1.0.143] ModSecurity:
> Warning. Match of "rx ^OPTIONS$" against "REQUEST_METHOD" required.
> [id "960015"] [msg "Request Missing an Accept Header"] [severity
> "CRITICAL"] [hostname "xxxxx.cdkkt.com"] [uri "/svn/projects"]
> [unique_id "jsS@1goBAI8AAFWPHK8AAAAA"]
> [Sat Feb 02 09:52:42 2008] [error] [client 10.1.0.143] ModSecurity:
> Warning. Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against
> "REQUEST_METHOD" required. [id "960032"] [msg "Method is not
> allowed by policy"] [severity "CRITICAL"] [hostname "xxxxx.cdkkt.com"]
> [uri "/svn/projects"] [unique_id
> "jsS@1goBAI8AAFWPHK8AAAAA"]
> [Sat Feb 02 09:52:43 2008] [error] [client 10.1.0.143] ModSecurity: Access
> allowed (phase 4). Pattern match "^(PROPFIND|PROPPATCH)$" at REQUEST_METHOD.
> [hostname "xxxxx.cdkkt.com"] [uri "/svn/projects"] [unique_id
> "jsS@1goBAI8AAFWPHK8AAAAA"]
> [Sat Feb 02 09:52:43 2008] [error] [client 10.1.0.143] ModSecurity:
> Access denied with code 400 (phase 2). Match of "rx ^[a-z]{3,10}\\\\
> s*(?:\\\\w{3,7}?\\\\:\\\\/\\\\/[\\\\w\\\\-\\\\.\\\\/]*)??\\\\/[\\\\w
> \\\\-\\\\.\\\\/~%:@&=+$,;]*(?:\\\\?[\\\\S]*)??\\\\s*http\\\\/\\\\d\\\
> \.\\\\d$" against "REQUEST_LINE" required. [id "960911"] [msg "Invalid
> HTTP Request Line"] [severity "CRITICAL"] [hostname "xxxxx.cdkkt.com"]
> [uri "/svn/projects/!svn/vcc/default"] [unique_id "jsfGswoBAI8AAFWRHLgAAAAC"]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkenNGYACgkQrlYvE4MpobOROgCdEwBsId1GO4pkV6tEpsRr3Iib
fn4AniFEf4NVpAIsKiM5BORQAUVokO6e
=W+Zw
-----END PGP SIGNATURE-----
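Added example, not part of the thread and not code from SELinux, Apache, Subversion or ModSecurity: a small Python triage script that reads the two kinds of log line quoted in the mail. It splits the AVC record into its fields, recognises the default_t target type as the labeling problem sealert describes, and prints the semanage fcontext / restorecon pair from the reply for a caller-supplied path (the AVC records only name, dev and inode, so the path is an input). It then parses the ModSecurity error_log entries, keeps only the one that actually returned the 400, and renders a <Location>-scoped SecRuleRemoveById exemption. That directive and the scoping to /svn are this example's assumptions, not something the thread proposes, and the long 960911 regex is elided as "..." in the sample data.

```python
"""Log triage for the two failure modes in the thread: an SELinux AVC denial
caused by a default_t label on the repository path, and ModSecurity rules
rejecting the WebDAV methods Subversion uses over http://.

Added example, not code from the thread or the projects it names.  Sample
lines are copied from the mail and re-joined; the relabel commands are the
ones given in the reply.  SecRuleRemoveById is a ModSecurity 2.x directive
the thread itself does not mention."""
import re
from typing import Any, Dict, List, Optional

# Audit record from the thread (line-wrapped in the mail, re-joined here).
AVC_LINE = (
    'type=AVC msg=audit(1201975689.832:2302): avc: denied { search } for '
    'pid=22110 comm="httpd" name="/" dev=sdc1 ino=2 '
    'scontext=unconfined_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:default_t:s0 tclass=dir'
)

# error_log entries from the thread; the long 960911 regex is elided as "...".
MODSEC_LINES = [
    '[Sat Feb 02 09:52:42 2008] [error] [client 10.1.0.143] ModSecurity: '
    'Warning. Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against '
    '"REQUEST_METHOD" required. [id "960032"] [msg "Method is not allowed by '
    'policy"] [severity "CRITICAL"] [hostname "xxxxx.cdkkt.com"] '
    '[uri "/svn/projects"] [unique_id "jsS@1goBAI8AAFWPHK8AAAAA"]',
    '[Sat Feb 02 09:52:43 2008] [error] [client 10.1.0.143] ModSecurity: '
    'Access denied with code 400 (phase 2). Match of "rx ..." against '
    '"REQUEST_LINE" required. [id "960911"] [msg "Invalid HTTP Request Line"] '
    '[severity "CRITICAL"] [hostname "xxxxx.cdkkt.com"] '
    '[uri "/svn/projects/!svn/vcc/default"] '
    '[unique_id "jsfGswoBAI8AAFWRHLgAAAAC"]',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MODSEC_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<client>[^\]]+)\] ModSecurity: '
    r'(?P<action>Access denied with code (?P<code>\d+)|Warning|Access allowed)'
)
FIELD_RE = re.compile(r'\[(\w+) "([^"]*)"\]')   # [id "960911"], [uri "/svn/..."], ...


def parse_avc(line: str) -> Optional[Dict[str, Any]]:
    """Split one AVC record into the denied permissions and its key=value fields."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec: Dict[str, Any] = {'perms': m.group(1).split()}
    for key, val in KV_RE.findall(line[m.end():]):
        rec[key] = val.strip('"')
    return rec


def selinux_type(context: str) -> str:
    """user:role:type:level -> type, the component policy rules are written against."""
    return context.split(':')[2]


def avc_advice(rec: Dict[str, Any], repo_path: str) -> List[str]:
    """Explain a denial on a default_t object and return the relabel commands.

    repo_path comes from the caller: the AVC records name/dev/ino, not a path."""
    stype, ttype = selinux_type(rec['scontext']), selinux_type(rec['tcontext'])
    what = (f"{stype} denied {' '.join(rec['perms'])} on {rec['tclass']} "
            f"name={rec['name']} dev={rec['dev']} ino={rec['ino']} labelled {ttype}")
    if ttype != 'default_t':
        return [what, 'not a default-label problem; look at the policy for ' + ttype]
    out = [what + ': the path never received a proper context']
    if rec['name'] == '/' and rec['ino'] == '2':
        # Inode 2 is the root directory of an ext2/3/4 filesystem, so httpd was
        # stopped at the mount point itself: the whole mount needs relabeling.
        out.append(f"object is the root of the filesystem on {rec['dev']}")
    ctype = 'httpd_sys_content_t' if stype == 'httpd_t' else '<content type for ' + stype + '>'
    out.append(f"semanage fcontext -a -t {ctype} '{repo_path}(/.*)?'")
    out.append(f"restorecon -R -v {repo_path}")
    return out


def parse_modsec(line: str) -> Optional[Dict[str, Any]]:
    """Parse one ModSecurity 2.x error_log entry: action, status code, [key "value"] fields."""
    m = MODSEC_RE.match(line)
    if not m:
        return None
    rec: Dict[str, Any] = {
        'timestamp': m.group('ts'), 'client': m.group('client'),
        'denied': m.group('action').startswith('Access denied'),
        'code': int(m.group('code')) if m.group('code') else None,
    }
    rec.update(FIELD_RE.findall(line))
    return rec


def denied_rules(lines: List[str]) -> List[Dict[str, Any]]:
    """Keep only entries that rejected a request.  'Warning.' entries are rule
    matches without a disruptive action and did not produce the 400."""
    recs = (parse_modsec(ln) for ln in lines)
    return [{'id': r['id'], 'code': r['code'], 'uri': r['uri'], 'msg': r['msg']}
            for r in recs if r and r['denied']]


def exemption_snippet(denied: List[Dict[str, Any]], location: str) -> str:
    """Scope the exemption to the Subversion Location rather than disabling the
    rules server-wide; WebDAV methods are expected only under that path."""
    ids = sorted({d['id'] for d in denied})
    return f"<Location {location}>\n    SecRuleRemoveById {' '.join(ids)}\n</Location>"


if __name__ == '__main__':
    for line in avc_advice(parse_avc(AVC_LINE), '/fapp1/svn'):
        print(line)
    denied = denied_rules(MODSEC_LINES)
    for d in denied:
        print(f"rule {d['id']} returned {d['code']} for {d['uri']}: {d['msg']}")
    print(exemption_snippet(denied, '/svn'))
```

Run as-is it reports the default_t denial at the root of the /fapp1 filesystem with the two relabel commands, then shows that only rule 960911 (the request-line check, which fires on the `!svn/vcc/default` URI) produced the 400 while 960015 and 960032 merely logged warnings; the generated exemption lists just that rule and only inside the Subversion Location, so the rest of the server keeps the method and request-line checks.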