Re: [F8] SELinux, Apache and Subversion problem.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Daniel B. Thurman wrote:
> Daniel J Walsh wrote:
> Daniel B. Thurman wrote:
>>>> It seems that I am having a bit of a problem with SElinux,
>>>> Apache, and Subversion in the way that I have my subversion
>>>> respository located not in the "recommended" place.
>>>>
>>>> Instead of putting the repository in the recommended place:
>>>> /var/www/svn for example, docs says you can put the repository
>>>> elsewhere by adding SVNParentPath=/my/place/svn entry into the
>>>> /etc/httpd/conf.d/subversion.conf file, but SELinux does not
>>>> like it. I did changed the svn repository directory/files with
>>>> context httpd_sys_context_t and with ownership of apache.apache.
>>>> I also created a link such as /var/www/svn -> /my/svn setting
>>>> SVNParentPath=/var/www/svn - it does not work as well.
>>>>
>>>> I have tested to see if SELinux is blocking access by setting
>>>>  setenforce 0, then opened up the firefox browser, entered
>>>> my user name and password and it worked, but setting setenforce 1
>>>> back, breaks it again.
>>>>
>>>> Does anyone know how to do it - beside recommending that I
>>>> place the svn repository directly into /var/www/svn?
>>>>
>>>> Thanks-
>>>> Dan
>>>>
> What avc messages are you seeing?  /var/log/audit/audit.log

> I left intact the above and did not snip it because for some
> reason, Daniel Walsh has encapsulated it with PGP?  Dunno,
> beats me.

You need to fix the context on the entire path.

/my/place/svn

# semanage fcontext -a -t httpd_sys_content_t '/my(/.*)?'
# restorecon -R -v /my


> The following has to do with problems encountered while setting
> up Apache and SubVersion.

> 1) If I do not install my SVN Repository to the recommened
>    place of /var/www/ directory, SELinux blocks access.
>    It does not matter if I have set the proper context
>    (httpd_sys_content_t), and directory/file ownerships
>    (apache.apache)  SElinux does not complain if the repository
>    is in /var/www.  The SELinux error logs are provided for
>    further examination by those who cares.

> 2) When I have properly configured my
>    /etc/httpd/conf.d/subversion.conf file for access levels and
>    permissions, I can go to my favorite browser, type in:
>    http://localhost/svn (or whatever you set Location to). and it
>    will prompt me for username and password, and will let me
>    browse the SVN tree.

>    My problem comes in when I do NOT use my browser, but
>    instead use the command line, or try to access the SVN
>    repository remotely or via Eclipse. None of these attempts
>    work. For me, it *always* results in a ModSecurity error.

>    I can however access my repository via file:/// access, I
>    just cannot do with with http://  I have tested with setenforce
>    and SELinux has nothing to do with this case as there is no
>    audit log reports either way.


> + svn list file:///var/www/svn/projects  [SUCCESSFUL]
> =====================================================
> branches/
> tags/
> trunk/

> + svn list file:///fapp1/svn/projects [SUCCESSFUL]
> ==================================================
> branches/
> tags/
> trunk/

> + svn list http://127.0.0.1/svn/projects [FAILURE]
> Note: you can use localhost or your FQDN - it still fails.
> ==========================================================
> svn: PROPFIND request failed on '/svn/projects/!svn/vcc/default'
> svn: PROPFIND of '/svn/projects/!svn/vcc/default': 400 Bad
>      Request (http://127.0.0.1)

> %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
> NOTE: The following SELinux data appears ONLY if SVN respository
>       is NOT in /var/www/svn directory, in my case above: /fapp1/svn
> %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
> /var/log/audit/audit.log:
> =========================
> type=AVC msg=audit(1201975689.832:2302): avc:  denied  { search } for
> pid=22110 comm="httpd" name="/" dev=sdc1 ino=2 scontext=unconfined_u:
> system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir
> type=SYSCALL msg=audit(1201975689.832:2302): arch=40000003 syscall=5
> success=no exit=-13 a0=ba4ab678 a1=8000 a2=1b6 a3=8000 items=0 ppid=22104
> pid=22110 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48
> fsgid=48 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:
> system_r:httpd_t:s0 key=(null)

> sealert:
> Summary
>     SELinux is preventing access to files with the default label, default_t.

> Detailed Description
>     SELinux permission checks on files labeled default_t are being denied.
>     These files/directories have the default label on them.  This can indicate
>     a labeling problem, especially if the files being referred to  are not top
>     level directories. Any files/directories under standard system directories,
>     /usr, /var. /dev, /tmp, ..., should not be labeled with the default label.
>     The default label is for files/directories which do not have a label on a
>     parent directory. So if you create a new directory in / you might
>     legitimately get this label.

> Allowing Access
>     If you want a confined domain to use these files you will probably need to
>     relabel the file/directory with chcon. In some cases it is just easier to
>     relabel the system, to relabel execute: "touch /.autorelabel; reboot"

> Additional Information        

> Source Context                unconfined_u:system_r:httpd_t:s0
> Target Context                system_u:object_r:default_t:s0
> Target Objects                None [ dir ]
> Affected RPM Packages         httpd-2.2.6-3 [application]
> Policy RPM                    selinux-policy-3.0.8-81.fc8
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   plugins.default
> Host Name                     xxxxx.cdkkt.com
> Platform                      Linux xxxxx.cdkkt.com 2.6.23.14-107.fc8 #1 SMP Mon
>                               Jan 14 21:37:30 EST 2008 i686 i686
> Alert Count                   5
> First Seen                    Fri 01 Feb 2008 02:03:45 PM PST
> Last Seen                     Sat 02 Feb 2008 10:10:33 AM PST
> Local ID                      8cb35e21-1c2c-45cf-ac9d-18152da60a1b
> Line Numbers                  

> Raw Audit Messages            

> avc: denied { search } for comm=httpd dev=sdc1 egid=48 euid=48
> exe=/usr/sbin/httpd exit=-13 fsgid=48 fsuid=48 gid=48 items=0 
>     name=/ pid=22109
> scontext=unconfined_u:system_r:httpd_t:s0 sgid=48
> subj=unconfined_u:system_r:httpd_t:s0 suid=48 tclass=dir
> tcontext=system_u:object_r:default_t:s0 tty=(none) uid=48
> %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

> /var/log/httpd/access_log:
> =========================
> 10.1.0.143 - - [02/Feb/2008:09:52:42 -0800] "PROPFIND /svn/projects
>    HTTP/1.1" 207 655 "-" "SVN/1.4.4 (r25188) neon/0.27.2"
> 10.1.0.143 - - [02/Feb/2008:09:52:43 -0800] "PROPFIND /svn/projects/
>    !svn/vcc/default HTTP/1.1" 400 306 "-" "SVN/1.4.4 (r25188) neon/0.27.2"


> /var/log/httpd/error_log:
> =========================
> [Sat Feb 02 09:52:42 2008] [error] [client 10.1.0.143] ModSecurity:
>    Warning. Match of "rx ^OPTIONS$" against "REQUEST_METHOD" required.
>    [id "960015"] [msg "Request Missing an Accept Header"] [severity
>    "CRITICAL"] [hostname "xxxxx.cdkkt.com"] [uri "/svn/projects"]
>    [unique_id "jsS@1goBAI8AAFWPHK8AAAAA"]
> [Sat Feb 02 09:52:42 2008] [error] [client 10.1.0.143] ModSecurity:
>    Warning. Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against
>    "REQUEST_METHOD" required. [id "960032"] [msg "Method is not
>    allowed by policy"] [severity "CRITICAL"] [hostname "xxxxx.cdkkt.com"]
>    [uri "/svn/projects"] [unique_id
>    "jsS@1goBAI8AAFWPHK8AAAAA"]
> [Sat Feb 02 09:52:43 2008] [error] [client 10.1.0.143] ModSecurity: Access
>    allowed (phase 4). Pattern match "^(PROPFIND|PROPPATCH)$" at REQUEST_METHOD.
>    [hostname "xxxxx.cdkkt.com"] [uri "/svn/projects"] [unique_id
>    "jsS@1goBAI8AAFWPHK8AAAAA"]
> [Sat Feb 02 09:52:43 2008] [error] [client 10.1.0.143] ModSecurity:
>    Access denied with code 400 (phase 2). Match of "rx ^[a-z]{3,10}\\\\
>    s*(?:\\\\w{3,7}?\\\\:\\\\/\\\\/[\\\\w\\\\-\\\\.\\\\/]*)??\\\\/[\\\\w
>    \\\\-\\\\.\\\\/~%:@&=+$,;]*(?:\\\\?[\\\\S]*)??\\\\s*http\\\\/\\\\d\\\
>    \.\\\\d$" against "REQUEST_LINE" required. [id "960911"] [msg "Invalid
>    HTTP Request Line"] [severity "CRITICAL"] [hostname "xxxxx.cdkkt.com"]
>    [uri "/svn/projects/!svn/vcc/default"] [unique_id "jsfGswoBAI8AAFWRHLgAAAAC"]


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkenNGYACgkQrlYvE4MpobOROgCdEwBsId1GO4pkV6tEpsRr3Iib
fn4AniFEf4NVpAIsKiM5BORQAUVokO6e
=W+Zw
-----END PGP SIGNATURE-----


[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux