On Mon, 2008-02-04 at 07:51 -0800, Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Daniel B. Thurman wrote:
> > Daniel J Walsh wrote:
> > > Daniel B. Thurman wrote:
> >>>> It seems that I am having a bit of a problem with SELinux,
> >>>> Apache, and Subversion in the way that I have my subversion
> >>>> repository located not in the "recommended" place.
> >>>>
> >>>> Instead of putting the repository in the recommended place,
> >>>> /var/www/svn for example, docs say you can put the repository
> >>>> elsewhere by adding an SVNParentPath=/my/place/svn entry into the
> >>>> /etc/httpd/conf.d/subversion.conf file, but SELinux does not
> >>>> like it. I did change the svn repository directory/files to
> >>>> context httpd_sys_content_t and with ownership of apache.apache.
> >>>> I also created a link such as /var/www/svn -> /my/svn, setting
> >>>> SVNParentPath=/var/www/svn - it does not work as well.
> >>>>
> >>>> I have tested to see if SELinux is blocking access by setting
> >>>> setenforce 0, then opened up the firefox browser, entered
> >>>> my user name and password and it worked, but setting setenforce 1
> >>>> back breaks it again.
> >>>>
> >>>> Does anyone know how to do it - besides recommending that I
> >>>> place the svn repository directly into /var/www/svn?
> >>>>
> >>>> Thanks-
> >>>> Dan
> >>>>
> > > What avc messages are you seeing? /var/log/audit/audit.log
> >
> > I left intact the above and did not snip it because for some
> > reason, Daniel Walsh has encapsulated it with PGP? Dunno,
> > beats me.
>
> You need to fix the context on the entire path.
>
> /my/place/svn
>
> # semanage fcontext -a -t httpd_sys_content_t '/my(/.*)?'
> # restorecon -R -v /my
>

Thanks Dan! This will resolve the SELinux issues when your svn
repository is not in the /var/www location!

As for the rest of the problems encountered with Apache and
Mod_Security, I have found a link explaining how to configure
Mod_Security, Trac, and SVN on F8:
http://fedora-on-dell-laptop.rationalplanet.com/index.php/topic,28.0/prev_next,prev.html#new

Cheers!
Dan

> > The following has to do with problems encountered while setting
> > up Apache and SubVersion.
> >
> > 1) If I do not install my SVN Repository to the recommended
> > place of /var/www/ directory, SELinux blocks access.
> > It does not matter if I have set the proper context
> > (httpd_sys_content_t) and directory/file ownerships
> > (apache.apache). SELinux does not complain if the repository
> > is in /var/www. The SELinux error logs are provided for
> > further examination by those who care.
> >
> > 2) When I have properly configured my
> > /etc/httpd/conf.d/subversion.conf file for access levels and
> > permissions, I can go to my favorite browser, type in
> > http://localhost/svn (or whatever you set Location to), and it
> > will prompt me for username and password and will let me
> > browse the SVN tree.
> >
> > My problem comes in when I do NOT use my browser, but
> > instead use the command line, or try to access the SVN
> > repository remotely or via Eclipse. None of these attempts
> > work. For me, it *always* results in a ModSecurity error.
> >
> > I can however access my repository via file:/// access, I
> > just cannot do it with http://. I have tested with setenforce
> > and SELinux has nothing to do with this case as there is no
> > audit log report either way.
> >
> > + svn list file:///var/www/svn/projects [SUCCESSFUL]
> > =====================================================
> > branches/
> > tags/
> > trunk/
> >
> > + svn list file:///fapp1/svn/projects [SUCCESSFUL]
> > ==================================================
> > branches/
> > tags/
> > trunk/
> >
> > + svn list http://127.0.0.1/svn/projects [FAILURE]
> > Note: you can use localhost or your FQDN - it still fails.
> > ==========================================================
> > svn: PROPFIND request failed on '/svn/projects/!svn/vcc/default'
> > svn: PROPFIND of '/svn/projects/!svn/vcc/default': 400 Bad Request (http://127.0.0.1)
> >
> > %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
> > NOTE: The following SELinux data appears ONLY if SVN repository
> > is NOT in /var/www/svn directory, in my case above: /fapp1/svn
> > %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
> > /var/log/audit/audit.log:
> > =========================
> > type=AVC msg=audit(1201975689.832:2302): avc: denied { search } for pid=22110 comm="httpd" name="/" dev=sdc1 ino=2 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir
> > type=SYSCALL msg=audit(1201975689.832:2302): arch=40000003 syscall=5 success=no exit=-13 a0=ba4ab678 a1=8000 a2=1b6 a3=8000 items=0 ppid=22104 pid=22110 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
> >
> > sealert:
> > Summary
> > SELinux is preventing access to files with the default label, default_t.
> >
> > Detailed Description
> > SELinux permission checks on files labeled default_t are being denied.
> > These files/directories have the default label on them. This can indicate
> > a labeling problem, especially if the files being referred to are not top
> > level directories. Any files/directories under standard system directories,
> > /usr, /var, /dev, /tmp, ..., should not be labeled with the default label.
> > The default label is for files/directories which do not have a label on a
> > parent directory. So if you create a new directory in / you might
> > legitimately get this label.
> >
> > Allowing Access
> > If you want a confined domain to use these files you will probably need to
> > relabel the file/directory with chcon. In some cases it is just easier to
> > relabel the system, to relabel execute: "touch /.autorelabel; reboot"
> >
> > Additional Information
> >
> > Source Context           unconfined_u:system_r:httpd_t:s0
> > Target Context           system_u:object_r:default_t:s0
> > Target Objects           None [ dir ]
> > Affected RPM Packages    httpd-2.2.6-3 [application]
> > Policy RPM               selinux-policy-3.0.8-81.fc8
> > Selinux Enabled          True
> > Policy Type              targeted
> > MLS Enabled              True
> > Enforcing Mode           Enforcing
> > Plugin Name              plugins.default
> > Host Name                xxxxx.cdkkt.com
> > Platform                 Linux xxxxx.cdkkt.com 2.6.23.14-107.fc8 #1 SMP Mon Jan 14 21:37:30 EST 2008 i686 i686
> > Alert Count              5
> > First Seen               Fri 01 Feb 2008 02:03:45 PM PST
> > Last Seen                Sat 02 Feb 2008 10:10:33 AM PST
> > Local ID                 8cb35e21-1c2c-45cf-ac9d-18152da60a1b
> > Line Numbers
> >
> > Raw Audit Messages
> >
> > avc: denied { search } for comm=httpd dev=sdc1 egid=48 euid=48 exe=/usr/sbin/httpd exit=-13 fsgid=48 fsuid=48 gid=48 items=0 name=/ pid=22109 scontext=unconfined_u:system_r:httpd_t:s0 sgid=48 subj=unconfined_u:system_r:httpd_t:s0 suid=48 tclass=dir tcontext=system_u:object_r:default_t:s0 tty=(none) uid=48
> > %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
> >
> > /var/log/httpd/access_log:
> > =========================
> > 10.1.0.143 - - [02/Feb/2008:09:52:42 -0800] "PROPFIND /svn/projects HTTP/1.1" 207 655 "-" "SVN/1.4.4 (r25188) neon/0.27.2"
> > 10.1.0.143 - - [02/Feb/2008:09:52:43 -0800] "PROPFIND /svn/projects/!svn/vcc/default HTTP/1.1" 400 306 "-" "SVN/1.4.4 (r25188) neon/0.27.2"
> >
> > /var/log/httpd/error_log:
> > =========================
> > [Sat Feb 02 09:52:42 2008] [error] [client 10.1.0.143] ModSecurity: Warning. Match of "rx ^OPTIONS$" against "REQUEST_METHOD" required. [id "960015"] [msg "Request Missing an Accept Header"] [severity "CRITICAL"] [hostname "xxxxx.cdkkt.com"] [uri "/svn/projects"] [unique_id "jsS@1goBAI8AAFWPHK8AAAAA"]
> > [Sat Feb 02 09:52:42 2008] [error] [client 10.1.0.143] ModSecurity: Warning. Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [hostname "xxxxx.cdkkt.com"] [uri "/svn/projects"] [unique_id "jsS@1goBAI8AAFWPHK8AAAAA"]
> > [Sat Feb 02 09:52:43 2008] [error] [client 10.1.0.143] ModSecurity: Access allowed (phase 4). Pattern match "^(PROPFIND|PROPPATCH)$" at REQUEST_METHOD. [hostname "xxxxx.cdkkt.com"] [uri "/svn/projects"] [unique_id "jsS@1goBAI8AAFWPHK8AAAAA"]
> > [Sat Feb 02 09:52:43 2008] [error] [client 10.1.0.143] ModSecurity: Access denied with code 400 (phase 2). Match of "rx ^[a-z]{3,10}\\\\s*(?:\\\\w{3,7}?\\\\:\\\\/\\\\/[\\\\w\\\\-\\\\.\\\\/]*)??\\\\/[\\\\w\\\\-\\\\.\\\\/~%:@&=+$,;]*(?:\\\\?[\\\\S]*)??\\\\s*http\\\\/\\\\d\\\\.\\\\d$" against "REQUEST_LINE" required. [id "960911"] [msg "Invalid HTTP Request Line"] [severity "CRITICAL"] [hostname "xxxxx.cdkkt.com"] [uri "/svn/projects/!svn/vcc/default"] [unique_id "jsfGswoBAI8AAFWRHLgAAAAC"]
> >
> --
> fedora-list mailing list
> fedora-list@xxxxxxxxxx
> To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
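The thread shows two separate failures that are easy to conflate: an SELinux AVC (httpd_t searching a default_t directory, because the repository lives on a mount point that was never given a file context) and, once that is fixed, ModSecurity core rules firing on WebDAV traffic (the 400 comes from rule 960911, whose request-line pattern has no `!` in its character class, so mod_dav_svn's `/!svn/vcc/default` URI can never match). The script below is an added example, not code from the thread or from any of the tools named in it: it parses constructed copies of the audit.log and error_log lines quoted above, turns the AVC into the semanage/restorecon pair Dan Walsh gave (the `repo_root` argument and the `/fapp1` mount are taken from the thread; the 960911 regex in the sample is abbreviated), and builds a per-Location `SecRuleRemoveById` exclusion scoped to the svn tree rather than disabling the engine site-wide. One caveat the thread does not mention: `httpd_sys_content_t` is read-only content for httpd, so browsing works but commits over http need the writable type; on current policy that is `httpd_sys_rw_content_t`, and since the 3.0.8 policy in the thread may name it differently, check `semanage fcontext -l | grep '/var/www/svn'` for the type your policy uses.

```python
"""Triage helper for the two failures in this thread: SELinux AVC denials
against httpd in audit.log and ModSecurity rule hits in httpd's error_log.
Added example, not from the thread.  Sample lines are constructed from the
ones quoted in the thread (the 960911 regex is abbreviated)."""
import re

# Constructed sample: the AVC + SYSCALL pair quoted in the thread.
AUDIT_LOG = [
    'type=AVC msg=audit(1201975689.832:2302): avc: denied { search } for '
    'pid=22110 comm="httpd" name="/" dev=sdc1 ino=2 '
    'scontext=unconfined_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:default_t:s0 tclass=dir',
    'type=SYSCALL msg=audit(1201975689.832:2302): arch=40000003 syscall=5 '
    'success=no exit=-13 pid=22110 uid=48 comm="httpd" exe="/usr/sbin/httpd"',
]

# Constructed sample: the four ModSecurity lines quoted in the thread.
ERROR_LOG = [
    '[Sat Feb 02 09:52:42 2008] [error] [client 10.1.0.143] ModSecurity: '
    'Warning. Match of "rx ^OPTIONS$" against "REQUEST_METHOD" required. '
    '[id "960015"] [msg "Request Missing an Accept Header"] '
    '[severity "CRITICAL"] [hostname "xxxxx.cdkkt.com"] [uri "/svn/projects"]',
    '[Sat Feb 02 09:52:42 2008] [error] [client 10.1.0.143] ModSecurity: '
    'Warning. Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against '
    '"REQUEST_METHOD" required. [id "960032"] '
    '[msg "Method is not allowed by policy"] [severity "CRITICAL"] '
    '[hostname "xxxxx.cdkkt.com"] [uri "/svn/projects"]',
    '[Sat Feb 02 09:52:43 2008] [error] [client 10.1.0.143] ModSecurity: '
    'Access allowed (phase 4). Pattern match "^(PROPFIND|PROPPATCH)$" at '
    'REQUEST_METHOD. [hostname "xxxxx.cdkkt.com"] [uri "/svn/projects"]',
    '[Sat Feb 02 09:52:43 2008] [error] [client 10.1.0.143] ModSecurity: '
    'Access denied with code 400 (phase 2). Match of "rx ^[a-z]{3,10}..." '
    'against "REQUEST_LINE" required. [id "960911"] '
    '[msg "Invalid HTTP Request Line"] [severity "CRITICAL"] '
    '[hostname "xxxxx.cdkkt.com"] [uri "/svn/projects/!svn/vcc/default"]',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="value"
MODSEC_RE = re.compile(
    r'ModSecurity: (?P<action>Access denied with code (?P<code>\d+)|Warning)\b'
    r'.*?\[id "(?P<id>\d+)"\].*?\[msg "(?P<msg>[^"]*)"\].*?\[uri "(?P<uri>[^"]*)"\]')


def parse_avc(line):
    """Fields of one AVC denial, or None for lines that are not AVC records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return {
        'perms': m.group('perms').split(),
        'comm': kv.get('comm'), 'name': kv.get('name'), 'tclass': kv.get('tclass'),
        # contexts are user:role:type:level; the type decides the policy rule
        'stype': kv['scontext'].split(':')[2],
        'ttype': kv['tcontext'].split(':')[2],
    }


def selinux_fix(lines, repo_root):
    """Labelling commands for httpd_t denials on default_t objects.

    default_t means the path never received a file context.  repo_root is the
    top of the unlabelled tree; in the thread that is the mount point /fapp1
    (hence name="/" on dev=sdc1).  httpd_sys_content_t is read-only for httpd:
    fine for browsing, not for commits over http (see the lead-in)."""
    cmds = []
    for rec in filter(None, map(parse_avc, lines)):
        if rec['stype'] == 'httpd_t' and rec['ttype'] == 'default_t':
            cmds.append(f"semanage fcontext -a -t httpd_sys_content_t '{repo_root}(/.*)?'")
            cmds.append(f"restorecon -R -v {repo_root}")
    return list(dict.fromkeys(cmds))   # de-duplicate, keep semanage before restorecon


def parse_modsec(lines):
    """One dict per rule hit that carries a rule id (warnings and denials)."""
    hits = []
    for line in lines:
        m = MODSEC_RE.search(line)
        if m:
            code = m.group('code')
            hits.append({'id': m.group('id'), 'msg': m.group('msg'), 'uri': m.group('uri'),
                         'denied': code is not None, 'code': int(code) if code else None})
    return hits


def modsec_exceptions(lines, location, include_warnings=True):
    """Per-Location exclusion of the rules that fired under `location`.

    SecRuleRemoveById is the ModSecurity 2.x directive for dropping rules in
    a scope; keeping it inside <Location> leaves the rest of the site covered.
    include_warnings=False exempts only the rules that actually denied."""
    ids = sorted({h['id'] for h in parse_modsec(lines)
                  if h['uri'].startswith(location) and (h['denied'] or include_warnings)})
    if not ids:
        return ''
    return f'<Location {location}>\n    SecRuleRemoveById {" ".join(ids)}\n</Location>'


def triage(audit_lines, error_lines, repo_root, location):
    return {'selinux': selinux_fix(audit_lines, repo_root),
            'modsecurity': modsec_exceptions(error_lines, location)}


if __name__ == '__main__':
    for section, result in triage(AUDIT_LOG, ERROR_LOG, '/fapp1', '/svn').items():
        print(f'== {section} ==')
        print(result if isinstance(result, str) else '\n'.join(result))
```

Run against real logs, feed `ausearch -m AVC -c httpd` output into `selinux_fix` and `grep ModSecurity /var/log/httpd/error_log` into `modsec_exceptions`; after applying the labelling, confirm with `ls -dZ /fapp1 /fapp1/svn` that nothing on the path is still `default_t`, and re-run `svn list http://127.0.0.1/svn/projects` with `setenforce 1` in place rather than testing in permissive mode.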