Posted to users@subversion.apache.org by Jason Hunt <xf...@gmail.com> on 2005/03/09 05:59:34 UTC
SELinux (FC3), Subversion, & Apache - Newbie question
Hello All,
I am having troubles with getting subversion to run appropriately
over WebDAV via Apache. Below are the steps I took to replicate the
problem.
I installed FC3, apache2, subversion (1.1.2), and mod_dav_svn.
While logged in as root I performed the following:
1) issue the 'mkdir /home/svnroot'
2) issue the 'mkdir /home/svnroot/conf'
3) issue the svnadmin create '/home/svnroot/test' command.
4) issue the 'svn import /home/username/projectname
file:///home/svnroot/test -m "initial import"' command
5) edit the httpd.conf file as follows:
    LoadModule dav_module modules/mod_dav.so
    LoadModule dav_svn_module modules/mod_dav_svn.so

    <VirtualHost *:80>
        ServerAdmin me@email.com
        ErrorLog logs/server-error_log
        CustomLog logs/server-access_log common

        <Location /svn>
            DAV svn
            SVNParentPath /home/svnhome

            AuthType Basic
            AuthName "Subversion repositories"
            AuthUserFile /home/svnhome/conf/svnpasswd
            Require valid-user
        </Location>
    </VirtualHost>
6) create the svnpasswd file 'htpasswd -cm
/home/svnroot/conf/svnpasswd username' then enter their password.
7) issue the 'chcon -R -h -t httpd_user_content_t /home/svnroot' command.
8) restart apache ('service httpd restart')
All of this works fine.
When I try and access the repository using IE
(http://192.168.0.199/svn) on my Windows workstation, I receive the
prompt to enter my credentials and the following error finds its way
into the logs:
avc: denied { read } for pid=12536 exe=/usr/sbin/httpd name=home
dev=dm-0 ino=23 scontext=root:system_r:httpd_t
tcontext=root:object_r:root_t tclass=lnk_file
I know that I have seen this error in the mailing list, but I am too
newbie to understand what the error is telling me I need to do to
correct this problem. I am having the feeling that the access is being
stopped at the /home directory and not even getting to the
/home/svnroot directory, but I am not certain how to fix the problem
effectively. Any help to correct this would be appreciated.
Jason Hunt
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Re: SELinux (FC3), Subversion, & Apache - Newbie question
Posted by Martin Tomes <li...@tomes.org>.
Jason Hunt wrote:
> Hello All,
> I am having troubles with getting subversion to run appropriately
> over WebDAV via Apache. Below are the steps I took to replicate the
> problem.
> avc: denied { read } for pid=12536 exe=/usr/sbin/httpd name=home
> dev=dm-0 ino=23 scontext=root:system_r:httpd_t
> tcontext=root:object_r:root_t tclass=lnk_file
Take a look in /etc/selinux/config and if SELINUX=Permissive then you
are not in enforcing mode and can ignore the message. Permissive means
selinux is installed and running but being ignored. It will also add a
log message whenever it would have denied something.
If SELINUX=Enforcing then the selinux access rules will be enforced by
the system and you need to do something about this.
This is a big subject! If you really wish to understand this and
military security level is required then you will have to buy this book:
http://tinyurl.com/5tznw
There is some information on the Fedora site about Fedora and selinux.
My guess from the message is that /home is a link and httpd which is in
the context root:system_r:httpd_t is not permitted to read the link
which is labelled as root:object_r:root_t. If you were to relabel the
/home link to be httpd_user_content_t it might work - but my guess is
that you would then break other things.
Try moving the repository to a path which doesn't have a symlink in it -
i.e., look at what /home is pointing to and use that path in your
httpd.conf. If that's no good try creating a repo in the root file
system and labelling it using the chcon command and see if you can
access that without errors.
--
Martin Tomes
echo 'martin at tomes x org x uk'\
| sed -e 's/ x /\./g' -e 's/ at /@/'
The Subversion Wiki is at http://www.subversionary.org/
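The check described in the reply above (decode the denial, then find which component of the repository path is a symlink), as an added example that is not part of the original thread. The function names avc_field and symlink_components are hypothetical, and the AVC line is the one quoted in the post, joined onto a single line.

```shell
#!/bin/sh
# Added example, not from the thread. The denial below is the one quoted
# in the post, joined onto one line.
AVC_LINE='avc: denied { read } for pid=12536 exe=/usr/sbin/httpd name=home dev=dm-0 ino=23 scontext=root:system_r:httpd_t tcontext=root:object_r:root_t tclass=lnk_file'

# avc_field LINE KEY
# Print the value of the KEY=value token in an AVC denial line.
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# symlink_components PATH
# Print "component -> target" for every component of PATH that is a
# symbolic link, checking the path as written from left to right.
symlink_components() {
    path=$1
    case $path in /*) cur='' ;; *) cur='.' ;; esac
    old_ifs=$IFS
    IFS=/
    set -f                      # no globbing while splitting on "/"
    for part in $path; do
        [ -n "$part" ] || continue
        cur="$cur/$part"
        if [ -L "$cur" ]; then
            printf '%s -> %s\n' "$cur" "$(readlink "$cur")"
        fi
    done
    set +f
    IFS=$old_ifs
}

# tclass=lnk_file means the denied object is a symlink, not the repository
# directory itself, so list the symlinks httpd has to traverse to reach it.
if [ "$(avc_field "$AVC_LINE" tclass)" = lnk_file ]; then
    echo "httpd ($(avc_field "$AVC_LINE" scontext)) was denied on symlink" \
         "'$(avc_field "$AVC_LINE" name)' labelled $(avc_field "$AVC_LINE" tcontext)"
    symlink_components /home/svnroot
fi
```

Any path it prints is a link httpd must be allowed to read; pointing SVNParentPath at the resolved target avoids the link entirely.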
Re: SELinux (FC3), Subversion, & Apache - Newbie question
Posted by kf...@collab.net.
Jason Hunt <xf...@gmail.com> writes:
> Hello All,
> I am having troubles with getting subversion to run appropriately
> over WebDAV via Apache. Below are the steps I took to replicate the
> problem.
Jason,
I saw the word "SELinux" and remembered that there are some items in
our FAQ (http://subversion.tigris.org/faq.html) about "selinux". Take
a look there.
-Karl
> I installed FC3, apache2, subversion (1.1.2), and mod_dav_svn.
>
> While logged in as root I performed the following:
> 1) issue the 'mkdir /home/svnroot'
> 2) issue the 'mkdir /home/svnroot/conf'
> 3) issue the svnadmin create '/home/svnroot/test' command.
> 4) issue the 'svn import /home/username/projectname
> file:///home/svnroot/test -m "initial import"' command
> 5) edit the httpd.conf file as follows:
>
> LoadModule dav_module modules/mod_dav.so
> LoadModule dav_svn_module modules/mod_dav_svn.so
>
> <VirtualHost *:80>
> ServerAdmin me@email.com
> ErrorLog logs/server-error_log
> CustomLog logs/server-access_log common
>
> <Location /svn>
> DAV svn
> SVNParentPath /home/svnhome
>
> AuthType Basic
> AuthName "Subversion repositories"
> AuthUserFile /home/svnhome/conf/svnpasswd
> Require valid-user
> </Location>
> </VirtualHost>
> 6) create the svnpasswd file 'htpasswd -cm
> /home/svnroot/conf/svnpasswd username' then enter their password.
> 7) issue the 'chcon -R -h -t httpd_user_content_t /home/svnroot' command.
> 8) restart apache ('service httpd restart')
>
> All of this works fine.
>
> When I try and access the repository using IE
> (http://192.168.0.199/svn) on my Windows workstation, I receive the
> prompt to enter my credentials and the following error finds its way
> into the logs:
>
> avc: denied { read } for pid=12536 exe=/usr/sbin/httpd name=home
> dev=dm-0 ino=23 scontext=root:system_r:httpd_t
> tcontext=root:object_r:root_t tclass=lnk_file
>
> I know that I have seen this error in the mailing list, but I am too
> newbie to understand what the error is telling me I need to do to
> correct this problem. I am having the feeling that the access is being
> stopped at the /home directory and not even getting to the
> /home/svnroot directory, but I am not certain how to fix the problem
> effectively. Any help to correct this would be appreciated.
>
> Jason Hunt
>