Posted to users@subversion.apache.org by Amos Hayes <ah...@polkaroo.net> on 2004/12/09 20:58:45 UTC
Subversion on SELinux
I thought I would share this info.

I installed subversion on a Fedora Core 3 system and got as far as
mod_dav_svn returning the "Could not open the requested SVN filesystem"
error.

I hunted all over for the cause of the "Could not open the requested
SVN filesystem" and it looked like a permission problem but the folders
were owned and writable by the apache user. In the end, it turned out
to be a result of SELinux applying a default policy to the folder that
prevented apache from reading those files.

The quick solution is to use the "chcon" command to change the security
context of the svnroot folder. I ran "chcon -R -t httpd_sys_content_t
svnroot/". This recursively modifies the security context to one which,
at least on Fedora Core 3, allows the apache 2 (RPM) to have access to
that folder.

So I'm not sure if this is book worthy or not, but certainly it would
seem to me that wherever there is a discussion of setting file
permissions, there should also be a brief mention of security context
for those running on an SELinux kernel.

P.S. The apache error log had the following lines per attempted access:

[Wed Dec 08 12:49:19 2004] [error] [client 134.117.194.200] (20014)Error string not specified yet: Can't open file '/home/svnroot/format': Permission denied
[Wed Dec 08 12:49:19 2004] [error] [client 134.117.194.200] Could not fetch resource information. [500, #0]
[Wed Dec 08 12:49:19 2004] [error] [client 134.117.194.200] Could not open the requested SVN filesystem [500, #13]
[Wed Dec 08 12:49:19 2004] [error] [client 134.117.194.200] Could not open the requested SVN filesystem [500, #13]

The system log (/var/log/messages) would have a corresponding entry
like this:

Dec 8 12:49:19 devel0 kernel: audit(1102528159.185:0): avc: denied { read } for pid=6319 exe=/usr/sbin/httpd name=format dev=dm-0 ino=721170 scontext=root:system_r:httpd_t tcontext=root:object_r:user_home_t tclass=file

--
Amos Hayes
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
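
Added example (not part of the original post or of Subversion's documentation): a small shell filter that groups "avc: denied" records like the one quoted above by source type, permission, target type and class, so a label mismatch such as httpd_t reading user_home_t files stands out from an ordinary file-permission problem. The function names and all sample lines except the first are constructed for illustration.

```shell
#!/bin/sh
# Summarise SELinux AVC denials read from stdin (syslog or audit.log text).
# Prints "count source_type perms target_type class", most frequent first.
avc_summary() {
    awk '
    /avc: *denied/ {
        st = "-"; tt = "-"; cls = "-"; perms = "-"
        # The denied permissions sit between braces: { read write }
        lb = index($0, "{"); rb = index($0, "}")
        if (lb > 0 && rb > lb) {
            perms = substr($0, lb + 1, rb - lb - 1)
            gsub(/^ +| +$/, "", perms)
            gsub(/ +/, ",", perms)
        }
        for (i = 1; i <= NF; i++) {
            eq = index($i, "=")
            if (eq == 0) continue
            key = substr($i, 1, eq - 1)
            val = substr($i, eq + 1)
            if (key == "tclass") cls = val
            # A context is user:role:type[:level]; policy decisions use the type.
            if (key == "scontext") { split(val, c, ":"); st = c[3] }
            if (key == "tcontext") { split(val, c, ":"); tt = c[3] }
        }
        seen[st " " perms " " tt " " cls]++
    }
    END { for (k in seen) print seen[k], k }
    ' | LC_ALL=C sort -rn
}

# Sample input. The first line is the denial quoted in the post (re-joined);
# the other three lines are constructed for this example.
sample_log() {
    cat <<'EOF'
Dec 8 12:49:19 devel0 kernel: audit(1102528159.185:0): avc: denied { read } for pid=6319 exe=/usr/sbin/httpd name=format dev=dm-0 ino=721170 scontext=root:system_r:httpd_t tcontext=root:object_r:user_home_t tclass=file
Dec 8 12:49:20 devel0 kernel: audit(1102528160.101:0): avc: denied { read } for pid=6320 exe=/usr/sbin/httpd name=format dev=dm-0 ino=721170 scontext=root:system_r:httpd_t tcontext=root:object_r:user_home_t tclass=file
Dec 8 12:49:21 devel0 kernel: audit(1102528161.300:0): avc: denied { getattr search } for pid=6320 exe=/usr/sbin/httpd name=db dev=dm-0 ino=721171 scontext=root:system_r:httpd_t tcontext=root:object_r:user_home_t tclass=dir
Dec 8 12:49:22 devel0 sshd[700]: session opened for user root
EOF
}

sample_log | avc_summary
```

On a live system the same function can be fed the real log, for example `avc_summary < /var/log/messages`.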
Re: Subversion on SELinux
Posted by Amos Hayes <ah...@polkaroo.net>.
Thanks Henrik. That's some great info and would have quickly helped me
solve the problem had I found it.

The only problem is that you have to know that permissions are the
problem before you find that. And if you've already followed the book
very carefully and re-read the relevant section several times, then you
don't think to ask the FAQ how to do it. You already know. ;)

If one were to look in the FAQ (as I did) for the error messages (such
as "Could not open the requested SVN filesystem") you don't find
anything. The closest match is "I'm getting errors finding or opening a
repository, but I know my repository URL is correct. What's wrong?".
That doesn't mention permissions (or link to the permission question).
It talks about wedged Berkeley DBs which isn't relevant to my FSFS
repository.

So, perhaps a pointer from the "I'm getting errors..." question would
be in order. Maybe the example of the "Could not open..." error could
be added to your patch somewhere so that a search would find your good
description. It could even be added as a new question on the list,
since I think that is the roadblock people are first likely to look up.

I think subversion is great and the docs are super. Just trying to help
out where I can. :)
--
Amos
On 9-Dec-04, at 8:07 PM, Henrik Vendelbo wrote:
> We just updated the FAQ on the site a couple of days ago describing
> this. I posted a patch with additional info recently.
Re: Subversion on SELinux
Posted by Henrik Vendelbo <hv...@bluprints.com>.
We just updated the FAQ on the site a couple of days ago describing this. I
posted a patch with additional info recently.