[F8] SELinux, Apache and Subversion problem.

Daniel B. Thurman dant at cdkkt.com
Sat Feb 2 23:25:53 UTC 2008

Daniel J Walsh wrote:
> Hash: SHA1
> Daniel B. Thurman wrote:
> > It seems that I am having a bit of a problem with SElinux,
> > Apache, and Subversion in the way that I have my subversion
> > respository located not in the "recommended" place.
> > 
> > Instead of putting the repository in the recommended place:
> > /var/www/svn for example, docs says you can put the repository
> > elsewhere by adding SVNParentPath=/my/place/svn entry into the
> > /etc/httpd/conf.d/subversion.conf file, but SELinux does not
> > like it. I did changed the svn repository directory/files with
> > context httpd_sys_context_t and with ownership of apache.apache.
> > I also created a link such as /var/www/svn -> /my/svn setting
> > SVNParentPath=/var/www/svn - it does not work as well.
> > 
> > I have tested to see if SELinux is blocking access by setting
> >  setenforce 0, then opened up the firefox browser, entered
> > my user name and password and it worked, but setting setenforce 1
> > back, breaks it again.
> > 
> > Does anyone know how to do it - beside recommending that I
> > place the svn repository directly into /var/www/svn?
> > 
> > Thanks-
> > Dan
> > 
> What avc messages are you seeing?  /var/log/audit/audit.log
> Version: GnuPG v1.4.8 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
> gkMAnRMk+V60i7RQkSANWpjYf3cmQhOX
> =qXQd

I left intact the above and did not snip it because for some
reason, Daniel Walsh has encapsulated it with PGP?  Dunno,
beats me.

The following has to do with problems encountered while setting
up Apache and SubVersion.

1) If I do not install my SVN Repository to the recommened
   place of /var/www/ directory, SELinux blocks access.
   It does not matter if I have set the proper context
   (httpd_sys_content_t), and directory/file ownerships
   (apache.apache)  SElinux does not complain if the repository
   is in /var/www.  The SELinux error logs are provided for
   further examination by those who cares.

2) When I have properly configured my
   /etc/httpd/conf.d/subversion.conf file for access levels and
   permissions, I can go to my favorite browser, type in:
   http://localhost/svn (or whatever you set Location to). and it
   will prompt me for username and password, and will let me
   browse the SVN tree.

   My problem comes in when I do NOT use my browser, but
   instead use the command line, or try to access the SVN
   repository remotely or via Eclipse. None of these attempts
   work. For me, it *always* results in a ModSecurity error.

   I can however access my repository via file:/// access, I
   just cannot do with with http://  I have tested with setenforce
   and SELinux has nothing to do with this case as there is no
   audit log reports either way.

+ svn list file:///var/www/svn/projects  [SUCCESSFUL]

+ svn list file:///fapp1/svn/projects [SUCCESSFUL]

+ svn list [FAILURE]
Note: you can use localhost or your FQDN - it still fails.
svn: PROPFIND request failed on '/svn/projects/!svn/vcc/default'
svn: PROPFIND of '/svn/projects/!svn/vcc/default': 400 Bad
     Request (

NOTE: The following SELinux data appears ONLY if SVN respository
      is NOT in /var/www/svn directory, in my case above: /fapp1/svn
type=AVC msg=audit(1201975689.832:2302): avc:  denied  { search } for
pid=22110 comm="httpd" name="/" dev=sdc1 ino=2 scontext=unconfined_u:
system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=SYSCALL msg=audit(1201975689.832:2302): arch=40000003 syscall=5
success=no exit=-13 a0=ba4ab678 a1=8000 a2=1b6 a3=8000 items=0 ppid=22104
pid=22110 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48
fsgid=48 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:
system_r:httpd_t:s0 key=(null)

    SELinux is preventing access to files with the default label, default_t.

Detailed Description
    SELinux permission checks on files labeled default_t are being denied.
    These files/directories have the default label on them.  This can indicate
    a labeling problem, especially if the files being referred to  are not top
    level directories. Any files/directories under standard system directories,
    /usr, /var. /dev, /tmp, ..., should not be labeled with the default label.
    The default label is for files/directories which do not have a label on a
    parent directory. So if you create a new directory in / you might
    legitimately get this label.

Allowing Access
    If you want a confined domain to use these files you will probably need to
    relabel the file/directory with chcon. In some cases it is just easier to
    relabel the system, to relabel execute: "touch /.autorelabel; reboot"

Additional Information        

Source Context                unconfined_u:system_r:httpd_t:s0
Target Context                system_u:object_r:default_t:s0
Target Objects                None [ dir ]
Affected RPM Packages         httpd-2.2.6-3 [application]
Policy RPM                    selinux-policy-3.0.8-81.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.default
Host Name                     xxxxx.cdkkt.com
Platform                      Linux xxxxx.cdkkt.com #1 SMP Mon
                              Jan 14 21:37:30 EST 2008 i686 i686
Alert Count                   5
First Seen                    Fri 01 Feb 2008 02:03:45 PM PST
Last Seen                     Sat 02 Feb 2008 10:10:33 AM PST
Local ID                      8cb35e21-1c2c-45cf-ac9d-18152da60a1b
Line Numbers                  

Raw Audit Messages            

avc: denied { search } for comm=httpd dev=sdc1 egid=48 euid=48
exe=/usr/sbin/httpd exit=-13 fsgid=48 fsuid=48 gid=48 items=0 
    name=/ pid=22109
scontext=unconfined_u:system_r:httpd_t:s0 sgid=48
subj=unconfined_u:system_r:httpd_t:s0 suid=48 tclass=dir
tcontext=system_u:object_r:default_t:s0 tty=(none) uid=48

========================= - - [02/Feb/2008:09:52:42 -0800] "PROPFIND /svn/projects
   HTTP/1.1" 207 655 "-" "SVN/1.4.4 (r25188) neon/0.27.2" - - [02/Feb/2008:09:52:43 -0800] "PROPFIND /svn/projects/
   !svn/vcc/default HTTP/1.1" 400 306 "-" "SVN/1.4.4 (r25188) neon/0.27.2"

[Sat Feb 02 09:52:42 2008] [error] [client] ModSecurity:
   Warning. Match of "rx ^OPTIONS$" against "REQUEST_METHOD" required.
   [id "960015"] [msg "Request Missing an Accept Header"] [severity
   "CRITICAL"] [hostname "xxxxx.cdkkt.com"] [uri "/svn/projects"]
   [unique_id "jsS at 1goBAI8AAFWPHK8AAAAA"]
[Sat Feb 02 09:52:42 2008] [error] [client] ModSecurity:
   Warning. Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against
   "REQUEST_METHOD" required. [id "960032"] [msg "Method is not
   allowed by policy"] [severity "CRITICAL"] [hostname "xxxxx.cdkkt.com"]
   [uri "/svn/projects"] [unique_id
   "jsS at 1goBAI8AAFWPHK8AAAAA"]
[Sat Feb 02 09:52:43 2008] [error] [client] ModSecurity: Access
   allowed (phase 4). Pattern match "^(PROPFIND|PROPPATCH)$" at REQUEST_METHOD.
   [hostname "xxxxx.cdkkt.com"] [uri "/svn/projects"] [unique_id
   "jsS at 1goBAI8AAFWPHK8AAAAA"]
[Sat Feb 02 09:52:43 2008] [error] [client] ModSecurity:
   Access denied with code 400 (phase 2). Match of "rx ^[a-z]{3,10}\\\\
   \.\\\\d$" against "REQUEST_LINE" required. [id "960911"] [msg "Invalid
   HTTP Request Line"] [severity "CRITICAL"] [hostname "xxxxx.cdkkt.com"]
   [uri "/svn/projects/!svn/vcc/default"] [unique_id "jsfGswoBAI8AAFWRHLgAAAAC"]

More information about the fedora-list mailing list