[F8] SELinux, Apache and Subversion problem.
Daniel J Walsh
dwalsh at redhat.com
Mon Feb 4 15:51:02 UTC 2008
Daniel B. Thurman wrote:
> Daniel J Walsh wrote:
> Daniel B. Thurman wrote:
>>>> It seems that I am having a bit of a problem with SElinux,
>>>> Apache, and Subversion in the way that I have my subversion
>>>> repository located not in the "recommended" place.
>>>>
>>>> Instead of putting the repository in the recommended place:
>>>> /var/www/svn for example, docs says you can put the repository
>>>> elsewhere by adding SVNParentPath=/my/place/svn entry into the
>>>> /etc/httpd/conf.d/subversion.conf file, but SELinux does not
>>>> like it. I did change the svn repository directory/files with
>>>> context httpd_sys_context_t and with ownership of apache.apache.
>>>> I also created a link such as /var/www/svn -> /my/svn setting
>>>> SVNParentPath=/var/www/svn - it does not work as well.
>>>>
>>>> I have tested to see if SELinux is blocking access by setting
>>>> setenforce 0, then opened up the firefox browser, entered
>>>> my user name and password and it worked, but setting setenforce 1
>>>> back, breaks it again.
>>>>
>>>> Does anyone know how to do it - beside recommending that I
>>>> place the svn repository directly into /var/www/svn?
>>>>
>>>> Thanks-
>>>> Dan
>>>>
> What avc messages are you seeing? /var/log/audit/audit.log
> I left intact the above and did not snip it because for some
> reason, Daniel Walsh has encapsulated it with PGP? Dunno,
> beats me.
You need to fix the context on the entire path, /my/place/svn:
# semanage fcontext -a -t httpd_sys_content_t '/my(/.*)?'
# restorecon -R -v /my
> The following has to do with problems encountered while setting
> up Apache and SubVersion.
> 1) If I do not install my SVN Repository to the recommended
> place of /var/www/ directory, SELinux blocks access.
> It does not matter if I have set the proper context
> (httpd_sys_content_t), and directory/file ownerships
> (apache.apache) SElinux does not complain if the repository
> is in /var/www. The SELinux error logs are provided for
> further examination by those who care.
> 2) When I have properly configured my
> /etc/httpd/conf.d/subversion.conf file for access levels and
> permissions, I can go to my favorite browser, type in:
> http://localhost/svn (or whatever you set Location to). and it
> will prompt me for username and password, and will let me
> browse the SVN tree.
> My problem comes in when I do NOT use my browser, but
> instead use the command line, or try to access the SVN
> repository remotely or via Eclipse. None of these attempts
> work. For me, it *always* results in a ModSecurity error.
> I can however access my repository via file:/// access, I
> just cannot do it with http:// I have tested with setenforce
> and SELinux has nothing to do with this case as there is no
> audit log reports either way.
> + svn list file:///var/www/svn/projects [SUCCESSFUL]
> =====================================================
> branches/
> tags/
> trunk/
> + svn list file:///fapp1/svn/projects [SUCCESSFUL]
> ==================================================
> branches/
> tags/
> trunk/
> + svn list http://127.0.0.1/svn/projects [FAILURE]
> Note: you can use localhost or your FQDN - it still fails.
> ==========================================================
> svn: PROPFIND request failed on '/svn/projects/!svn/vcc/default'
> svn: PROPFIND of '/svn/projects/!svn/vcc/default': 400 Bad
> Request (http://127.0.0.1)
> %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
> NOTE: The following SELinux data appears ONLY if SVN repository
> is NOT in /var/www/svn directory, in my case above: /fapp1/svn
> %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
> /var/log/audit/audit.log:
> =========================
> type=AVC msg=audit(1201975689.832:2302): avc: denied { search } for
> pid=22110 comm="httpd" name="/" dev=sdc1 ino=2 scontext=unconfined_u:
> system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir
> type=SYSCALL msg=audit(1201975689.832:2302): arch=40000003 syscall=5
> success=no exit=-13 a0=ba4ab678 a1=8000 a2=1b6 a3=8000 items=0 ppid=22104
> pid=22110 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48
> fsgid=48 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:
> system_r:httpd_t:s0 key=(null)
> sealert:
> Summary
> SELinux is preventing access to files with the default label, default_t.
> Detailed Description
> SELinux permission checks on files labeled default_t are being denied.
> These files/directories have the default label on them. This can indicate
> a labeling problem, especially if the files being referred to are not top
> level directories. Any files/directories under standard system directories,
> /usr, /var, /dev, /tmp, ..., should not be labeled with the default label.
> The default label is for files/directories which do not have a label on a
> parent directory. So if you create a new directory in / you might
> legitimately get this label.
> Allowing Access
> If you want a confined domain to use these files you will probably need to
> relabel the file/directory with chcon. In some cases it is just easier to
> relabel the system, to relabel execute: "touch /.autorelabel; reboot"
> Additional Information
> Source Context unconfined_u:system_r:httpd_t:s0
> Target Context system_u:object_r:default_t:s0
> Target Objects None [ dir ]
> Affected RPM Packages httpd-2.2.6-3 [application]
> Policy RPM selinux-policy-3.0.8-81.fc8
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Enforcing
> Plugin Name plugins.default
> Host Name xxxxx.cdkkt.com
> Platform Linux xxxxx.cdkkt.com 2.6.23.14-107.fc8 #1 SMP Mon
> Jan 14 21:37:30 EST 2008 i686 i686
> Alert Count 5
> First Seen Fri 01 Feb 2008 02:03:45 PM PST
> Last Seen Sat 02 Feb 2008 10:10:33 AM PST
> Local ID 8cb35e21-1c2c-45cf-ac9d-18152da60a1b
> Line Numbers
> Raw Audit Messages
> avc: denied { search } for comm=httpd dev=sdc1 egid=48 euid=48
> exe=/usr/sbin/httpd exit=-13 fsgid=48 fsuid=48 gid=48 items=0
> name=/ pid=22109
> scontext=unconfined_u:system_r:httpd_t:s0 sgid=48
> subj=unconfined_u:system_r:httpd_t:s0 suid=48 tclass=dir
> tcontext=system_u:object_r:default_t:s0 tty=(none) uid=48
> %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
> /var/log/httpd/access_log:
> =========================
> 10.1.0.143 - - [02/Feb/2008:09:52:42 -0800] "PROPFIND /svn/projects
> HTTP/1.1" 207 655 "-" "SVN/1.4.4 (r25188) neon/0.27.2"
> 10.1.0.143 - - [02/Feb/2008:09:52:43 -0800] "PROPFIND /svn/projects/
> !svn/vcc/default HTTP/1.1" 400 306 "-" "SVN/1.4.4 (r25188) neon/0.27.2"
> /var/log/httpd/error_log:
> =========================
> [Sat Feb 02 09:52:42 2008] [error] [client 10.1.0.143] ModSecurity:
> Warning. Match of "rx ^OPTIONS$" against "REQUEST_METHOD" required.
> [id "960015"] [msg "Request Missing an Accept Header"] [severity
> "CRITICAL"] [hostname "xxxxx.cdkkt.com"] [uri "/svn/projects"]
> [unique_id "jsS at 1goBAI8AAFWPHK8AAAAA"]
> [Sat Feb 02 09:52:42 2008] [error] [client 10.1.0.143] ModSecurity:
> Warning. Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against
> "REQUEST_METHOD" required. [id "960032"] [msg "Method is not
> allowed by policy"] [severity "CRITICAL"] [hostname "xxxxx.cdkkt.com"]
> [uri "/svn/projects"] [unique_id
> "jsS at 1goBAI8AAFWPHK8AAAAA"]
> [Sat Feb 02 09:52:43 2008] [error] [client 10.1.0.143] ModSecurity: Access
> allowed (phase 4). Pattern match "^(PROPFIND|PROPPATCH)$" at REQUEST_METHOD.
> [hostname "xxxxx.cdkkt.com"] [uri "/svn/projects"] [unique_id
> "jsS at 1goBAI8AAFWPHK8AAAAA"]
> [Sat Feb 02 09:52:43 2008] [error] [client 10.1.0.143] ModSecurity:
> Access denied with code 400 (phase 2). Match of "rx ^[a-z]{3,10}\\\\
> s*(?:\\\\w{3,7}?\\\\:\\\\/\\\\/[\\\\w\\\\-\\\\.\\\\/]*)??\\\\/[\\\\w
> \\\\-\\\\.\\\\/~%:@&=+$,;]*(?:\\\\?[\\\\S]*)??\\\\s*http\\\\/\\\\d\\\
> \.\\\\d$" against "REQUEST_LINE" required. [id "960911"] [msg "Invalid
> HTTP Request Line"] [severity "CRITICAL"] [hostname "xxxxx.cdkkt.com"]
> [uri "/svn/projects/!svn/vcc/default"] [unique_id "jsfGswoBAI8AAFWRHLgAAAAC"]
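The semanage/restorecon advice in the reply, as an added worked script (not code from the thread, Fedora or Red Hat). It adds one detail the AVC above makes visible: the denial is a `search` on name="/" of dev=sdc1, that is the root of the filesystem mounted at /fapp1, so the parent directories need a label httpd_t can search, not only the repository subtree. Instead of the broad '/my(/.*)?' pattern it labels the repository subtree plus any parent directory still at default_t, and it takes the type from what the loaded policy assigns to the recommended location (/var/www/svn) rather than hard-coding one. It assumes policycoreutils (semanage, restorecon, matchpathcon) and a coreutils stat that understands %C; the path /fapp1/svn is the one from the thread.

```shell
#!/bin/sh
# Added example, not from the thread, Fedora or Red Hat: relabel a Subversion
# repository outside /var/www so that httpd_t can reach it.
# Assumes policycoreutils (semanage, restorecon, matchpathcon) and
# coreutils stat with SELinux support (%C). Run as root:
#   sh relabel-svn.sh apply /fapp1/svn
set -eu

# semanage file-context patterns are anchored regexes; this one matches the
# directory and everything below it:  /fapp1/svn -> /fapp1/svn(/.*)?
fcontext_pattern() {
    printf '%s(/.*)?\n' "${1%/}"
}

# Pull the type field out of a context string:
#   system_u:object_r:httpd_sys_content_t:s0 -> httpd_sys_content_t
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Every prefix of an absolute path, shallowest first:
#   /fapp1/svn/projects -> /fapp1, /fapp1/svn, /fapp1/svn/projects
path_components() {
    (
        IFS=/
        set -f
        p=""
        for seg in $1; do
            [ -n "$seg" ] || continue
            p="$p/$seg"
            printf '%s\n' "$p"
        done
    )
}

relabel_for_httpd() {
    repo="$1"
    # Ask the loaded policy what the recommended location gets, instead of
    # hard-coding a type name that may differ between policy versions
    # (the thread runs selinux-policy-3.0.8-81.fc8).
    ctype=$(context_type "$(matchpathcon -n /var/www/svn)")
    pattern=$(fcontext_pattern "$repo")
    echo "labeling $pattern as $ctype"
    # -a fails if a rule for this pattern already exists; fall back to -m.
    semanage fcontext -a -t "$ctype" "$pattern" 2>/dev/null \
        || semanage fcontext -m -t "$ctype" "$pattern"

    # The AVC above is a 'search' denial on the root of the sdc1 filesystem,
    # i.e. the mount point: a parent still at default_t blocks httpd_t
    # before it ever reaches the repository. Label only the directory itself
    # (no (/.*)? suffix) so other data on that filesystem keeps its labels;
    # this is narrower than the '/my(/.*)?' pattern in the reply.
    for d in $(path_components "$(dirname "$repo")"); do
        if [ "$(context_type "$(stat -c %C "$d")")" = default_t ]; then
            echo "parent $d is default_t; labeling the directory only"
            semanage fcontext -a -t "$ctype" "$d" 2>/dev/null \
                || semanage fcontext -m -t "$ctype" "$d"
            restorecon -v "$d"
        fi
    done
    restorecon -R -v "$repo"

    # Verify: -V reports any file whose label still differs from the policy.
    matchpathcon -V "$repo"
    # After retrying the client, no new httpd denials should appear:
    #   ausearch -m avc -c httpd -ts recent
}

case "${1:-}" in
    apply) relabel_for_httpd "${2:?usage: $0 apply /path/to/svn}" ;;
esac
```

Taking the type from matchpathcon gives the relocated repository exactly the access the recommended location gets. Read-only browsing works with httpd_sys_content_t; whether commits over http need a read-write type depends on the policy version, which is why the script asks the policy rather than guessing a type name. Symlinks such as /var/www/svn -> /my/svn do not help, because the check is made against the label of the target, which is what the original poster observed.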
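The second problem in the quoted message (PROPFIND answered with 400 from the command line, Eclipse and remote clients) is not SELinux and is not answered in the reply: the error_log shows ModSecurity rules 960015, 960032 and 960911 firing on the svn client's requests, and the last one denies with code 400, which matches the access_log. Below is an added example configuration, not from the thread, Fedora, Red Hat or the ModSecurity project, that removes exactly those three rules for the Subversion location only. The Location path, SVNParentPath and the auth lines are assumptions that mirror a typical mod_dav_svn setup.

```apache
# /etc/httpd/conf.d/subversion.conf (excerpt; the layout is an assumption)
<Location /svn>
    DAV svn
    SVNParentPath /fapp1/svn
    AuthType Basic
    AuthName "Subversion repository"
    AuthUserFile /etc/httpd/conf/svn-auth-file
    Require valid-user

    # Scope the exemptions to this Location so the core rules stay active for
    # the rest of the server; do not set SecRuleEngine Off here.
    # 960015  "Request Missing an Accept Header": the SVN/neon client sends none.
    # 960032  "Method is not allowed by policy": only GET/POST/OPTIONS/HEAD
    #         pass, but mod_dav_svn needs PROPFIND, REPORT, MERGE and others.
    # 960911  "Invalid HTTP Request Line": the path character class in that
    #         rule has no '!', so '/svn/projects/!svn/vcc/default' is denied
    #         while the plain '/svn/projects' PROPFIND got through.
    SecRuleRemoveById 960015 960032 960911
</Location>
```

After the change run `apachectl configtest`, reload httpd and retry `svn list http://127.0.0.1/svn/projects`; then check error_log again, since a commit exercises more WebDAV methods (PROPPATCH, MKCOL, CHECKOUT and so on) than a listing and may trip further rules that should be removed by id in the same block.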