[F8] SELinux, Apache and Subversion problem. [SOLVED]
Daniel B. Thurman
dant at cdkkt.com
Wed Feb 6 19:03:22 UTC 2008
On Mon, 2008-02-04 at 07:51 -0800, Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Daniel B. Thurman wrote:
> > Daniel J Walsh wrote:
> > Daniel B. Thurman wrote:
> >>>> It seems that I am having a bit of a problem with SElinux,
> >>>> Apache, and Subversion in the way that I have my subversion
> >>>> repository located not in the "recommended" place.
> >>>>
> >>>> Instead of putting the repository in the recommended place:
> >>>> /var/www/svn for example, docs says you can put the repository
> >>>> elsewhere by adding SVNParentPath=/my/place/svn entry into the
> >>>> /etc/httpd/conf.d/subversion.conf file, but SELinux does not
> >>>> like it. I did change the svn repository directory/files with
> >>>> context httpd_sys_context_t and with ownership of apache.apache.
> >>>> I also created a link such as /var/www/svn -> /my/svn setting
> >>>> SVNParentPath=/var/www/svn - it does not work as well.
> >>>>
> >>>> I have tested to see if SELinux is blocking access by setting
> >>>> setenforce 0, then opened up the firefox browser, entered
> >>>> my user name and password and it worked, but setting setenforce 1
> >>>> back, breaks it again.
> >>>>
> >>>> Does anyone know how to do it - beside recommending that I
> >>>> place the svn repository directly into /var/www/svn?
> >>>>
> >>>> Thanks-
> >>>> Dan
> >>>>
> > What avc messages are you seeing? /var/log/audit/audit.log
>
> > I left intact the above and did not snip it because for some
> > reason, Daniel Walsh has encapsulated it with PGP? Dunno,
> > beats me.
>
> You need to fix the context on the entire path.
>
> /my/place/svn
>
> # semanage fcontext -a -t httpd_sys_content_t '/my(/.*)?'
> # restorecon -R -v /my
>
Thanks Dan! This will resolve the SELinux issues when your
svn repository is not in the /var/www location!
As for the rest of the problems encountered with Apache and
Mod_Security, I have found a link explaining how to configure
Mod_Security, Trac, and SVN on F8:
http://fedora-on-dell-laptop.rationalplanet.com/index.php/topic,28.0/prev_next,prev.html#new
Cheers!
Dan
>
> > The following has to do with problems encountered while setting
> > up Apache and SubVersion.
>
> > 1) If I do not install my SVN Repository to the recommended
> > place of /var/www/ directory, SELinux blocks access.
> > It does not matter if I have set the proper context
> > (httpd_sys_content_t), and directory/file ownerships
> > (apache.apache). SELinux does not complain if the repository
> > is in /var/www. The SELinux error logs are provided for
> > further examination by those who care.
>
> > 2) When I have properly configured my
> > /etc/httpd/conf.d/subversion.conf file for access levels and
> > permissions, I can go to my favorite browser, type in:
> > http://localhost/svn (or whatever you set Location to). and it
> > will prompt me for username and password, and will let me
> > browse the SVN tree.
>
> > My problem comes in when I do NOT use my browser, but
> > instead use the command line, or try to access the SVN
> > repository remotely or via Eclipse. None of these attempts
> > work. For me, it *always* results in a ModSecurity error.
>
> > I can however access my repository via file:/// access, I
> > just cannot do it with http://. I have tested with setenforce
> > and SELinux has nothing to do with this case as there is no
> > audit log reports either way.
>
>
> > + svn list file:///var/www/svn/projects [SUCCESSFUL]
> > =====================================================
> > branches/
> > tags/
> > trunk/
>
> > + svn list file:///fapp1/svn/projects [SUCCESSFUL]
> > ==================================================
> > branches/
> > tags/
> > trunk/
>
> > + svn list http://127.0.0.1/svn/projects [FAILURE]
> > Note: you can use localhost or your FQDN - it still fails.
> > ==========================================================
> > svn: PROPFIND request failed on '/svn/projects/!svn/vcc/default'
> > svn: PROPFIND of '/svn/projects/!svn/vcc/default': 400 Bad Request (http://127.0.0.1)
>
> > %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
> > NOTE: The following SELinux data appears ONLY if SVN repository
> > is NOT in /var/www/svn directory, in my case above: /fapp1
> > %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
> > /var/log/audit/audit.log:
> > =========================
> > type=AVC msg=audit(1201975689.832:2302): avc: denied { search } for pid=22110 comm="httpd" name="/" dev=sdc1 ino=2 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir
> > type=SYSCALL msg=audit(1201975689.832:2302): arch=40000003 syscall=5 success=no exit=-13 a0=ba4ab678 a1=8000 a2=1b6 a3=8000 items=0 ppid=22104 pid=22110 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
>
> > sealert:
> > Summary
> > SELinux is preventing access to files with the default label, default_t.
>
> > Detailed Description
> > SELinux permission checks on files labeled default_t are being denied.
> > These files/directories have the default label on them. This can indicate
> > a labeling problem, especially if the files being referred to are not top
> > level directories. Any files/directories under standard system directories,
> > /usr, /var. /dev, /tmp, ..., should not be labeled with the default label.
> > The default label is for files/directories which do not have a label on a
> > parent directory. So if you create a new directory in / you might
> > legitimately get this label.
>
> > Allowing Access
> > If you want a confined domain to use these files you will probably need to
> > relabel the file/directory with chcon. In some cases it is just easier to
> > relabel the system, to relabel execute: "touch /.autorelabel; reboot"
>
> > Additional Information
>
> > Source Context unconfined_u:system_r:httpd_t:s0
> > Target Context system_u:object_r:default_t:s0
> > Target Objects None [ dir ]
> > Affected RPM Packages httpd-2.2.6-3 [application]
> > Policy RPM selinux-policy-3.0.8-81.fc8
> > Selinux Enabled True
> > Policy Type targeted
> > MLS Enabled True
> > Enforcing Mode Enforcing
> > Plugin Name plugins.default
> > Host Name xxxxx.cdkkt.com
> > Platform Linux xxxxx.cdkkt.com 2.6.23.14-107.fc8 #1 SMP Mon Jan 14 21:37:30 EST 2008 i686 i686
> > Alert Count 5
> > First Seen Fri 01 Feb 2008 02:03:45 PM PST
> > Last Seen Sat 02 Feb 2008 10:10:33 AM PST
> > Local ID 8cb35e21-1c2c-45cf-ac9d-18152da60a1b
> > Line Numbers
>
> > Raw Audit Messages
>
> > avc: denied { search } for comm=httpd dev=sdc1 egid=48 euid=48
> > exe=/usr/sbin/httpd exit=-13 fsgid=48 fsuid=48 gid=48 items=0
> > name=/ pid=22109
> > scontext=unconfined_u:system_r:httpd_t:s0 sgid=48
> > subj=unconfined_u:system_r:httpd_t:s0 suid=48 tclass=dir
> > tcontext=system_u:object_r:default_t:s0 tty=(none) uid=48
> > %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
>
> > /var/log/httpd/access_log:
> > =========================
> > 10.1.0.143 - - [02/Feb/2008:09:52:42 -0800] "PROPFIND /svn/projects HTTP/1.1" 207 655 "-" "SVN/1.4.4 (r25188) neon/0.27.2"
> > 10.1.0.143 - - [02/Feb/2008:09:52:43 -0800] "PROPFIND /svn/projects/!svn/vcc/default HTTP/1.1" 400 306 "-" "SVN/1.4.4 (r25188) neon/0.27.2"
>
>
> > /var/log/httpd/error_log:
> > =========================
> > [Sat Feb 02 09:52:42 2008] [error] [client 10.1.0.143] ModSecurity: Warning. Match of "rx ^OPTIONS$" against "REQUEST_METHOD" required. [id "960015"] [msg "Request Missing an Accept Header"] [severity "CRITICAL"] [hostname "xxxxx.cdkkt.com"] [uri "/svn/projects"] [unique_id "jsS at 1goBAI8AAFWPHK8AAAAA"]
> > [Sat Feb 02 09:52:42 2008] [error] [client 10.1.0.143] ModSecurity: Warning. Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against "REQUEST_METHOD" required. [id "960032"] [msg "Method is not allowed by policy"] [severity "CRITICAL"] [hostname "xxxxx.cdkkt.com"] [uri "/svn/projects"] [unique_id "jsS at 1goBAI8AAFWPHK8AAAAA"]
> > [Sat Feb 02 09:52:43 2008] [error] [client 10.1.0.143] ModSecurity: Access allowed (phase 4). Pattern match "^(PROPFIND|PROPPATCH)$" at REQUEST_METHOD. [hostname "xxxxx.cdkkt.com"] [uri "/svn/projects"] [unique_id "jsS at 1goBAI8AAFWPHK8AAAAA"]
> > [Sat Feb 02 09:52:43 2008] [error] [client 10.1.0.143] ModSecurity: Access denied with code 400 (phase 2). Match of "rx ^[a-z]{3,10}\\\\s*(?:\\\\w{3,7}?\\\\:\\\\/\\\\/[\\\\w\\\\-\\\\.\\\\/]*)??\\\\/[\\\\w\\\\-\\\\.\\\\/~%:@&=+$,;]*(?:\\\\?[\\\\S]*)??\\\\s*http\\\\/\\\\d\\\\.\\\\d$" against "REQUEST_LINE" required. [id "960911"] [msg "Invalid HTTP Request Line"] [severity "CRITICAL"] [hostname "xxxxx.cdkkt.com"] [uri "/svn/projects/!svn/vcc/default"] [unique_id "jsfGswoBAI8AAFWRHLgAAAAC"]
>
>
>
> --
> fedora-list mailing list
> fedora-list at redhat.com
> To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
>
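As an added example (mine, not code from the thread or from Fedora): a POSIX shell script that pulls the fields out of an AVC line shaped like the audit.log entry above, flags the httpd_t-denied-on-default_t pattern the sealert describes, and prints the two relabeling commands Dan Walsh gave. The sample line and the /fapp1 parent directory are constructed from values quoted in the post.

```shell
#!/bin/sh
# Added example, not from the thread: triage an AVC denial shaped like the
# audit.log entry in the original post and derive the relabeling fix.

# Constructed sample line; field values are copied from the thread's audit.log.
SAMPLE_AVC='type=AVC msg=audit(1201975689.832:2302): avc: denied { search } for pid=22110 comm="httpd" name="/" dev=sdc1 ino=2 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir'

# avc_field LINE KEY: print the value of KEY=value (surrounding quotes stripped).
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' |
        sed -n "s/^$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}\$/\1/p" | head -n 1
}

# avc_type CONTEXT: the type field of user:role:type:level.
avc_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_permission LINE: the permission named inside "denied { ... }".
avc_permission() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \([^}]*\) }.*/\1/p'
}

# is_label_problem LINE: true when the confined httpd_t domain is denied on
# an object still carrying the default_t label, the symptom sealert describes
# above (a directory created outside the labeled system trees).
is_label_problem() {
    [ "$(avc_type "$(avc_field "$1" scontext)")" = httpd_t ] &&
    [ "$(avc_type "$(avc_field "$1" tcontext)")" = default_t ]
}

# suggest_fix PARENT: the two commands from the thread for a repository parent
# directory; the (/.*)? pattern labels the whole tree below it, since, as Dan
# Walsh notes, the context has to be fixed on the entire path, not just the repo.
suggest_fix() {
    parent=${1%/}
    printf "semanage fcontext -a -t httpd_sys_content_t '%s(/.*)?'\n" "$parent"
    printf 'restorecon -R -v %s\n' "$parent"
}

if is_label_problem "$SAMPLE_AVC"; then
    echo "httpd_t denied '$(avc_permission "$SAMPLE_AVC")' on a default_t $(avc_field "$SAMPLE_AVC" tclass); relabel the path:"
    suggest_fix /fapp1
fi
```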