[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: SVN + SELinux + Apache == Problems



Yes /projects is a seperate LVM mountpoint! 
I tried issuing the chcon -t usr_t /projects and got the following error:
chcon: can't apply partial context to unlabeled file /projects

Why would that be?
Thanks for the help!
-Jerry.

On 4/13/05, Colin Walters <walters redhat com> wrote:
> On Tue, 2005-04-12 at 22:04 -0500, Jerry Dueitt wrote:
> > I have been trying to get a SVN repository set up for access via the
> > DAV module. I have read that you need to do various things to get this
> > to work on a Fedora Core 3 system. My repository lives in
> > /projects/svn-repos/ which is a local filesystem. I have changed group
> > and owner to apache for all files in that directory with chown -R
> > apache.apache /projects/svn-repos. This obviously didn't work due to
> > SELinux security contexts. I found online that I needed to do chcon -R
> > -h -t httpd_sys_content_t /projects/svn-repos.
> 
> Right.
> 
> > I still get the following errors in my /var/log/mesages:
> > Apr 12 21:50:39 fry kernel: audit(1113360639.475:0): avc:  denied  {
> > search } for  pid=7147 exe=/usr/sbin/httpd name=/ dev=dm-2 ino=2
> > scontext=root:system_r:httpd_t tcontext=system_u:object_r:file_t
> > tclass=dir
> 
> Is /projects a mount for separate LVM device?  It must be labeled.  If
> ls -Z /projects shows file_t, then that is the problem.
> 
> Try this:
> 
> chcon -t usr_t /projects
> 
> I picked usr_t because it's going to be accessible to httpd_t.  Longer
> term once we have a better infrastructure for local policy
> modifications, you'd really want to create a new type such as project_t
> which you could apply to the directory and give only httpd_t and other
> domains the access you want.
> 
> > Most of the information online indicated people were just turning off
> > SELinux to avoid this problem. I was wondering if anybody could point
> > me in the direction of resolving this without disabling SELinux.
> 
> It's much better to disable SELinux enforcement just for Apache HTTPD,
> not SELinux as a whole.
> http://fedora.redhat.com/docs/selinux-faq-fc3/index.html#using-s-c-securitylevel
> 
>


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]