[F8] SELinux, Apache and Subversion problem.
Daniel B. Thurman
dant at cdkkt.com
Sat Feb 2 23:25:53 UTC 2008
Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Daniel B. Thurman wrote:
> > It seems that I am having a bit of a problem with SELinux,
> > Apache, and Subversion in the way that I have my subversion
> > repository located not in the "recommended" place.
> >
> > Instead of putting the repository in the recommended place:
> > /var/www/svn for example, docs says you can put the repository
> > elsewhere by adding SVNParentPath=/my/place/svn entry into the
> > /etc/httpd/conf.d/subversion.conf file, but SELinux does not
> > like it. I did change the svn repository directory/files with
> > context httpd_sys_context_t and with ownership of apache.apache.
> > I also created a link such as /var/www/svn -> /my/svn setting
> > SVNParentPath=/var/www/svn - it does not work as well.
> >
> > I have tested to see if SELinux is blocking access by setting
> > setenforce 0, then opened up the firefox browser, entered
> > my user name and password and it worked, but setting setenforce 1
> > back, breaks it again.
> >
> > Does anyone know how to do it - beside recommending that I
> > place the svn repository directly into /var/www/svn?
> >
> > Thanks-
> > Dan
> >
> What avc messages are you seeing? /var/log/audit/audit.log
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.8 (GNU/Linux)
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
>
> iEYEARECAAYFAkej4/kACgkQrlYvE4MpobM/XQCfUM6KBrPSYl0eIQgST40fFmOE
> gkMAnRMk+V60i7RQkSANWpjYf3cmQhOX
> =qXQd
> -----END PGP SIGNATURE-----
I left intact the above and did not snip it because for some
reason, Daniel Walsh has encapsulated it with PGP? Dunno,
beats me.
The following has to do with problems encountered while setting
up Apache and SubVersion.
1) If I do not install my SVN Repository to the recommended
place of /var/www/ directory, SELinux blocks access.
It does not matter if I have set the proper context
(httpd_sys_content_t), and directory/file ownerships
(apache.apache). SELinux does not complain if the repository
is in /var/www. The SELinux error logs are provided for
further examination by those who care.
2) When I have properly configured my
/etc/httpd/conf.d/subversion.conf file for access levels and
permissions, I can go to my favorite browser, type in:
http://localhost/svn (or whatever you set Location to). and it
will prompt me for username and password, and will let me
browse the SVN tree.
My problem comes in when I do NOT use my browser, but
instead use the command line, or try to access the SVN
repository remotely or via Eclipse. None of these attempts
work. For me, it *always* results in a ModSecurity error.
I can however access my repository via file:/// access, I
just cannot do it with http://. I have tested with setenforce
and SELinux has nothing to do with this case as there are no
audit log reports either way.
+ svn list file:///var/www/svn/projects [SUCCESSFUL]
=====================================================
branches/
tags/
trunk/
+ svn list file:///fapp1/svn/projects [SUCCESSFUL]
==================================================
branches/
tags/
trunk/
+ svn list http://127.0.0.1/svn/projects [FAILURE]
Note: you can use localhost or your FQDN - it still fails.
==========================================================
svn: PROPFIND request failed on '/svn/projects/!svn/vcc/default'
svn: PROPFIND of '/svn/projects/!svn/vcc/default': 400 Bad
Request (http://127.0.0.1)
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
NOTE: The following SELinux data appears ONLY if SVN repository
is NOT in /var/www/svn directory, in my case above: /fapp1/svn
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
/var/log/audit/audit.log:
=========================
type=AVC msg=audit(1201975689.832:2302): avc: denied { search } for
pid=22110 comm="httpd" name="/" dev=sdc1 ino=2 scontext=unconfined_u:
system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=dir
type=SYSCALL msg=audit(1201975689.832:2302): arch=40000003 syscall=5
success=no exit=-13 a0=ba4ab678 a1=8000 a2=1b6 a3=8000 items=0 ppid=22104
pid=22110 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48
fsgid=48 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:
system_r:httpd_t:s0 key=(null)
sealert:
Summary
SELinux is preventing access to files with the default label, default_t.
Detailed Description
SELinux permission checks on files labeled default_t are being denied.
These files/directories have the default label on them. This can indicate
a labeling problem, especially if the files being referred to are not top
level directories. Any files/directories under standard system directories,
/usr, /var. /dev, /tmp, ..., should not be labeled with the default label.
The default label is for files/directories which do not have a label on a
parent directory. So if you create a new directory in / you might
legitimately get this label.
Allowing Access
If you want a confined domain to use these files you will probably need to
relabel the file/directory with chcon. In some cases it is just easier to
relabel the system, to relabel execute: "touch /.autorelabel; reboot"
Additional Information
Source Context unconfined_u:system_r:httpd_t:s0
Target Context system_u:object_r:default_t:s0
Target Objects None [ dir ]
Affected RPM Packages httpd-2.2.6-3 [application]
Policy RPM selinux-policy-3.0.8-81.fc8
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name plugins.default
Host Name xxxxx.cdkkt.com
Platform Linux xxxxx.cdkkt.com 2.6.23.14-107.fc8 #1 SMP Mon
Jan 14 21:37:30 EST 2008 i686 i686
Alert Count 5
First Seen Fri 01 Feb 2008 02:03:45 PM PST
Last Seen Sat 02 Feb 2008 10:10:33 AM PST
Local ID 8cb35e21-1c2c-45cf-ac9d-18152da60a1b
Line Numbers
Raw Audit Messages
avc: denied { search } for comm=httpd dev=sdc1 egid=48 euid=48
exe=/usr/sbin/httpd exit=-13 fsgid=48 fsuid=48 gid=48 items=0
name=/ pid=22109
scontext=unconfined_u:system_r:httpd_t:s0 sgid=48
subj=unconfined_u:system_r:httpd_t:s0 suid=48 tclass=dir
tcontext=system_u:object_r:default_t:s0 tty=(none) uid=48
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
/var/log/httpd/access_log:
=========================
10.1.0.143 - - [02/Feb/2008:09:52:42 -0800] "PROPFIND /svn/projects
HTTP/1.1" 207 655 "-" "SVN/1.4.4 (r25188) neon/0.27.2"
10.1.0.143 - - [02/Feb/2008:09:52:43 -0800] "PROPFIND /svn/projects/
!svn/vcc/default HTTP/1.1" 400 306 "-" "SVN/1.4.4 (r25188) neon/0.27.2"
/var/log/httpd/error_log:
=========================
[Sat Feb 02 09:52:42 2008] [error] [client 10.1.0.143] ModSecurity:
Warning. Match of "rx ^OPTIONS$" against "REQUEST_METHOD" required.
[id "960015"] [msg "Request Missing an Accept Header"] [severity
"CRITICAL"] [hostname "xxxxx.cdkkt.com"] [uri "/svn/projects"]
[unique_id "jsS at 1goBAI8AAFWPHK8AAAAA"]
[Sat Feb 02 09:52:42 2008] [error] [client 10.1.0.143] ModSecurity:
Warning. Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against
"REQUEST_METHOD" required. [id "960032"] [msg "Method is not
allowed by policy"] [severity "CRITICAL"] [hostname "xxxxx.cdkkt.com"]
[uri "/svn/projects"] [unique_id
"jsS at 1goBAI8AAFWPHK8AAAAA"]
[Sat Feb 02 09:52:43 2008] [error] [client 10.1.0.143] ModSecurity: Access
allowed (phase 4). Pattern match "^(PROPFIND|PROPPATCH)$" at REQUEST_METHOD.
[hostname "xxxxx.cdkkt.com"] [uri "/svn/projects"] [unique_id
"jsS at 1goBAI8AAFWPHK8AAAAA"]
[Sat Feb 02 09:52:43 2008] [error] [client 10.1.0.143] ModSecurity:
Access denied with code 400 (phase 2). Match of "rx ^[a-z]{3,10}\\\\
s*(?:\\\\w{3,7}?\\\\:\\\\/\\\\/[\\\\w\\\\-\\\\.\\\\/]*)??\\\\/[\\\\w
\\\\-\\\\.\\\\/~%:@&=+$,;]*(?:\\\\?[\\\\S]*)??\\\\s*http\\\\/\\\\d\\\
\.\\\\d$" against "REQUEST_LINE" required. [id "960911"] [msg "Invalid
HTTP Request Line"] [severity "CRITICAL"] [hostname "xxxxx.cdkkt.com"]
[uri "/svn/projects/!svn/vcc/default"] [unique_id "jsfGswoBAI8AAFWRHLgAAAAC"]
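Added example, not part of the mail thread above: a small Python triage script that reads the two kinds of log line posted in this message (the AVC denial from /var/log/audit/audit.log and the ModSecurity entries from /var/log/httpd/error_log) and separates the two problems the poster is seeing. The audit parser flags a denial whose target is labeled default_t as a labeling problem rather than a policy problem (the sealert text says the same: default_t is the fallback label for a new top-level directory or a freshly mounted filesystem, which is what name="/" on dev=sdc1 suggests here). The ModSecurity parser splits "Warning" entries, which only log, from "Access denied with code N" entries, which actually block; in the posted lines only rule 960911 ("Invalid HTTP Request Line") blocks, and it does so on the WebDAV path /svn/projects/!svn/vcc/default, whose "!" is not in the rule's allowed path characters. The sample lines are the mail's own excerpts rejoined onto single lines (the archive wrapped them); the function names and the advice strings are mine, and the relabeling commands named in the advice (chcon, semanage fcontext, restorecon) are the standard tools rather than something the thread prescribes.

```python
import re

# Constructed sample input: the audit.log and error_log excerpts from the
# mail, rejoined onto single lines (the mailing-list archive wrapped them).
AUDIT_LINES = [
    'type=AVC msg=audit(1201975689.832:2302): avc: denied { search } for '
    'pid=22110 comm="httpd" name="/" dev=sdc1 ino=2 '
    'scontext=unconfined_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:default_t:s0 tclass=dir',
    'type=SYSCALL msg=audit(1201975689.832:2302): arch=40000003 syscall=5 '
    'success=no exit=-13 pid=22110 uid=48 comm="httpd" exe="/usr/sbin/httpd"',
]
MODSEC_LINES = [
    '[Sat Feb 02 09:52:42 2008] [error] [client 10.1.0.143] ModSecurity: '
    'Warning. Match of "rx ^OPTIONS$" against "REQUEST_METHOD" required. '
    '[id "960015"] [msg "Request Missing an Accept Header"] [severity "CRITICAL"] '
    '[hostname "xxxxx.cdkkt.com"] [uri "/svn/projects"] [unique_id "jsS@1goBAI8AAFWPHK8AAAAA"]',
    '[Sat Feb 02 09:52:42 2008] [error] [client 10.1.0.143] ModSecurity: '
    'Warning. Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against '
    '"REQUEST_METHOD" required. [id "960032"] [msg "Method is not allowed by policy"] '
    '[severity "CRITICAL"] [hostname "xxxxx.cdkkt.com"] [uri "/svn/projects"] '
    '[unique_id "jsS@1goBAI8AAFWPHK8AAAAA"]',
    '[Sat Feb 02 09:52:43 2008] [error] [client 10.1.0.143] ModSecurity: Access '
    'allowed (phase 4). Pattern match "^(PROPFIND|PROPPATCH)$" at REQUEST_METHOD. '
    '[hostname "xxxxx.cdkkt.com"] [uri "/svn/projects"] [unique_id "jsS@1goBAI8AAFWPHK8AAAAA"]',
    '[Sat Feb 02 09:52:43 2008] [error] [client 10.1.0.143] ModSecurity: '
    'Access denied with code 400 (phase 2). Match of "rx ^[a-z]{3,10}..." against '
    '"REQUEST_LINE" required. [id "960911"] [msg "Invalid HTTP Request Line"] '
    '[severity "CRITICAL"] [hostname "xxxxx.cdkkt.com"] '
    '[uri "/svn/projects/!svn/vcc/default"] [unique_id "jsfGswoBAI8AAFWRHLgAAAAC"]',
]

# "avc: denied { perm ... } for key=value key="quoted value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# ModSecurity entries that carry a rule id; "Access allowed" entries have none
# and are ignored on purpose.
MODSEC_RE = re.compile(
    r'ModSecurity:\s+(?P<action>Access denied with code (?P<code>\d+)|Warning)\b'
    r'.*?\[id "(?P<id>\d+)"\].*?\[msg "(?P<msg>[^"]+)"\].*?\[uri "(?P<uri>[^"]+)"\]')


def parse_avc(line):
    """Return the AVC denial's fields as a dict, or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    fields['perms'] = m.group('perms').split()
    return fields


def context_type(ctx):
    """user:role:type:level -> type (e.g. 'httpd_t')."""
    return ctx.split(':')[2]


def triage_selinux(lines):
    """Classify each AVC denial as a labeling problem (target is default_t)
    or as a genuine policy denial that needs a boolean or a policy module."""
    findings = []
    for line in lines:
        avc = parse_avc(line)
        if avc is None:
            continue
        source, target = context_type(avc['scontext']), context_type(avc['tcontext'])
        obj = avc.get('path') or avc.get('name') or '?'
        entry = {'source': source, 'target_type': target, 'object': obj,
                 'tclass': avc.get('tclass'), 'perms': avc['perms']}
        if target == 'default_t':
            entry['kind'] = 'labeling'
            entry['advice'] = (
                f"{obj} ({avc.get('tclass')} on dev={avc.get('dev')}) carries the fallback "
                "default_t label; give it a type %s may use (httpd_sys_content_t for web "
                "content) with chcon for a one-off test, or persist it with "
                "semanage fcontext and restorecon -R. Every parent directory up to the "
                "mount point needs a searchable label too." % source)
        else:
            entry['kind'] = 'policy'
            entry['advice'] = (f"{source} is not allowed {avc['perms']} on {target}; "
                               "check the relevant SELinux booleans before writing policy.")
        findings.append(entry)
    return findings


def triage_modsec(lines):
    """Split ModSecurity entries into (denials, warnings): only 'Access denied'
    entries change the HTTP response; 'Warning' entries just log a rule hit."""
    denials, warnings = [], []
    for line in lines:
        m = MODSEC_RE.search(line)
        if not m:
            continue
        entry = {'id': m.group('id'), 'msg': m.group('msg'), 'uri': m.group('uri')}
        if m.group('code'):
            entry['code'] = int(m.group('code'))
            denials.append(entry)
        else:
            warnings.append(entry)
    return denials, warnings


if __name__ == '__main__':
    for f in triage_selinux(AUDIT_LINES):
        print(f"SELinux [{f['kind']}] {f['source']} -> {f['target_type']} "
              f"{f['perms']} on {f['object']}: {f['advice']}")
    denied, warned = triage_modsec(MODSEC_LINES)
    for e in denied:
        print(f"ModSecurity BLOCKED {e['code']} by rule {e['id']} ({e['msg']}) on {e['uri']}")
    for e in warned:
        print(f"ModSecurity logged rule {e['id']} ({e['msg']}) on {e['uri']}")
```

Run on the real files with something like `triage_selinux(open('/var/log/audit/audit.log'))` as root; the point of separating the two outputs is the one the poster reached by hand with setenforce 0: the SELinux finding disappears once the repository tree is relabeled, while the 400 on the PROPFIND stays until the ModSecurity rule that rejects the request line is tuned for the WebDAV location.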