
Re: Re: solution, was: Re: another apache permissions problem

From: Henrik Vendelbo <hvendelbo_at_bluprints.com>
Date: 2004-12-08 19:49:05 CET

MORE TEXT:

When the repository is created by calling 'svnadmin create', the security
context will be tagged with the user (i.e. root). According to the Fedora
documentation (http://fedora.redhat.com/docs/selinux-apache-fc3/), the
context user should be 'system_u' rather than the current user. To change it,
add -u system_u to the chcon command. Even so, the security policy currently
present in Fedora Core 3 seems to allow a user context of root.

Note that security context types are copied from the parent directory, while
the user context is taken from the current user. So if the httpd_sys_content_t
type is set on the repository parent directory before creating the
repository, the repository will be accessible without changing context by
calling chcon.

Use 'ls -aZ <repository path>' to list security context user : resource :
type.

If you create configuration files outside the /etc directory which
mod_dav_svn or Apache httpd needs to read, you must change the security
context type to etc_t with the command 'chcon -t etc_t <file path>'.

----- Original Message -----
From: "Curtis G Pew" <curtis.pew@austin.utexas.edu>
To: <users@subversion.tigris.org>
Sent: Wednesday, December 08, 2004 2:28 PM
Subject: RE: Re: solution, was: Re: another apache permissions problem

I don't think that 'svnadmin create' should be doing this, since it's only
appropriate if you're planning to access your repository via http. The
documentation for configuring Apache for Subversion already discusses
setting up permissions, and this is just another issue that needs to be
dealt with.

Here's my summary of the situation:

"In addition to regular Unix permissions, under SELinux every file,
directory, process, etc. has a 'security context'. When a process attempts
to access a file, besides checking the Unix permissions the system also
checks to see if the security context of the process is compatible with the
security context of the file.

"By default, Fedora Core 3 comes with SELinux installed and configured so
that Apache runs in a fairly restricted security context, so to run
Subversion under Apache you have to set the security context of the
repository to allow Apache access (or turn off the restrictions on Apache,
if you think all this is overkill.) The 'chcon' command is used to set the
security context of files similarly to how 'chmod' sets the traditional
Unix permissions. In my case, issuing:

$ chcon -R -h -t httpd_sys_content_t <path-to-repository>

set the security context so that I was able to successfully access the
repository."

This will probably come up a lot as more people start to use Fedora Core 3
and the corresponding versions of Red Hat Enterprise, but again I don't
think svnadmin should change, just the documentation.

-- 
Curtis Pew (c.pew@its.utexas.edu)
ITS - Systems
The University of Texas at Austin
> ----------
> From: kfogel@newton.ch.collab.net on behalf of kfogel@collab.net
> Reply To: kfogel@collab.net
> Sent: Wednesday, December 8, 2004 12:39 AM
> To: Henrik Vendelbo
> Cc: users@subversion.tigris.org
> Subject: Re: solution, was: Re: another apache permissions problem
>
> "Henrik Vendelbo" <hvendelbo@bluprints.com> writes:
> > I had to do a chcon -R -u system_u <path> as well to get it to work.
> >
> > shouldn't 'svnadmin create' be able to do this sort of thing ?
>
> Wow, glad this got solved.
>
> Can you summarize the situation, for those of us who don't know
> anything about SELinux, and say what exactly it is that 'svnadmin
> create' should be doing?
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
> For additional commands, e-mail: users-help@subversion.tigris.org
Received on Wed Dec 8 19:52:09 2004
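
The check discussed in this thread (list the security contexts, then compare type and user), as an added shell example that is not part of any message above. It assumes a listing of "<context> <path>" pairs such as GNU `stat -c '%C %n'` prints; the `/srv/svn/repo` paths and sample contexts are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit SELinux labels on a Subversion repository served by Apache.
# Input: one "<context> <path>" pair per line, e.g. from
#   find <path-to-repository> -exec stat -c '%C %n' {} +
EXPECTED_TYPE=httpd_sys_content_t   # type set with 'chcon -t' in the thread
EXPECTED_USER=system_u              # user named in the thread

# Reads the listing on stdin and prints one finding per problem path.
# Exits 1 if any path has the wrong type or no usable context.
# A user mismatch is reported but not fatal, since the thread notes that
# the Fedora Core 3 policy seems to allow a user context of root.
audit_contexts() (
    bad=0
    while read -r ctx path; do
        [ -n "$ctx" ] || continue
        case $ctx in
            *:*:*) ;;                        # user:role:type[:level]
            *) echo "UNLABELED $path ($ctx)"; bad=1; continue ;;
        esac
        user=${ctx%%:*}
        rest=${ctx#*:}; rest=${rest#*:}      # drop user and role
        ctype=${rest%%:*}                    # drop optional level (may contain ':')
        if [ "$ctype" != "$EXPECTED_TYPE" ]; then
            echo "TYPE $path: $ctype (want $EXPECTED_TYPE)"; bad=1
        elif [ "$user" != "$EXPECTED_USER" ]; then
            echo "USER $path: $user (want $EXPECTED_USER)"
        fi
    done
    exit "$bad"
)

# Constructed sample listing (not real output from any system).
sample_listing() {
    cat <<'EOF'
system_u:object_r:httpd_sys_content_t /srv/svn/repo
root:object_r:httpd_sys_content_t /srv/svn/repo/format
root:object_r:user_home_t /srv/svn/repo/db/current
system_u:object_r:httpd_sys_content_t:s0:c0.c1023 /srv/svn/repo/hooks
? /srv/svn/repo/locks
EOF
}

sample_listing | audit_contexts ||
    echo "relabel needed: chcon -R -h -t $EXPECTED_TYPE <path-to-repository>"
```
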

This is an archived mail posted to the Subversion Users mailing list.
