
Re: solution, was: Re: another apache permissions problem

From: <kfogel_at_collab.net>
Date: 2004-12-08 20:21:09 CET

Is this more text for

   http://subversion.tigris.org/project_faq.html#reposperms

If so, would you mind submitting it in patch form, so we can see how
it fits into the context? (Feel free to adjust the text that's
already there, too.)

-Karl

"Henrik Vendelbo" <hvendelbo@bluprints.com> writes:
> MORE TEXT:
>
> When creating the repository by calling 'svnadmin create', the security
> context will be tagged with the user (i.e. root). According to the Fedora
> documentation (http://fedora.redhat.com/docs/selinux-apache-fc3/), the
> context user should be 'system_u' rather than the current user. To change it,
> add -u system_u to the chcon command. Even so, the security policy currently
> present in Fedora Core 3 seems to allow a user context of root.
>
> Note that security context types are copied from the parent directory, while
> the user context is taken from the current user. So if the httpd_sys_content_t
> type is set on the repository parent directory before creating the
> repository, the repository will be accessible without changing context by
> calling chcon.
>
> Use 'ls -aZ <repository path>' to list security context user : resource :
> type.
>
> If you create configuration files outside the /etc directory which
> mod_dav_svn or Apache httpd needs to read, you must change the security
> context type to etc_t with the command 'chcon -t etc_t <file path>'.
>
>
> ----- Original Message -----
> From: "Curtis G Pew" <curtis.pew@austin.utexas.edu>
> To: <users@subversion.tigris.org>
> Sent: Wednesday, December 08, 2004 2:28 PM
> Subject: RE: Re: solution, was: Re: another apache permissions problem
>
>
> I don't think that 'svnadmin create' should be doing this, since it's only
> appropriate if you're planning to access your repository via http. The
> documentation for configuring Apache for Subversion already discusses
> setting up permissions, and this is just another issue that needs to be
> dealt with.
>
> Here's my summary of the situation:
>
>
> "In addition to regular Unix permissions, under SELinux every file,
> directory, process, etc. has a 'security context'. When a process attempts
> to access a file, besides checking the Unix permissions the system also
> checks to see if the security context of the process is compatible with the
> security context of the file.
>
> "By default, Fedora Core 3 comes with SELinux installed and configured so
> that Apache runs in a fairly restricted security context, so to run
> Subversion under Apache you have to set the security context of the
> repository to allow Apache access (or turn off the restrictions on Apache,
> if you think all this is overkill.) The 'chcon' command is used to set the
> security context of files similarly to how 'chmod' sets the traditional
> Unix permissions. In my case, issuing:
>
> $ chcon -R -h -t httpd_sys_content_t <path-to-repository>
>
> set the security context so that I was able to successfully access the
> repository."
>
>
> This will probably come up a lot as more people start to use Fedora Core 3
> and the corresponding versions of Red Hat Enterprise, but again I don't
> think svnadmin should change, just the documentation.
>
> --
> Curtis Pew (c.pew@its.utexas.edu)
> ITS - Systems
> The University of Texas at Austin
>
>
> > ----------
> > From: kfogel@newton.ch.collab.net on behalf of kfogel@collab.net
> > Reply To: kfogel@collab.net
> > Sent: Wednesday, December 8, 2004 12:39 AM
> > To: Henrik Vendelbo
> > Cc: users@subversion.tigris.org
> > Subject: Re: solution, was: Re: another apache permissions problem
> >
> > "Henrik Vendelbo" <hvendelbo@bluprints.com> writes:
> > > I had to do a chcon -R -u system_u <path> as well to get it to work.
> > >
> > > shouldn't 'svnadmin create' be able to do this sort of thing ?
> >
> > Wow, glad this got solved.
> >
> > Can you summarize the situation, for those of us who don't know
> > anything about SELinux, and say what exactly it is that 'svnadmin
> > create' should be doing?
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
> > For additional commands, e-mail: users-help@subversion.tigris.org

Received on Wed Dec 8 20:24:40 2004
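
An added example, not part of the archived message or of Subversion: a small shell audit that checks whether every path in a repository carries the `httpd_sys_content_t` type and `system_u` user discussed in the thread. It assumes input lines of the form `<context> <path>` (as GNU `stat -c '%C %n'` prints them); the function names and the `/srv/svn/repo` sample paths are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit SELinux labels on a repository that Apache must read.
# Expected input, one "<context> <path>" per line, e.g. from GNU stat:
#   find <repository path> -exec stat -c '%C %n' {} + | audit_contexts

WANT_TYPE=httpd_sys_content_t   # type set with 'chcon -t' in the thread
WANT_USER=system_u              # user set with 'chcon -u' in the thread

audit_contexts() {
    bad=0
    while read -r ctx path; do
        [ -n "$ctx" ] || continue
        case $ctx in
            *:*:*) ;;                        # looks like user:role:type[:level]
            *) echo "UNLABELED $path ($ctx)"; bad=1; continue ;;
        esac
        user=${ctx%%:*}                      # first field
        rest=${ctx#*:}; rest=${rest#*:}      # drop the first two fields
        type=${rest%%:*}                     # third field, ignoring any level
        if [ "$type" != "$WANT_TYPE" ]; then
            echo "WRONG_TYPE $path ($type)"; bad=1
        elif [ "$user" != "$WANT_USER" ]; then
            # The thread notes the FC3 policy appears to accept 'root' here,
            # so a user mismatch is reported but does not fail the audit.
            echo "USER_NOTE $path ($user)"
        fi
    done
    return "$bad"
}

# Constructed sample input (not captured from a real system).
sample_input() {
    cat <<'EOF'
system_u:object_r:httpd_sys_content_t /srv/svn/repo
root:object_r:httpd_sys_content_t /srv/svn/repo/db
root:object_r:user_home_t /srv/svn/repo/hooks
? /srv/svn/repo/locks
system_u:object_r:httpd_sys_content_t:s0 /srv/svn/repo/format
EOF
}
```

A non-zero return from `audit_contexts` means at least one path has a missing or wrong type and would still need the `chcon -R -h -t httpd_sys_content_t` step quoted above.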

This is an archived mail posted to the Subversion Users mailing list.
