[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: SELinux (FC3), Subversion, & Apache - Newbie question

From: Martin Tomes <lists_at_tomes.org>
Date: 2005-03-09 10:38:10 CET

Jason Hunt wrote:
> Hello All,
> I am having troubles with getting subversion to run appropriately
> over WebDAV via Apache. Below are the steps I took to replicate the
> problem.

> avc: denied { read } for pid=12536 exe=/usr/sbin/httpd name=home
> dev=dm-0 ino=23 scontext=root:system_r:httpd_t
> tcontext=root:object_r:root_t tclass=lnk_file

Take a look in /etc/selinux/config and if SELINUX=Permissive then you
are not in enforcing mode and can ignore the message. Permissive means
selinux is installed and running but being ignored. It will also add a
log message whenever it would have denied something.

If SELINUX=Enforcing then the selinux access rules will be enforced by
the system and you need to do something about this.

This is a big subject! If you really wish to understand this and
military security level is required then you will have to buy this book:

http://tinyurl.com/5tznw

There is some information on the Fedora site about Fedora and selinux.

My guess from the message is that /home is a link and httpd which is in
the context root:system_r:httpd_t is not permitted to read the link
which is labelled as root:object_r:root_t. If you were to relabel the
/home link to be httpd_user_content_t is might work - but my guess is
that you would then break other things.

Try moving the repository to a path which doesn't have a symlink in it -
i.e., look at what /home is pointing to and use that path in your
httpd.conf. If that's no good try creating a repo in the root file
system and labelling it using the chcon command and see if you can
access that without errors.

-- 
Martin Tomes
echo 'martin at tomes x org x uk'\
  | sed -e 's/ x /\./g' -e 's/ at /@/'
The Subversion Wiki is at http://www.subversionary.org/
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Wed Mar 9 10:40:50 2005

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.