
Re: svnserve setup on RHEL-7.5

From: Adam Jensen <hanzer_at_metadatalibrary.org>
Date: Tue, 2 Oct 2018 14:35:00 -0400

On 10/02/2018 02:52 AM, Ryan Schmidt wrote:
>
>
> On Oct 1, 2018, at 22:33, Adam Jensen wrote:
>
>> I am attempting to set up an svn server on Scientific Linux 7.5 using
>> subversion from the wandisco repository. This is my entire process
>> (below). The current result is:
>>
>> svn list svn://moria.metadatalibrary.org/MAAPSS
>> svn: E170013: Unable to connect to a repository at URL
>> 'svn://moria.metadatalibrary.org/MAAPSS'
>> svn: E000013: Can't open file '/srv/svn/MAAPSS/format': Permission denied
>>
>> Does anyone have any idea what might have caused this problem?
>
> Might SELinux be enabled on the server, and if so, might you need to use the chcon command to grant the svn user access to that area of the filesystem?
>
>

Thanks, Ryan. I looked at SELinux last night as the potential source of
the problem but dismissed it somehow. Looking at it again earlier today
with fresh eyes, it certainly does seem to be the problem. This is my
solution:

chcon -Rv --user system_u /srv/svn
chcon -Rv --type svnserve_content_t /srv/svn

ls -Z /srv
drwxr-xr-x. svn svn system_u:object_r:svnserve_content_t:s0 svn

# Test it:
svn list svn://moria.metadatalibrary.org/MAAPSS/
Authentication realm: <svn://moria.metadatalibrary.org:3690>
moria.metadatalibrary.org
Password for 'hanzer': *************

# Make it permanent:
semanage fcontext -a -s system_u -t svnserve_content_t "/srv/svn(/.*)?"
restorecon -R -v /srv/svn

# Verify:
matchpathcon -V /srv/svn
/srv/svn verified.

And for posterity, here are my problem exploration notes:

-----------------------------------------------------------------------
less /var/log/messages # The relevant parts:
# SELinux is preventing svnserve from read access on the file format.
# If you want to allow svnserve to have read access on the format file
# Then you need to change the label on format
# semanage fcontext -a -t FILE_TYPE 'format'
# where FILE_TYPE is one of the following:
# svnserve_content_t, svnserve_exec_t, svnserve_log_t, svnserve_tmp_t,
# svnserve_var_run_t

ps -efZ | grep svn
system_u:system_r:svnserve_t:s0 svn 4700 1 0 Oct01 ? 00:00:00 /usr/bin/svnserve --daemon --pid-file /run/svnserve/svnserve.pid --root /srv/svn/ --listen-port=3690 --log-file /var/log/svnserve/svnserve.log

ls -Z /srv/
drwxr-xr-x. svn svn unconfined_u:object_r:var_t:s0 svn

sesearch --allow --source svnserve_t --target var_t --class file
# empty output

sesearch --allow --source svnserve_t --target svnserve_content_t --class file
Found 1 semantic av rules:
   allow svnserve_t svnserve_content_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;

sesearch --allow --source svnserve_t --target svnserve_exec_t --class file
Found 1 semantic av rules:
   allow svnserve_t svnserve_exec_t : file { ioctl read getattr lock execute execute_no_trans entrypoint open } ;

sesearch --allow --source svnserve_t --target svnserve_log_t --class file
Found 2 semantic av rules:
   allow svnserve_t svnserve_log_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
   allow daemon logfile : file { ioctl getattr lock append } ;

sesearch --allow --source svnserve_t --target svnserve_tmp_t --class file
Found 2 semantic av rules:
   allow svnserve_t svnserve_tmp_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
   allow domain tmpfile : file { ioctl read getattr lock append open } ;

sesearch --allow --source svnserve_t --target svnserve_var_run_t --class file
Found 1 semantic av rules:
   allow svnserve_t svnserve_var_run_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;

ls -Z /var/log
drwxr-xr-x. svn root unconfined_u:object_r:var_log_t:s0 svnserve

ls -Z /var/log/svnserve/
-rw-r--r--. svn svn system_u:object_r:svnserve_log_t:s0 svnserve.log

ls -Z /run
drwxr-xr-x. svn svn system_u:object_r:svnserve_var_run_t:s0 svnserve

ls -Z /run/svnserve/
-rw-r--r--. svn svn system_u:object_r:svnserve_var_run_t:s0 svnserve.pid

ls -Z /usr/bin/svnserve
-rwxr-xr-x. root root system_u:object_r:svnserve_exec_t:s0 /usr/bin/svnserve

ls -Z /etc/sasl2/svn.conf
-rw-r--r--. root root unconfined_u:object_r:etc_t:s0 /etc/sasl2/svn.conf

ls -Z /etc/svn_sasldb
-rw-r-----. svn svn unconfined_u:object_r:etc_t:s0 /etc/svn_sasldb

sesearch --allow --source svnserve_t --target etc_t --class file
Found 1 semantic av rules:
   allow domain base_ro_file_type : file { ioctl read getattr lock open } ;

chcon -Rv --user system_u /srv/svn
chcon -Rv --type svnserve_content_t /srv/svn

ls -Z /srv
drwxr-xr-x. svn svn system_u:object_r:svnserve_content_t:s0 svn

# Test it:
svn list svn://moria.metadatalibrary.org/MAAPSS/
Authentication realm: <svn://moria.metadatalibrary.org:3690>
moria.metadatalibrary.org
Password for 'hanzer': *************

# Make it permanent:
semanage fcontext -a -s system_u -t svnserve_content_t "/srv/svn(/.*)?"
restorecon -R -v /srv/svn

# Verify:
matchpathcon -V /srv/svn
/srv/svn verified.
-----------------------------------------------------------------------

I made a couple of changes to the setup:

vi /etc/sasl2/svn.conf
pwcheck_method: auxprop
auxprop_plugin: sasldb
sasldb_path: /etc/svn_sasldb
mech_list: DIGEST-MD5

grep "^[^#]" /srv/svn/MAAPSS/conf/svnserve.conf
[general]
anon-access = none
auth-access = write
password-db = passwd
realm = moria.metadatalibrary.org
[sasl]
use-sasl = true
min-encryption = 128
max-encryption = 256

grep "^[^#]" /srv/svn/MAAPSS/conf/passwd
[users]

Curiously, on the local machine "moria" this works:

svn list svn://moria.metadatalibrary.org/MAAPSS/
Authentication realm: <svn://moria.metadatalibrary.org:3690>
moria.metadatalibrary.org
Password for 'hanzer': *************

But from a machine on the LAN (also SL-7.5 with the same wandisco svn):

svn list svn://moria.metadatalibrary.org/MAAPSS/
svn: E170013: Unable to connect to a repository at URL
'svn://moria.metadatalibrary.org/MAAPSS'
svn: E210007: Cannot negotiate authentication mechanism

Do you suppose this is a network configuration problem rather than an
svn configuration problem?
Received on 2018-10-02 20:35:24 CEST
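
Added example (not part of the original message and not Subversion project code): a shell check in the spirit of the exploration notes above. It reads RHEL 7 style `ls -Z` lines and reports regular files whose SELinux type is not one that the sesearch output quoted in the post shows svnserve_t may read. The `format` line in the sample is constructed on the assumption that the file carried the same var_t type as its parent directory; the function names are hypothetical.

```shell
#!/bin/sh
# Types for which the sesearch runs quoted in the post returned a "file"
# allow rule that includes read for source svnserve_t (var_t returned nothing).
ALLOWED_TYPES="svnserve_content_t svnserve_exec_t svnserve_log_t svnserve_tmp_t svnserve_var_run_t etc_t"

# Sample input: `ls -Z` lines from the post, before relabeling. The "format"
# line is constructed (assumed to share var_t with its parent directory).
sample_listing() {
cat <<'EOF'
drwxr-xr-x. svn svn unconfined_u:object_r:var_t:s0 svn
-rw-r--r--. svn svn unconfined_u:object_r:var_t:s0 format
-rw-r--r--. svn svn system_u:object_r:svnserve_log_t:s0 svnserve.log
-rw-r--r--. svn svn system_u:object_r:svnserve_var_run_t:s0 svnserve.pid
-rwxr-xr-x. root root system_u:object_r:svnserve_exec_t:s0 /usr/bin/svnserve
-rw-r-----. svn svn unconfined_u:object_r:etc_t:s0 /etc/svn_sasldb
EOF
}

# Extract the type (third field) from a user:role:type:level context.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Read `ls -Z` lines on stdin and print "name type" for each regular file
# whose type is not in ALLOWED_TYPES. Returns 1 if anything was reported.
# Directories are skipped: the post only queried rules for class "file".
audit_labels() {
    rc=0
    while read -r mode owner group context name; do
        case $mode in
            -*) ;;
            *) continue ;;
        esac
        type=$(context_type "$context")
        case " $ALLOWED_TYPES " in
            *" $type "*) ;;
            *) printf '%s %s\n' "$name" "$type"; rc=1 ;;
        esac
    done
    return $rc
}

sample_listing | audit_labels || echo "relabel needed (semanage fcontext + restorecon)"
```

On a live host the input would come from `ls -Z` on the paths svnserve touches instead of the embedded sample.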

This is an archived mail posted to the Subversion Users mailing list.
