Re: [F8] SELinux, Apache and Subversion problem. [SOLVED]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, 2008-02-04 at 07:51 -0800, Daniel J Walsh wrote:
> -----BEGIN PGP SIGNED MESSAGE----- 
> Hash: SHA1
> 
> Daniel B. Thurman wrote: 
> > Daniel J Walsh wrote: 
> > Daniel B. Thurman wrote: 
> >>>> It seems that I am having a bit of a problem with SElinux, 
> >>>> Apache, and Subversion in the way that I have my subversion 
> >>>> respository located not in the "recommended" place. 
> >>>> 
> >>>> Instead of putting the repository in the recommended place: 
> >>>> /var/www/svn for example, docs says you can put the repository 
> >>>> elsewhere by adding SVNParentPath=/my/place/svn entry into the 
> >>>> /etc/httpd/conf.d/subversion.conf file, but SELinux does not 
> >>>> like it. I did changed the svn repository directory/files with 
> >>>> context httpd_sys_context_t and with ownership of apache.apache. 
> >>>> I also created a link such as /var/www/svn -> /my/svn setting 
> >>>> SVNParentPath=/var/www/svn - it does not work as well. 
> >>>> 
> >>>> I have tested to see if SELinux is blocking access by setting 
> >>>>  setenforce 0, then opened up the firefox browser, entered 
> >>>> my user name and password and it worked, but setting setenforce
> 1 
> >>>> back, breaks it again. 
> >>>> 
> >>>> Does anyone know how to do it - beside recommending that I 
> >>>> place the svn repository directly into /var/www/svn? 
> >>>> 
> >>>> Thanks- 
> >>>> Dan 
> >>>> 
> > What avc messages are you seeing?  /var/log/audit/audit.log
> 
> > I left intact the above and did not snip it because for some 
> > reason, Daniel Walsh has encapsulated it with PGP?  Dunno, 
> > beats me.
> 
> You need to fix the context on the entire path.
> 
> /my/place/svn
> 
> # semanage fcontext -a -t httpd_sys_content_t '/my(/.*)?' 
> # restorecon -R -v /my
> 

Thanks Dan!  This will resolve the SELinux issues when you
svn repository is not in the /var/www location!

As for the rest of the problems encountered with Apache and
Mod_Security, I have found a link explaining how to configure
Mod_Security, Trac, and SVN on F8:

http://fedora-on-dell-laptop.rationalplanet.com/index.php/topic,28.0/prev_next,prev.html#new

Cheers!
Dan

> 
> > The following has to do with problems encountered while setting 
> > up Apache and SubVersion.
> 
> > 1) If I do not install my SVN Repository to the recommened 
> >    place of /var/www/ directory, SELinux blocks access. 
> >    It does not matter if I have set the proper context 
> >    (httpd_sys_content_t), and directory/file ownerships 
> >    (apache.apache)  SElinux does not complain if the repository 
> >    is in /var/www.  The SELinux error logs are provided for 
> >    further examination by those who cares.
> 
  > 2) When I have properly configured my 
> >    /etc/httpd/conf.d/subversion.conf file for access levels and 
> >    permissions, I can go to my favorite browser, type in: 
> >    http://localhost/svn (or whatever you set Location to). and it 
> >    will prompt me for username and password, and will let me 
> >    browse the SVN tree.
> 
> >    My problem comes in when I do NOT use my browser, but 
> >    instead use the command line, or try to access the SVN 
> >    repository remotely or via Eclipse. None of these attempts 
> >    work. For me, it *always* results in a ModSecurity error.
> 
> >    I can however access my repository via file:/// access, I 
> >    just cannot do with with http://  I have tested with setenforce 
> >    and SELinux has nothing to do with this case as there is no 
> >    audit log reports either way.
> 
> 
> > + svn list file:///var/www/svn/projects  [SUCCESSFUL] 
> > ===================================================== 
> > branches/ 
> > tags/ 
> > trunk/
> 
> > + svn list file:///fapp1/svn/projects [SUCCESSFUL] 
> > ================================================== 
> > branches/ 
> > tags/ 
> > trunk/
> 
> > + svn list http://127.0.0.1/svn/projects [FAILURE] 
> > Note: you can use localhost or your FQDN - it still fails. 
> > ========================================================== 
> > svn: PROPFIND request failed on '/svn/projects/!svn/vcc/default' 
> > svn: PROPFIND of '/svn/projects/!svn/vcc/default': 400 Bad 
> >      Request (http://127.0.0.1)
> 
> > %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 
> > NOTE: The following SELinux data appears ONLY if SVN respository 
> >       is NOT in /var/www/svn directory, in my case
> above: /fapp1/svn 
> > %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 
> > /var/log/audit/audit.log: 
> > ========================= 
> > type=AVC msg=audit(1201975689.832:2302): avc:  denied  { search }
> for 
> > pid=22110 comm="httpd" name="/" dev=sdc1 ino=2
> scontext=unconfined_u: 
> > system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0
> tclass=dir 
> > type=SYSCALL msg=audit(1201975689.832:2302): arch=40000003
> syscall=5 
> > success=no exit=-13 a0=ba4ab678 a1=8000 a2=1b6 a3=8000 items=0
> ppid=22104 
> > pid=22110 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48
> sgid=48 
> > fsgid=48 tty=(none) comm="httpd" exe="/usr/sbin/httpd"
> subj=unconfined_u: 
> > system_r:httpd_t:s0 key=(null)
> 
> > sealert: 
> > Summary 
> >     SELinux is preventing access to files with the default label,
> default_t.
> 
> > Detailed Description 
> >     SELinux permission checks on files labeled default_t are being
> denied. 
> >     These files/directories have the default label on them.  This
> can indicate 
> >     a labeling problem, especially if the files being referred to
> are not top 
> >     level directories. Any files/directories under standard system
> directories, 
> >     /usr, /var. /dev, /tmp, ..., should not be labeled with the
> default label. 
> >     The default label is for files/directories which do not have a
> label on a 
> >     parent directory. So if you create a new directory in / you
> might 
> >     legitimately get this label.
> 
> > Allowing Access 
> >     If you want a confined domain to use these files you will
> probably need to 
> >     relabel the file/directory with chcon. In some cases it is just
> easier to 
> >     relabel the system, to relabel execute: "touch /.autorelabel;
> reboot"
> 
> > Additional Information        
> 
> > Source Context                unconfined_u:system_r:httpd_t:s0 
> > Target Context                system_u:object_r:default_t:s0 
> > Target Objects                None [ dir ] 
> > Affected RPM Packages         httpd-2.2.6-3 [application] 
> > Policy RPM                    selinux-policy-3.0.8-81.fc8 
> > Selinux Enabled               True 
> > Policy Type                   targeted 
> > MLS Enabled                   True 
> > Enforcing Mode                Enforcing 
> > Plugin Name                   plugins.default 
> > Host Name                     xxxxx.cdkkt.com 
> > Platform                      Linux xxxxx.cdkkt.com
> 2.6.23.14-107.fc8 #1 SMP Mon 
> >                               Jan 14 21:37:30 EST 2008 i686 i686 
> > Alert Count                   5 
> > First Seen                    Fri 01 Feb 2008 02:03:45 PM PST 
> > Last Seen                     Sat 02 Feb 2008 10:10:33 AM PST 
> > Local ID                      8cb35e21-1c2c-45cf-ac9d-18152da60a1b 
> > Line Numbers                  
> 
> > Raw Audit Messages            
> 
> > avc: denied { search } for comm=httpd dev=sdc1 egid=48 euid=48 
> > exe=/usr/sbin/httpd exit=-13 fsgid=48 fsuid=48 gid=48 items=0 
> >     name=/ pid=22109 
> > scontext=unconfined_u:system_r:httpd_t:s0 sgid=48 
> > subj=unconfined_u:system_r:httpd_t:s0 suid=48 tclass=dir 
> > tcontext=system_u:object_r:default_t:s0 tty=(none) uid=48 
> > %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
> 
> > /var/log/httpd/access_log: 
> > ========================= 
> > 10.1.0.143 - - [02/Feb/2008:09:52:42 -0800] "PROPFIND /svn/projects 
> >    HTTP/1.1" 207 655 "-" "SVN/1.4.4 (r25188) neon/0.27.2" 
> > 10.1.0.143 - - [02/Feb/2008:09:52:43 -0800]
> "PROPFIND /svn/projects/ 
> >    !svn/vcc/default HTTP/1.1" 400 306 "-" "SVN/1.4.4 (r25188)
> neon/0.27.2"
> 
> 
> > /var/log/httpd/error_log: 
> > ========================= 
> > [Sat Feb 02 09:52:42 2008] [error] [client 10.1.0.143] ModSecurity: 
> >    Warning. Match of "rx ^OPTIONS$" against "REQUEST_METHOD"
> required. 
> >    [id "960015"] [msg "Request Missing an Accept Header"] [severity 
> >    "CRITICAL"] [hostname "xxxxx.cdkkt.com"] [uri "/svn/projects"] 
> >    [unique_id "jsS@1goBAI8AAFWPHK8AAAAA"] 
> > [Sat Feb 02 09:52:42 2008] [error] [client 10.1.0.143] ModSecurity: 
> >    Warning. Match of "rx ^((?:(?:POS|GE)T|OPTIONS|HEAD))$" against 
> >    "REQUEST_METHOD" required. [id "960032"] [msg "Method is not 
> >    allowed by policy"] [severity "CRITICAL"] [hostname
> "xxxxx.cdkkt.com"] 
> >    [uri "/svn/projects"] [unique_id 
> >    "jsS@1goBAI8AAFWPHK8AAAAA"] 
> > [Sat Feb 02 09:52:43 2008] [error] [client 10.1.0.143] ModSecurity:
> Access 
> >    allowed (phase 4). Pattern match "^(PROPFIND|PROPPATCH)$" at
> REQUEST_METHOD. 
> >    [hostname "xxxxx.cdkkt.com"] [uri "/svn/projects"] [unique_id 
> >    "jsS@1goBAI8AAFWPHK8AAAAA"] 
> > [Sat Feb 02 09:52:43 2008] [error] [client 10.1.0.143] ModSecurity: 
> >    Access denied with code 400 (phase 2). Match of "rx ^[a-z]{3,10}\
> \\\ 
> >    s*(?:\\\\w{3,7}?\\\\:\\\\/\\\\/[\\\\w\\\\-\\\\.\\\\/]*)??\\\\/[\\
> \\w 
> >    \\\\-\\\\.\\\\/~%:@&=+$,;]*(?:\\\\?[\\\\S]*)??\\\\s*http\\\\/\\\
> \d\\\ 
> >    \.\\\\d$" against "REQUEST_LINE" required. [id "960911"] [msg
> "Invalid 
> >    HTTP Request Line"] [severity "CRITICAL"] [hostname
> "xxxxx.cdkkt.com"] 
> >    [uri "/svn/projects/!svn/vcc/default"] [unique_id
> "jsfGswoBAI8AAFWRHLgAAAAC"]
> 
> 
> -----BEGIN PGP SIGNATURE----- 
> Version: GnuPG v1.4.8 (GNU/Linux) 
> Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
> 
> iEYEARECAAYFAkenNGYACgkQrlYvE4MpobOROgCdEwBsId1GO4pkV6tEpsRr3Iib 
> fn4AniFEf4NVpAIsKiM5BORQAUVokO6e 
> =W+Zw 
> -----END PGP SIGNATURE-----
> 
> -- 
> fedora-list mailing list 
> fedora-list@xxxxxxxxxx 
> To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list 
> 
> No virus found in this incoming message.
> Checked by AVG Free Edition.
> Version: 7.5.516 / Virus Database: 269.19.19/1257 - Release Date:
> 2/3/2008 5:49 PM
>  
> 

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora Magazine]     [Fedora News]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [SSH]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux