* RHES4, Subversion, Apache and SElinux
From: Bernd Bartmann @ 2005-12-15 22:01 UTC (permalink / raw)
To: SELinux
Hi,

I'm trying to set up some Subversion repositories using Apache on a RHES4
server. Now I'm running into a problem with Apache and SElinux.

My SVNParentPath is set to /data/Devel/SVN/repos. /data is on
/dev/md5. I already followed the "How do I set repository permissions
correctly?" FAQ from http://subversion.tigris.org/faq.html and issued
a "chcon -R -h -t httpd_sys_content_t /data/Devel/SVN/repos/", but
whenever I try to access the contents of my Subversion repo I get this in
/var/log/messages:

avc: denied { search } for pid=10337 comm="httpd" name="/" dev=md5
ino=2 scontext=root:system_r:httpd_t tcontext=system_u:object_r:file_t
tclass=dir

Any ideas?

Thanks in advance,
Bernd.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: RHES4, Subversion, Apache and SElinux
From: Tobias Nijweide @ 2005-12-15 22:57 UTC (permalink / raw)
To: SELinux
On Thu, 2005-12-15 at 23:01 +0100, Bernd Bartmann wrote:
> My SVNParentPath is set to /data/Devel/SVN/repos. /data is on
> /dev/md5. I already followed the "How do I set repository permissions
> correctly?" FAQ from http://subversion.tigris.org/faq.html and issued
> a "chcon -R -h -t httpd_sys_content_t /data/Devel/SVN/repos/", but
> whenever I try to access the contents of my Subversion repo I get this in
> /var/log/messages:
>
> avc: denied { search } for pid=10337 comm="httpd" name="/" dev=md5
> ino=2 scontext=root:system_r:httpd_t tcontext=system_u:object_r:file_t
> tclass=dir
Apparently '/data' is of type system_u:object_r:file_t. Before httpd can
access any of the repository files it has to read /, /data, /data/Devel
and /data/Devel/SVN. 3 options:
- Make those dirs of types that httpd_t can search as well.
- Add permission for httpd_t to search directories of type file_t.
- Create a new type, and add permission for httpd_t to search that type.
When changing default policy, it can help a lot to put all of it in a
source repository (SVN? :) because otherwise it's too easy to lose track
of what you changed, and to add your changes back in after you install
the next RH policy.
Good luck,
Tobias Nijweide
* Re: RHES4, Subversion, Apache and SElinux
From: Daniel J Walsh @ 2005-12-15 23:18 UTC (permalink / raw)
To: Bernd Bartmann; +Cc: SELinux
Bernd Bartmann wrote:
> Hi,
>
> I'm trying to set up some Subversion repositories using Apache on a RHES4
> server. Now I'm running into a problem with Apache and SElinux.
>
> My SVNParentPath is set to /data/Devel/SVN/repos. /data is on
> /dev/md5. I already followed the "How do I set repository permissions
> correctly?" FAQ from http://subversion.tigris.org/faq.html and issued
> a "chcon -R -h -t httpd_sys_content_t /data/Devel/SVN/repos/", but
> whenever I try to access the contents of my Subversion repo I get this in
> /var/log/messages:
>
> avc: denied { search } for pid=10337 comm="httpd" name="/" dev=md5
> ino=2 scontext=root:system_r:httpd_t tcontext=system_u:object_r:file_t
> tclass=dir
>
> Any ideas?
>
> Thanks in advance,
> Bernd.
file_t indicates that the file system was never labeled.
try chcon -R -t httpd_sys_content_t /data
to label the entire tree.
* Re: RHES4, Subversion, Apache and SElinux
From: Bernd Bartmann @ 2005-12-15 23:26 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: SELinux
On 12/16/05, Daniel J Walsh <dwalsh@redhat.com> wrote:
> file_t indicates that the file system was never labeled.
> try chcon -R -t httpd_sys_content_t /data
> to label the entire tree.
This results in:
[root@picard ~]# chcon -R -t httpd_sys_content_t /data
chcon: can't apply partial context to unlabeled file /data
I seem to be able to label anything below /data but not /data itself.
Best regards,
Bernd.
* Re: RHES4, Subversion, Apache and SElinux
From: Daniel J Walsh @ 2005-12-15 23:29 UTC (permalink / raw)
To: Bernd Bartmann; +Cc: SELinux
Bernd Bartmann wrote:
> On 12/16/05, Daniel J Walsh <dwalsh@redhat.com> wrote:
>
>> file_t indicates that the file system was never labeled.
>> try chcon -R -t httpd_sys_content_t /data
>> to label the entire tree.
>>
>
> This results in:
> [root@picard ~]# chcon -R -t httpd_sys_content_t /data
> chcon: can't apply partial context to unlabeled file /data
>
> I seem to be able to label anything below /data but not /data itself.
>
> Best regards,
> Bernd.
>
chcon -R system_u:object_r:httpd_sys_content_t /data
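
Added example, not part of the original thread: a small audit that walks every directory httpd must search to reach the repository (the point made in the earlier reply) and flags any that are still file_t, where "chcon -t" fails and a full user:role:type context is needed. The function names and the TYPE placeholder are constructed for illustration; it assumes GNU stat's %C format, and nothing is relabeled.

```shell
#!/bin/sh
# Added example (helper names are constructed, not from the thread).

# Print every directory httpd must search to reach $1, root first.
ancestors() {
    case $1 in /*) ;; *) echo "absolute path required" >&2; return 1 ;; esac
    path=${1%/}
    out=
    while [ -n "$path" ]; do
        out="$path
$out"
        path=${path%/*}
    done
    printf '/\n%s' "$out"
}

# Extract the type field from a context string (user:role:type[:level]).
# -s drops input without ':' so a missing context yields an empty type.
context_type() {
    printf '%s\n' "$1" | cut -s -d: -f3
}

# file_t: per the reply above, the filesystem was never labeled.
classify() {
    case $(context_type "$1") in
        file_t) echo unlabeled ;;
        '')     echo unknown ;;
        *)      echo labeled ;;
    esac
}

# Report the context of each ancestor; print (never run) a fix hint.
audit_path() {
    ancestors "$1" | while IFS= read -r dir; do
        ctx=$(stat -c %C "$dir" 2>/dev/null) || ctx='?'
        state=$(classify "$ctx")
        printf '%-9s %-40s %s\n' "$state" "$ctx" "$dir"
        if [ "$state" = unlabeled ]; then
            # "chcon -t" edits an existing context; with none, give all fields.
            printf '  hint: chcon system_u:object_r:TYPE %s\n' "$dir"
        fi
    done
}

# Usage: sh audit.sh /data/Devel/SVN/repos
if [ $# -gt 0 ]; then audit_path "$1"; fi
```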
* Re: RHES4, Subversion, Apache and SElinux
From: Bernd Bartmann @ 2005-12-15 23:37 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: SELinux
On 12/16/05, Daniel J Walsh <dwalsh@redhat.com> wrote:
> Bernd Bartmann wrote:
> > On 12/16/05, Daniel J Walsh <dwalsh@redhat.com> wrote:
> >
> >> file_t indicates that the file system was never labeled.
> >> try chcon -R -t httpd_sys_content_t /data
> >> to label the entire tree.
> >>
> >
> > This results in:
> > [root@picard ~]# chcon -R -t httpd_sys_content_t /data
> > chcon: can't apply partial context to unlabeled file /data
> >
> > I seem to be able to label anything below /data but not /data itself.
> >
> chcon -R system_u:object_r:httpd_sys_content_t /data
Thanks. This works perfectly.
Best regards,
Bernd.
* Re: RHES4, Subversion, Apache and SElinux
From: Johan Fischer @ 2005-12-16 0:23 UTC (permalink / raw)
To: Bernd Bartmann; +Cc: SELinux
Seems to me that your partition /data does not have an SE context that
httpd_t can search/read/getattr (which is file_t).
If you don't have anything else selinux sensitive in /data (used by
another process under a different context), just chcon all of /data.
In more detail, if I remember, the default_t context is readable
by httpd_t, so just change /data, /data/Devel and /data/Devel/SVN to
default_t.
Cheers.
J.
Bernd Bartmann wrote:
>Hi,
>
>I'm trying to set up some Subversion repositories using Apache on a RHES4
>server. Now I'm running into a problem with Apache and SElinux.
>
>My SVNParentPath is set to /data/Devel/SVN/repos. /data is on
>/dev/md5. I already followed the "How do I set repository permissions
>correctly?" FAQ from http://subversion.tigris.org/faq.html and issued
>a "chcon -R -h -t httpd_sys_content_t /data/Devel/SVN/repos/", but
>whenever I try to access the contents of my Subversion repo I get this in
>/var/log/messages:
>
>avc: denied { search } for pid=10337 comm="httpd" name="/" dev=md5
>ino=2 scontext=root:system_r:httpd_t tcontext=system_u:object_r:file_t
>tclass=dir
>
>Any ideas?
>
>Thanks in advance,
>Bernd.
--
Johan Fischer
Capital Markets CRC Limited
Level 2, 9 Castlereagh Street, Sydney NSW 2000
Tel: +61 2 9233 7999 Direct: +61 2 9236 9150
Fax: +61 2 9236 9177 http://www.cmcrc.com