SVN + SELinux + Apache == Problems

Daniel J Walsh dwalsh at redhat.com
Wed Apr 13 19:14:21 UTC 2005


Jerry Dueitt wrote:

>Yes /projects is a separate LVM mountpoint!
>I tried issuing the chcon -t usr_t /projects and got the following error:
>chcon: can't apply partial context to unlabeled file /projects
>
>  
>
chcon -t usr_t is doing a getfilecon on /projects and attempting to use
the user and role and only changing the type,
but since the system has no context it is failing.
Try:
chcon system_u:object_r:usr_t /projects


>Why would that be?
>Thanks for the help!
>-Jerry.
>
>On 4/13/05, Colin Walters <walters at redhat.com> wrote:
>  
>
>>On Tue, 2005-04-12 at 22:04 -0500, Jerry Dueitt wrote:
>>    
>>
>>>I have been trying to get a SVN repository set up for access via the
>>>DAV module. I have read that you need to do various things to get this
>>>to work on a Fedora Core 3 system. My repository lives in
>>>/projects/svn-repos/ which is a local filesystem. I have changed group
>>>and owner to apache for all files in that directory with chown -R
>>>apache.apache /projects/svn-repos. This obviously didn't work due to
>>>SELinux security contexts. I found online that I needed to do chcon -R
>>>-h -t httpd_sys_content_t /projects/svn-repos.
>>>      
>>>
>>Right.
>>
>>    
>>
>>>I still get the following errors in my /var/log/messages:
>>>Apr 12 21:50:39 fry kernel: audit(1113360639.475:0): avc:  denied  {
>>>search } for  pid=7147 exe=/usr/sbin/httpd name=/ dev=dm-2 ino=2
>>>scontext=root:system_r:httpd_t tcontext=system_u:object_r:file_t
>>>tclass=dir
>>>      
>>>
>>Is /projects a mount for separate LVM device?  It must be labeled.  If
>>ls -Z /projects shows file_t, then that is the problem.
>>
>>Try this:
>>
>>chcon -t usr_t /projects
>>
>>I picked usr_t because it's going to be accessible to httpd_t.  Longer
>>term once we have a better infrastructure for local policy
>>modifications, you'd really want to create a new type such as project_t
>>which you could apply to the directory and give only httpd_t and other
>>domains the access you want.
>>
>>    
>>
>>>Most of the information online indicated people were just turning off
>>>SELinux to avoid this problem. I was wondering if anybody could point
>>>me in the direction of resolving this without disabling SELinux.
>>>      
>>>
>>It's much better to disable SELinux enforcement just for Apache HTTPD,
>>not SELinux as a whole.
>>http://fedora.redhat.com/docs/selinux-faq-fc3/index.html#using-s-c-securitylevel
>>
>>
>>    
>>
>
>  
>


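The following is an added example, not part of the original thread: a small Python triage helper that parses an AVC denial like the one quoted above and, when the target type is `file_t` (no stored label), suggests the full `user:role:type` form of `chcon` from the reply instead of `chcon -t`. The function names and the `mountpoint` argument are hypothetical; the mount point has to be supplied by the caller because the denial only records `name=/` and the device.

```python
import re
import shlex

# Constructed sample: the denial quoted in the thread, re-joined onto one line
# (the mail client had wrapped it).
SAMPLE_AVC = (
    "Apr 12 21:50:39 fry kernel: audit(1113360639.475:0): avc:  denied  { search } "
    "for  pid=7147 exe=/usr/sbin/httpd name=/ dev=dm-2 ino=2 "
    "scontext=root:system_r:httpd_t tcontext=system_u:object_r:file_t tclass=dir"
)

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
NO_LABEL_TYPE = "file_t"  # type seen in the thread for a filesystem with no labels


def parse_avc(line):
    """Return the denial's fields as a dict, or None if this is not an AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"perms": m.group("perms").split()}
    for token in m.group("fields").split():
        key, sep, value = token.partition("=")
        if sep:
            rec[key] = value
    return rec


def context_type(context):
    """The type is the third field of user:role:type[:level]."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None


def relabel_advice(line, mountpoint, new_type="usr_t"):
    """Suggest a chcon command for the denied target (assumed to live at mountpoint)."""
    rec = parse_avc(line)
    if rec is None or "tcontext" not in rec:
        return None
    path = shlex.quote(mountpoint)
    if context_type(rec["tcontext"]) == NO_LABEL_TYPE:
        # No stored label: `chcon -t` has no user/role to reuse, so give all three fields.
        return f"chcon system_u:object_r:{new_type} {path}"
    # The target already has a label, so changing only the type is enough.
    return f"chcon -t {new_type} {path}"
```

`relabel_advice(SAMPLE_AVC, "/projects")` returns the full-context command from the reply; a denial whose target already carries a label yields the `-t` form.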