SELinux, Subversion and mod_svn

After upgrading my server (from Debian Sarge to Debian Etch) I decided to enable SELinux. After reading some documentation (besides Debian’s basic setup documentation I can recommend Fedora’s SELinux wiki and especially this presentation) I got the basic setup working. Getting Subversion to fully work required a few extra steps. For your convenience and my memory I’ve listed them below.

1. Turn on httpd_builtin_scripting and httpd_enable_cgi. Turning on httpd_builtin_scripting gives httpd_t (i.e. apache) permission to read and write files marked httpd_sys_script_rw_t. This is needed for commits to work. Turning on httpd_enable_cgi gives httpd_t permission to execute scripts (marked httpd_sys_script_exec_t), something which is needed for hooks to work.

# setsebool -P httpd_builtin_scripting=1
# setsebool -P httpd_enable_cgi=1

2. Set the proper security context on the files in the repository. Assuming that all repositories are located under /home/svn, the following commands will do the job. Also make sure that the user apache is running as (e.g. www-data) has read access to the repository and write access to the directories dav and db (this is the script I use for that).

# semanage fcontext -a -t httpd_sys_content_t '/home/svn(/.*)?'
# semanage fcontext -a -t httpd_sys_script_rw_t '/home/svn/[^/]+/(dav|db)(/.*)?'
# semanage fcontext -a -t httpd_sys_script_exec_t '/home/svn/[^/]+/hooks(/.*)?'
# restorecon -Rv /home/svn

3. Make sure selinux-policy-refpolicy-dev is installed.

4. Create the directory mysvn. In that directory, create the file mysvn.te with the following contents:

policy_module(mysvn,0.0.1)

require {
        type httpd_t;
        type shell_exec_t;
        type httpd_sys_script_t;
        type var_run_t;
};

# If hooks are shell scripts, apache must be able to run a shell. The
# hooks will run in httpd_sys_script_t.
allow httpd_t shell_exec_t:file rx_file_perms;

# For some reason the scripts search /var/run
allow httpd_sys_script_t var_run_t:dir search;

5. Then run:

# make -f /usr/share/selinux/refpolicy-targeted/include/Makefile
# semodule -i mysvn.pp

The mysvn policy module is needed because hooks are normally shell scripts. For apache to be able to run them it must be able to run a shell. Once the scripts have started, they run in the httpd_sys_script_t domain.
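To check that restorecon really produced the labelling the three semanage rules in step 2 intend (the one place where a typo in a regex silently leaves commits or hooks broken), here is a small audit script. It is an added example, not part of the original post: it mirrors the three fcontext regexes as shell patterns and compares them against `context path` lines; the function names `expected_type` and `check_labels` and the sample lines are mine.

```sh
# Added example, not from the original post: audit that files under the
# repository root carry the types the three semanage fcontext rules intend.
# Pure shell, no SELinux calls, so it can be dry-run on any machine.

# Expected type for one absolute path, mirroring the three regexes:
#   ROOT(/.*)? -> content_t; ROOT/[^/]+/(dav|db)(/.*)? -> script_rw_t;
#   ROOT/[^/]+/hooks(/.*)? -> script_exec_t. Returns 1 for paths outside ROOT.
expected_type() {
    root=$1 path=$2
    case "$path" in
        "$root"|"$root"/*) ;;
        *) return 1 ;;
    esac
    rel=${path#"$root"}; rel=${rel#/}             # e.g. repo1/db/current
    case "$rel" in
        */*) sub=${rel#*/} ;;                     # strip the repository name
        *)   echo httpd_sys_content_t; return 0 ;; # the root or a repo dir itself
    esac
    case "$sub" in                                 # only directly below a repo dir
        dav|dav/*|db|db/*) echo httpd_sys_script_rw_t ;;
        hooks|hooks/*)     echo httpd_sys_script_exec_t ;;
        *)                 echo httpd_sys_content_t ;;
    esac
}

# Read "context path" lines (the shape `ls -dZ` prints) from stdin and report
# every path whose type differs from the expected one. Returns 0 if all match.
check_labels() {
    root=$1 bad=0
    while read -r ctx path; do
        [ -n "$path" ] || continue
        have=${ctx#*:*:}; have=${have%%:*}       # third field of user:role:type[:range]
        want=$(expected_type "$root" "$path") || continue   # not under ROOT: skip
        if [ "$have" != "$want" ]; then
            echo "MISMATCH $path is $have, expected $want"
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# Constructed sample of a half-labelled repository. On the real server feed it
#   find /home/svn -exec ls -dZ {} + | check_labels /home/svn
SAMPLE='system_u:object_r:httpd_sys_content_t /home/svn/repo1/format
system_u:object_r:httpd_sys_script_rw_t /home/svn/repo1/db/current
system_u:object_r:httpd_sys_content_t /home/svn/repo1/hooks/pre-commit
system_u:object_r:httpd_sys_content_t /home/svn/repo1/dav/activities.d'
printf '%s\n' "$SAMPLE" | check_labels /home/svn || echo "fix with: restorecon -Rv /home/svn"
```

Note that `hooks` and `db` only get their special type one level below a repository directory, exactly as the `[^/]+` in the regexes demands; a `trunk/hooks` directory inside a checkout stays `httpd_sys_content_t`.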

Posted Sunday, November 4th, 2007 under security.

4 comments

  1. Victor says:

    Sweet! Thanks for posting this.

  2. Nice, just what I like, quick cut/paste with a good explanation of what you are cut/pasting :)

    Thanks for this.

  3. Would you be able to give instruction for Fedora Core 9 too?

  4. If you review the SELinux policy from the graphical interface, you will find that in Fedora 10 the chcon command was changed. Try:
    chcon -R -h -t httpd_sys_script_rw_t /path/to/repository

    For me it was helpful.

    Best regards