SELinux, Subversion and mod_svn

After upgrading my server (from Debian Sarge to Debian Etch) I decided to enable SELinux. After reading some documentation (besides Debian’s basic setup documentation I can recommend Fedora’s SELinux wiki and especially this presentation) I got the basic setup working. Getting Subversion to fully work required a few extra steps. For your convenience and my memory I’ve listed them below.

1. Turn on httpd_builtin_scripting and httpd_enable_cgi. Turning on httpd_builtin_scripting gives httpd_t (i.e. apache) permission to read and write files marked httpd_sys_script_rw_t. This is needed for commits to work. Turning on httpd_enable_cgi gives httpd_t permission to execute scripts (marked httpd_sys_script_exec_t), something which is needed for hooks to work.

2. Set the proper security context on the files in the repository. Assuming that all repositories are located under /home/svn, the following commands will do the job. Also make sure that the user apache is running as (e.g. www-data) has read access to the repository and write access to the directories dav and db (this is the script I use for that).

3. Make sure selinux-policy-refpolicy-dev is installed.

4. Create the directory mysvn. In that directory, create the file mysvn.te with the following contents:

5. Then run:

The mysvn policy module is needed because hooks are normally shell scripts. For apache to be able to run them it must be able to run a shell. Once the scripts have started, they run in the httpd_sys_script_t domain.
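A check for the state that steps 1 and 2 should leave behind, as an added example that is not part of the original post: it reports which of the two booleans are still off and which repository paths carry the wrong type. Assumptions: hook scripts sit under `<repo>/hooks/` and every other repository path carries the read/write type; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the SELinux state steps 1 and 2 are meant to produce.

# Type is the third colon-separated field of a context (user:role:type[:level]).
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# stdin: `getsebool -a` lines ("name --> on"). Prints each boolean from
# step 1 that is not reported as on; a missing line counts as off.
missing_booleans() {
    input=$(cat)
    for b in httpd_builtin_scripting httpd_enable_cgi; do
        printf '%s\n' "$input" | grep -q "^$b --> on\$" || printf '%s\n' "$b"
    done
}

# Assumption: hooks live in <repo>/hooks/ and need the exec type; everything
# else is repository data that httpd_t must read and write.
expected_type() {
    case "$1" in
        */hooks/*) echo httpd_sys_script_exec_t ;;
        *)         echo httpd_sys_script_rw_t ;;
    esac
}

# stdin: "context path" pairs as printed by `stat -c '%C %n'`.
# Prints every path whose type differs from expected_type.
mislabeled() {
    while read -r ctx path; do
        [ -n "$path" ] || continue
        have=$(context_type "$ctx"); want=$(expected_type "$path")
        [ "$have" = "$want" ] || printf '%s: %s (want %s)\n' "$path" "$have" "$want"
    done
}

# Live use:  getsebool -a | missing_booleans
#            find /home/svn -exec stat -c '%C %n' {} + | mislabeled
# Constructed sample input, so the script also runs on a host without SELinux:
printf 'httpd_builtin_scripting --> on\nhttpd_enable_cgi --> off\n' | missing_booleans
mislabeled <<'EOF'
system_u:object_r:httpd_sys_script_rw_t:s0 /home/svn/proj/db/current
system_u:object_r:httpd_sys_script_rw_t:s0 /home/svn/proj/hooks/post-commit
EOF
```

Empty output from both functions means the booleans and labels match what the steps describe; a hook that never fires usually shows up here as a file under `hooks/` still labelled with the read/write type.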

4 thoughts on “SELinux, Subversion and mod_svn”

  1. If you review the SELinux policy from the graphical interface, you will find that in Fedora 10 the chcon command was changed. Try:
    chcon -R -h -t httpd_sys_script_rw_t /path/to/repository

    For me it was helpful.

    Best regards
