It turned out that the problem was related to the following message that I’ve been seeing in my log:

avc:  denied  { execute_no_trans } for  pid=972 comm="apache2"
name="bash" dev=hda1 ino=26110
scontext=user_u:system_r:httpd_t:s0
tcontext=system_u:object_r:shell_exec_t:s0 tclass=file

The mail() function in PHP (which is what wordpress uses to send the notification mail) is implemented using popen(3). When you call mail(), PHP executes popen(“sendmail …”, “w”). This ends up with a call to “sh -c sendmail …”, which explains the log message.

The solution was allow execute_no_trans for httpd:

allow httpd_t shell_exec_t:file execute_no_trans;

1. Turn on httpd_builtin_scripting and httpd_enable_cgi. Turning on httpd_builtin_scripting gives httpd_t (i.e. apache) permission to read and write files marked httpd_sys_script_rw_t. This is needed for commits to work. Turning on httpd_enable_cgi gives httpd_t permission to execute scripts (marked httpd_sys_script_exec_t), something which is needed for hooks to work.

# setsebool -P httpd_builtin_scripting=1
# setsebool -P httpd_enable_cgi=1

2. Set the proper security context on the files in the repository. Assuming that all repositories are located under /home/svn, the following commands will do the job. Also make sure that the user apache is running as (e.g. www-data) has read access to the repository and write access to the directories dav and db (this is the script I use for that).

# semanage fcontext -a -t httpd_sys_content_t '/home/svn(/.*)?'
# semanage fcontext -a -t httpd_sys_script_rw_t '/home/svn/[^/]+/(dav|db)(/.*)?'
# semanage fcontext -a -t httpd_sys_script_exec_t '/home/svn/[^/]+/hooks(/.*)?'
# restorecon -Rv /home/svn

3. Make sure selinux-policy-refpolicy-dev is installed.

4. Create the directory mysvn. In that directory, create the file mysvn.te with the following contents:

policy_module(mysvn,0.0.1)

require {
        type httpd_t;
        type shell_exec_t;
        type httpd_sys_script_t;
        type var_run_t;
};

# If hooks are shell scripts, apache must be able to run a shell. The
# hooks will run in httpd_sys_script_t.
allow httpd_t shell_exec_t:file rx_file_perms;

# For some reason the scripts searches /var/run
allow httpd_sys_script_t var_run_t:dir search;

5. Then run:

# make -f /usr/share/selinux/refpolicy-targeted/include/Makefile
# semodule -i mysvn.pp

The mysvn policy module is needed because hooks are normally shell scripts. For apache to be able to run them it must be able to run a shell. Once the scripts have started, they run in the httpd_sys_script_t domain.

Since libsepol1-dev ships with a static version of libsepol, I’ve also recompiled some of the packages that build-depends on libsepol1-dev and added them to the repository as well.

If you wish to use SELinux on you slug and feel that you trust me enough to use my version of this rather central piece of security software, add this to your sources.list:

deb http://eddie.ejohansson.se/debian/ etch main

The version number is the same as the version in etch with ‘a’ added at the end. Hopefully this means that when updated official packages are released they will automatically be upgraded.

If you want information on how to configure SELinux, this guide worked for me. But before you follow that guide (and after installing my updated packages), run ‘dpkg-reconfigure selinux-policy-refpolicy-targeted’ so that the base module and modules for the daemons you’re using are properly loaded.