Re: svnserve setup on RHEL-7.5
On 10/02/2018 02:52 AM, Ryan Schmidt wrote:
>
>
> On Oct 1, 2018, at 22:33, Adam Jensen wrote:
>
>> I am attempting to set up an svn server on Scientific Linux 7.5 using
>> subversion from the wandisco repository. This is my entire process
>> (below). The current result is:
>>
>> svn list svn://moria.metadatalibrary.org/MAAPSS
>> svn: E170013: Unable to connect to a repository at URL
>> 'svn://moria.metadatalibrary.org/MAAPSS'
>> svn: E13: Can't open file '/srv/svn/MAAPSS/format': Permission denied
>>
>> Does anyone have any idea what have caused this problem?
>
> Might SELinux be enabled on the server, and if so, might you need to use the
> chcon command to grant the svn user access to that area of the filesystem?
>
>

Thanks, Ryan. I looked at SELinux last night as the potential source of the problem but dismissed it somehow. Looking at it again earlier today with fresh eyes, it certainly does seem to be the problem.

This is my solution:

chcon -Rv --user system_u /srv/svn
chcon -Rv --type svnserve_content_t /srv/svn

ls -Z /srv
drwxr-xr-x. svn svn system_u:object_r:svnserve_content_t:s0 svn

# Test it:
svn list svn://moria.metadatalibrary.org/MAAPSS/
Authentication realm: moria.metadatalibrary.org
Password for 'hanzer': *

# Make it permanent:
semanage fcontext -a -s system_u -t svnserve_content_t "/srv/svn(/.*)?"
restorecon -R -v /srv/svn

# Verify:
matchpathcon -V /srv/svn
/srv/svn verified.

And for posterity, here are my problem exploration notes:

---

less /var/log/messages
# The relevant parts:
# SELinux is preventing svnserve from read access on the file format.
# If you want to allow svnserve to have read access on the format file
# Then you need to change the label on format
# semanage fcontext -a -t FILE_TYPE 'format'
# where FILE_TYPE is one of the following:
# svnserve_content_t, svnserve_exec_t, svnserve_log_t, svnserve_tmp_t, svnserve_var_run_t

ps -efZ | grep svn
system_u:system_r:svnserve_t:s0 svn 4700 1 0 Oct01 ? 00:00:00 /usr/bin/svnserve --daemon --pid-file /run/svnserve/svnserve.pid --root /srv/svn/ --listen-port=3690 --log-file /var/log/svnserve/svnserve.log

ls -Z /srv/
drwxr-xr-x. svn svn unconfined_u:object_r:var_t:s0 svn

sesearch --allow --source svnserve_t --target var_t --class file
# empty output

sesearch --allow --source svnserve_t --target svnserve_content_t --class file
Found 1 semantic av rules:
   allow svnserve_t svnserve_content_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;

sesearch --allow --source svnserve_t --target svnserve_exec_t --class file
Found 1 semantic av rules:
   allow svnserve_t svnserve_exec_t : file { ioctl read getattr lock execute execute_no_trans entrypoint open } ;

sesearch --allow --source svnserve_t --target svnserve_log_t --class file
Found 2 semantic av rules:
   allow svnserve_t svnserve_log_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
   allow daemon logfile : file { ioctl getattr lock append } ;

sesearch --allow --source svnserve_t --target svnserve_tmp_t --class file
Found 2 semantic av rules:
   allow svnserve_t svnserve_tmp_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
   allow domain tmpfile : file { ioctl read getattr lock append open } ;

sesearch --allow --source svnserve_t --target svnserve_var_run_t --class file
Found 1 semantic av rules:
   allow svnserve_t svnserve_var_run_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;

ls -Z /var/log
drwxr-xr-x. svn root unconfined_u:object_r:var_log_t:s0 svnserve

ls -Z /var/log/svnserve/
-rw-r--r--. svn svn system_u:object_r:svnserve_log_t:s0 svnserve.log

ls -Z /run
drwxr-xr-x. svn svn system_u:object_r:svnserve_var_run_t:s0 svnserve

ls -Z /run/svnserve/
-rw-r--r--. svn svn system_u:object_r:svnserve_var_run_t:s0 svnserve.pid

ls -Z /usr/bin/svnserve
-rwxr-xr-x. root root system_u:object_r:svnserve_exec_t:s0 /usr/bin/svnserve

ls -Z /etc/sasl2/svn.conf
-rw-r--r--. root root unconfined_u:object_r:etc_t:s0 /etc/sasl2/svn.conf

ls -Z /etc/svn_sasldb
-rw-r-. svn svn unconfined_u:object_r:etc_t:s0 /etc/svn_sasldb

sesearch --allow --source svnserve_t --target etc_t --class file
Found 1 semantic av rules:
   allow domain base_ro_file_type : file { ioctl read getattr lock open } ;

chcon -Rv --user system_u /srv/svn
chcon -Rv --type svnserve_content_t /srv/svn

ls -Z /srv
drwxr-xr-x. svn svn system_u:object_r:svnserve_content_t:s0 svn

# Test it:
svn list svn://moria.metadatalibrary.org/MAAPSS/
Authentication realm: moria.metadatalibrary.org
Password for 'hanzer': *

# Make it permanent:
semanage fcontext -a -s system_u -t svnserve_content_t "/srv/svn(/.*)?"
restorecon -R -v /srv/svn

# Verify:
matchpathcon -V /srv/svn
/srv/svn verified.
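
An added example, not part of the message above and not code from Subversion or the SELinux tools: a shell filter that summarizes the AVC denials behind a "Permission denied" like this one, grouped by the denied domain. The audit records are constructed (only pid 4700, the object name "format" and the var_t label come from the notes), and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed audit records. pid 4700, the object name "format" and the
# var_t label come from the notes above; every other value is made up.
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1538450001.101:812): avc:  denied  { read } for  pid=4700 comm="svnserve" name="format" dev="dm-0" ino=67 scontext=system_u:system_r:svnserve_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1538450001.207:813): avc:  denied  { read } for  pid=4700 comm="svnserve" name="format" dev="dm-0" ino=67 scontext=system_u:system_r:svnserve_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1538450090.500:820): avc:  denied  { getattr } for  pid=911 comm="httpd" path="/srv/www/x" dev="dm-0" ino=99 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
type=SYSCALL msg=audit(1538450001.101:812): arch=c000003e syscall=2 success=no exit=-13 comm="svnserve"
EOF
}

# denials_for DOMAIN  (hypothetical helper)
# Reads audit records on stdin and prints, for each distinct denial against
# DOMAIN: "<count> <permissions> <class> <target type> <object>".
denials_for() {
  awk -v dom="$1" '
    $1 == "type=AVC" && / denied / {
      perms = ""; obj = "?"; sdom = ""; ttype = ""; cls = ""; inset = 0
      for (i = 2; i <= NF; i++) {
        if ($i == "{") { inset = 1; continue }   # start of permission set
        if ($i == "}") { inset = 0; continue }   # end of permission set
        if (inset) { perms = (perms == "" ? $i : perms "," $i); continue }
        eq = index($i, "=")
        if (eq == 0) continue                    # not a key=value field
        k = substr($i, 1, eq - 1); v = substr($i, eq + 1)
        gsub(/"/, "", v)
        # An SELinux context is user:role:type:level, so the type is field 3.
        if (k == "scontext")      { split(v, c, ":"); sdom = c[3] }
        else if (k == "tcontext") { split(v, c, ":"); ttype = c[3] }
        else if (k == "tclass")   { cls = v }
        else if (k == "name" || k == "path") { obj = v }
      }
      if (sdom == dom) seen[perms " " cls " " ttype " " obj]++
    }
    END { for (k in seen) print seen[k], k }'
}

# Live use (as root): denials_for svnserve_t < /var/log/audit/audit.log
sample_audit_log | denials_for svnserve_t
```

A target type of var_t for svnserve_t is the mislabel that the chcon and semanage steps above correct.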
[ANNOUNCE] Apache Subversion 1.11.0-rc2 released
I'm happy to announce the release of Apache Subversion 1.11.0-rc2.
Please choose the mirror closest to you by visiting:

    https://subversion.apache.org/download.cgi#pre-releases

SHA-512 checksums are available at:

    https://www.apache.org/dist/subversion/subversion-1.11.0-rc2.tar.bz2.sha512
    https://www.apache.org/dist/subversion/subversion-1.11.0-rc2.tar.gz.sha512
    https://www.apache.org/dist/subversion/subversion-1.11.0-rc2.zip.sha512

PGP Signatures are available at:

    https://www.apache.org/dist/subversion/subversion-1.11.0-rc2.tar.bz2.asc
    https://www.apache.org/dist/subversion/subversion-1.11.0-rc2.tar.gz.asc
    https://www.apache.org/dist/subversion/subversion-1.11.0-rc2.zip.asc

For this release, the following people have provided PGP signatures:

   Julian Foad [4096R/1FB064B84EECC493] with fingerprint:
    6011 63CF 9D49 9FD7 18CF 582D 1FB0 64B8 4EEC C493
   Branko Čibej [4096R/1BCA6586A347943F] with fingerprint:
    BA3C 15B1 337C F0FB 222B D41A 1BCA 6586 A347 943F
   Stefan Sperling [2048R/4F7DBAA99A59B973] with fingerprint:
    8BC4 DAE0 C5A4 D65F 4044 0107 4F7D BAA9 9A59 B973
   Johan Corveleyn [4096R/B59CE6D6010C8AAD] with fingerprint:
    8AA2 C10E EAAD 44F9 6972 7AEA B59C E6D6 010C 8AAD

This is a pre-release for what will eventually become version 1.11.0 of the Apache Subversion open source version control system. It may contain known issues; a complete list of 1.11.0-blocking issues can be found here:

    https://issues.apache.org/jira/issues/?jql=project%20%3D%20SVN%20AND%20resolution%20%3D%20Unresolved%20AND%20fixVersion%20%3D%201.11.0%20ORDER%20BY%20priority%20DESC%2C%20updated%20DESC

A pre-release means the Subversion developers feel that this release is ready for widespread testing by the community. There are known issues (and unknown ones!), so please use it at your own risk, though we do encourage people to test this release thoroughly. Of particular note, please remember that persistent data, such as the working copy or repository formats may change before the final release, and there may not be an upgrade path from the pre-releases to the final.

As a note to operating system distro packagers: while we wish to have this release candidate widely tested, we do not feel that it is ready for packaging and providing to end-users through a distro package system. Packaging a release candidate poses many problems, the biggest being that our policy lets us break compatibility between the release candidate and the final release, if we find something serious enough. Having many users depending on a release candidate through their distro would cause no end of pain and frustration that we do not want to have to deal with. However, if your distro has a branch that is clearly labeled as containing experimental and often broken software, and explicitly destined to consenting developers and integrators only, then we're okay with packaging the release candidate there. Just don't let it near the end users please.

Release notes for the 1.11.x release series may be found at:

    https://subversion.apache.org/docs/release-notes/1.11.html

You can find the list of changes between 1.11.0-rc2 and earlier versions at:

    https://svn.apache.org/repos/asf/subversion/tags/1.11.0-rc2/CHANGES

Questions, comments, and bug reports to users@subversion.apache.org.

Thanks,
- The Subversion Team

--
To unsubscribe, please see:

    https://subversion.apache.org/mailing-lists.html#unsubscribing
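
An added example, not part of the announcement and not the Subversion project's own tooling: a shell check that accepts a download only when a valid signature comes from one of the four fingerprints listed above, rather than from any key that happens to be in the local keyring. The gpg status lines are constructed, the function names are hypothetical, and treating the listed fingerprints as signing-key or primary-key fingerprints is an assumption.

```shell
#!/bin/sh
# Release-signer fingerprints copied from the announcement, spaces removed.
PINNED="601163CF9D499FD718CF582D1FB064B84EECC493 BA3C15B1337CF0FB222BD41A1BCA6586A347943F"
PINNED="$PINNED 8BC4DAE0C5A4D65F404401074F7DBAA99A59B973 8AA2C10EEAAD44F969727AEAB59CE6D6010C8AAD"

# Constructed gpg status output: one signature from a pinned key and one that
# is cryptographically valid but made by a key (all-A fingerprint) not listed.
sample_status() {
cat <<'EOF'
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 1FB064B84EECC493 Constructed User ID One
[GNUPG:] VALIDSIG 601163CF9D499FD718CF582D1FB064B84EECC493 2018-10-10 1539129600 0 4 0 1 10 00 601163CF9D499FD718CF582D1FB064B84EECC493
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG AAAAAAAAAAAAAAAA Constructed User ID Two
[GNUPG:] VALIDSIG AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 2018-10-10 1539129600 0 4 0 1 10 00 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
EOF
}

# pinned_signers (hypothetical helper): reads `gpg --status-fd 1` output on
# stdin and prints the fingerprint of every VALIDSIG whose signing-key ($3) or
# primary-key (last field) fingerprint is pinned. Exit status is 1 if none is.
pinned_signers() {
  awk -v pinned="$PINNED" '
    BEGIN { n = split(pinned, p, " "); for (i = 1; i <= n; i++) ok[p[i]] = 1 }
    $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
      # Prefer the primary-key fingerprint; fall back to the signing key.
      fpr = ($NF in ok) ? $NF : $3
      if (fpr in ok) { print fpr; hits++ }
    }
    END { exit (hits > 0 ? 0 : 1) }'
}

# Live use, with the file names from the announcement:
#   gpg --status-fd 1 --verify subversion-1.11.0-rc2.tar.bz2.asc \
#       subversion-1.11.0-rc2.tar.bz2 | pinned_signers
sample_status | pinned_signers
```

The .sha512 files only detect a corrupted or truncated download; the pinned-fingerprint check is what ties the archive to the people named in the announcement.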