On 10/02/2018 02:52 AM, Ryan Schmidt wrote:
>
> On Oct 1, 2018, at 22:33, Adam Jensen wrote:
>
>> I am attempting to set up an svn server on Scientific Linux 7.5 using
>> subversion from the wandisco repository. This is my entire process
>> (below). The current result is:
>>
>> svn list svn://moria.metadatalibrary.org/MAAPSS
>> svn: E170013: Unable to connect to a repository at URL
>> 'svn://moria.metadatalibrary.org/MAAPSS'
>> svn: E000013: Can't open file '/srv/svn/MAAPSS/format': Permission denied
>>
>> Does anyone have any idea what might have caused this problem?
>
> Might SELinux be enabled on the server, and if so, might you need to use the
> chcon command to grant the svn user access to that area of the filesystem?
>
Thanks, Ryan. I looked at SELinux last night as the potential source of
the problem but dismissed it somehow. Looking at it again earlier today
with fresh eyes, it certainly does seem to be the problem. This is my
solution:

chcon -Rv --user system_u /srv/svn
chcon -Rv --type svnserve_content_t /srv/svn

ls -Z /srv
drwxr-xr-x. svn svn system_u:object_r:svnserve_content_t:s0 svn

# Test it:
svn list svn://moria.metadatalibrary.org/MAAPSS/
Authentication realm: <svn://moria.metadatalibrary.org:3690> moria.metadatalibrary.org
Password for 'hanzer': *************

# Make it permanent:
semanage fcontext -a -s system_u -t svnserve_content_t "/srv/svn(/.*)?"
restorecon -R -v /srv/svn

# Verify:
matchpathcon -V /srv/svn
/srv/svn verified.

And for posterity, here are my problem exploration notes:

-----------------------------------------------------------------------
less /var/log/messages
# The relevant parts:
# SELinux is preventing svnserve from read access on the file format.
# If you want to allow svnserve to have read access on the format file
# Then you need to change the label on format
# semanage fcontext -a -t FILE_TYPE 'format'
# where FILE_TYPE is one of the following:
# svnserve_content_t, svnserve_exec_t, svnserve_log_t, svnserve_tmp_t, svnserve_var_run_t

ps -efZ | grep svn
system_u:system_r:svnserve_t:s0 svn 4700 1 0 Oct01 ? 00:00:00 /usr/bin/svnserve --daemon --pid-file /run/svnserve/svnserve.pid --root /srv/svn/ --listen-port=3690 --log-file /var/log/svnserve/svnserve.log

ls -Z /srv/
drwxr-xr-x. svn svn unconfined_u:object_r:var_t:s0 svn

sesearch --allow --source svnserve_t --target var_t --class file
# empty output

sesearch --allow --source svnserve_t --target svnserve_content_t --class file
Found 1 semantic av rules:
   allow svnserve_t svnserve_content_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;

sesearch --allow --source svnserve_t --target svnserve_exec_t --class file
Found 1 semantic av rules:
   allow svnserve_t svnserve_exec_t : file { ioctl read getattr lock execute execute_no_trans entrypoint open } ;

sesearch --allow --source svnserve_t --target svnserve_log_t --class file
Found 2 semantic av rules:
   allow svnserve_t svnserve_log_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
   allow daemon logfile : file { ioctl getattr lock append } ;

sesearch --allow --source svnserve_t --target svnserve_tmp_t --class file
Found 2 semantic av rules:
   allow svnserve_t svnserve_tmp_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
   allow domain tmpfile : file { ioctl read getattr lock append open } ;

sesearch --allow --source svnserve_t --target svnserve_var_run_t --class file
Found 1 semantic av rules:
   allow svnserve_t svnserve_var_run_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;

ls -Z /var/log
drwxr-xr-x. svn root unconfined_u:object_r:var_log_t:s0 svnserve

ls -Z /var/log/svnserve/
-rw-r--r--. svn svn system_u:object_r:svnserve_log_t:s0 svnserve.log

ls -Z /run
drwxr-xr-x. svn svn system_u:object_r:svnserve_var_run_t:s0 svnserve

ls -Z /run/svnserve/
-rw-r--r--. svn svn system_u:object_r:svnserve_var_run_t:s0 svnserve.pid

ls -Z /usr/bin/svnserve
-rwxr-xr-x. root root system_u:object_r:svnserve_exec_t:s0 /usr/bin/svnserve

ls -Z /etc/sasl2/svn.conf
-rw-r--r--. root root unconfined_u:object_r:etc_t:s0 /etc/sasl2/svn.conf

ls -Z /etc/svn_sasldb
-rw-r-----. svn svn unconfined_u:object_r:etc_t:s0 /etc/svn_sasldb

sesearch --allow --source svnserve_t --target etc_t --class file
Found 1 semantic av rules:
   allow domain base_ro_file_type : file { ioctl read getattr lock open } ;

chcon -Rv --user system_u /srv/svn
chcon -Rv --type svnserve_content_t /srv/svn

ls -Z /srv
drwxr-xr-x. svn svn system_u:object_r:svnserve_content_t:s0 svn

# Test it:
svn list svn://moria.metadatalibrary.org/MAAPSS/
Authentication realm: <svn://moria.metadatalibrary.org:3690> moria.metadatalibrary.org
Password for 'hanzer': *************

# Make it permanent:
semanage fcontext -a -s system_u -t svnserve_content_t "/srv/svn(/.*)?"
restorecon -R -v /srv/svn

# Verify:
matchpathcon -V /srv/svn
/srv/svn verified.
-----------------------------------------------------------------------

I made a couple of changes to the setup:

vi /etc/sasl2/svn.conf
pwcheck_method: auxprop
auxprop_plugin: sasldb
sasldb_path: /etc/svn_sasldb
mech_list: DIGEST-MD5

grep "^[^#]" /srv/svn/MAAPSS/conf/svnserve.conf
[general]
anon-access = none
auth-access = write
password-db = passwd
realm = moria.metadatalibrary.org
[sasl]
use-sasl = true
min-encryption = 128
max-encryption = 256

grep "^[^#]" /srv/svn/MAAPSS/conf/passwd
[users]

Curiously, on the local machine "moria" this works:

svn list svn://moria.metadatalibrary.org/MAAPSS/
Authentication realm: <svn://moria.metadatalibrary.org:3690> moria.metadatalibrary.org
Password for 'hanzer': *************

But from a machine on the LAN (also SL-7.5 with the same wandisco svn):

svn list svn://moria.metadatalibrary.org/MAAPSS/
svn: E170013: Unable to connect to a repository at URL 'svn://moria.metadatalibrary.org/MAAPSS'
svn: E210007: Cannot negotiate authentication mechanism

Do you suppose this is a network configuration problem rather than an
svn configuration problem?
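
Added example, not part of the original message and not the poster's own script: the label check done by hand in the exploration notes (compare each file's type in `ls -Z` against the types `sesearch` showed svnserve_t may read), written as a shell filter. The function names, the READABLE_TYPES variable and the sample listing are assumptions constructed from the output quoted in the message.

```shell
#!/bin/sh
# Added example: list files that svnserve_t has no file-read rule for,
# judged by the SELinux type in `ls -Z` output.

# Types the message's sesearch runs showed svnserve_t may read
# (etc_t is covered there through the base_ro_file_type attribute).
READABLE_TYPES="svnserve_content_t svnserve_exec_t svnserve_log_t svnserve_tmp_t svnserve_var_run_t etc_t"

# Constructed sample in the five-column `ls -Z` layout seen in the message
# (mode, owner, group, context, name); full paths are used for clarity.
sample_listing() {
    cat <<'EOF'
drwxr-xr-x. svn svn unconfined_u:object_r:var_t:s0 /srv/svn
-rw-r--r--. svn svn system_u:object_r:svnserve_log_t:s0 /var/log/svnserve/svnserve.log
-rw-r--r--. svn svn system_u:object_r:svnserve_var_run_t:s0 /run/svnserve/svnserve.pid
-rwxr-xr-x. root root system_u:object_r:svnserve_exec_t:s0 /usr/bin/svnserve
-rw-r-----. svn svn unconfined_u:object_r:etc_t:s0 /etc/svn_sasldb
EOF
}

# Reads `ls -Z` lines on stdin and prints "<name> <type>" for every entry
# whose type is not in READABLE_TYPES. Names containing spaces are not handled.
find_unreadable() {
    awk -v ok="$READABLE_TYPES" '
        BEGIN { n = split(ok, t, " "); for (i = 1; i <= n; i++) allowed[t[i]] = 1 }
        NF >= 5 {
            split($4, ctx, ":")            # user:role:type:level
            if (!(ctx[3] in allowed)) print $5, ctx[3]
        }'
}

sample_listing | find_unreadable   # prints: /srv/svn var_t
```

On a live system the same filter can be fed real output, for example `ls -Zd /srv/svn /etc/svn_sasldb | find_unreadable`, provided `ls -Z` prints the five-column layout shown above.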