svnserve is unable to start with SELinux in enforcing mode
Issue
- When we try to start svnserve with SELinux in enforcing mode, it fails with:
# systemctl start svnserve
Job for svnserve.service failed because the control process exited with error code. See "systemctl status svnserve.service" and "journalctl -xe" for details.
# systemctl status svnserve
● svnserve.service - Subversion protocol daemon
Loaded: loaded (/usr/lib/systemd/system/svnserve.service; enabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Thu 2018-12-06 11:03:29 CET; 6s ago
Process: 13428 ExecStart=/usr/bin/svnserve --daemon --pid-file=/run/svnserve/svnserve.pid $OPTIONS (code=exited, status=1/FAILURE)
Dec 06 11:03:29 server01 systemd[1]: Starting Subversion protocol daemon...
Dec 06 11:03:29 server01 svnserve[13428]: svnserve: E000013: Can't check path '/pkgs/user1/svnroot/DW_user1': Permission denied
Dec 06 11:03:29 server01 systemd[1]: svnserve.service: control process exited, code=exited status=1
Dec 06 11:03:29 server01 systemd[1]: Failed to start Subversion protocol daemon.
Dec 06 11:03:29 server01 systemd[1]: Unit svnserve.service entered failed state.
Dec 06 11:03:29 server01 systemd[1]: svnserve.service failed.
- The corresponding AVC denials in the audit log:
# ausearch -m avc
----
time->Thu Dec 6 11:03:29 2018
type=PROCTITLE msg=audit(1544090609.927:1248826): proctitle=2F7573722F62696E2F73766E7365727665002D2D6461656D6F6E002D2D7069642D66696C653D2F72756E2F73766E73657276652F73766E73657276652E706964002D2D726F6F743D2F706B67732F65746C2F73766E726F6F742F44575F45544C002D2D6C697374656E2D686F73743D6C626E647331333338002D2D6C69737465
type=SYSCALL msg=audit(1544090609.927:1248826): arch=c000003e syscall=4 success=no exit=-13 a0=556384cae470 a1=7fffd9fdbeb0 a2=7fffd9fdbeb0 a3=7fffd9fdb920 items=1 ppid=1 pid=13428 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="svnserve" exe="/usr/bin/svnserve" subj=system_u:system_r:svnserve_t:s0 key=(null)
type=AVC msg=audit(1544090609.927:1248826): avc: denied { dac_read_search } for pid=13428 comm="svnserve" capability=2 scontext=system_u:system_r:svnserve_t:s0 tcontext=system_u:system_r:svnserve_t:s0 tclass=capability
type=AVC msg=audit(1544090609.927:1248826): avc: denied { dac_override } for pid=13428 comm="svnserve" capability=1 scontext=system_u:system_r:svnserve_t:s0 tcontext=system_u:system_r:svnserve_t:s0 tclass=capability
----
time->Thu Dec 6 11:10:38 2018
type=PROCTITLE msg=audit(1544091038.464:1249131): proctitle=2F7573722F62696E2F73766E7365727665002D2D6461656D6F6E002D2D7069642D66696C653D2F72756E2F73766E73657276652F73766E73657276652E706964002D2D726F6F743D2F706B67732F65746C2F73766E726F6F742F44575F45544C002D2D6C697374656E2D686F73743D6C626E647331333338002D2D6C69737465
type=SYSCALL msg=audit(1544091038.464:1249131): arch=c000003e syscall=4 success=yes exit=0 a0=5626ecd7a470 a1=7fff12c81290 a2=7fff12c81290 a3=7fff12c80ce0 items=1 ppid=1 pid=14455 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="svnserve" exe="/usr/bin/svnserve" subj=system_u:system_r:svnserve_t:s0 key=(null)
type=AVC msg=audit(1544091038.464:1249131): avc: denied { dac_override } for pid=14455 comm="svnserve" capability=1 scontext=system_u:system_r:svnserve_t:s0 tcontext=system_u:system_r:svnserve_t:s0 tclass=capability
- If I put the system into 'permissive' mode then svnserve starts.
- The systemd unit file for svnserve is:
# more /usr/lib/systemd/system/svnserve.service
[Unit]
Description=Subversion protocol daemon
After=syslog.target network.target
[Service]
Type=forking
EnvironmentFile=/etc/sysconfig/svnserve
ExecStart=/usr/bin/svnserve --daemon --pid-file=/run/svnserve/svnserve.pid $OPTIONS
[Install]
WantedBy=multi-user.target
- The EnvironmentFile is:
# OPTIONS is used to pass command-line arguments to svnserve.
#
# Specify the repository location in -r parameter:
#
#
OPTIONS="--root=/pkgs/user1/svnroot/DW_user1 --listen-host=server01 --listen-port=24399"
- For the "DW_user1" directory the permissions are:
# ls -alZ /pkgs/user1/svnroot/DW_user1
drwxr-x---. user1 user1 unconfined_u:object_r:svnserve_content_t:s0 .
drwxr-x---. user1 user1 unconfined_u:object_r:default_t:s0 ..
drwxr-x---. user1 user1 unconfined_u:object_r:svnserve_content_t:s0 conf
drwxr-x---. user1 user1 unconfined_u:object_r:svnserve_content_t:s0 custom_commands
drwxr-s---. user1 user1 unconfined_u:object_r:svnserve_content_t:s0 db
-r--r-----. user1 user1 unconfined_u:object_r:svnserve_content_t:s0 format
drwxr-x---. user1 user1 unconfined_u:object_r:svnserve_content_t:s0 hooks
drwxr-x---. user1 user1 unconfined_u:object_r:svnserve_content_t:s0 locks
-rw-r-----. user1 user1 unconfined_u:object_r:svnserve_content_t:s0 README.txt
# ls -dalZ /pkgs/user1/svnroot
drwxr-x---. user1 user1 unconfined_u:object_r:default_t:s0 /pkgs/user1/svnroot
# ls -dalZ /pkgs/user1/
drwxrws---. user1 user1 system_u:object_r:default_t:s0 /pkgs/user1/
# ls -dalZ /pkgs/
drwxr-xr-x. root root unconfined_u:object_r:default_t:s0 /pkgs/
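The two AVC records above are `tclass=capability` denials for `dac_read_search` and `dac_override`, not `dir`/`file` denials on a label such as `default_t`. A capability denial of that kind means the process is running as uid 0 (see `uid=0` in the SYSCALL record) but the path's owner, group and mode (`drwxr-x---. user1 user1`) do not grant it access, and the `svnserve_t` domain is not allowed to use root's DAC-bypass capabilities to get around that. The following parser, added here as an example and not part of the original article, classifies ausearch output along those lines so the remediation (fix ownership or mode of the repository path) can be told apart from a labelling problem (fix with `restorecon`/`semanage fcontext`). The sample input is constructed from the records quoted above; the PROCTITLE hex is a shortened, constructed value and the function names are this example's own.

```python
"""Classify SELinux AVC denials from `ausearch -m avc` output.

Added example: distinguishes a `capability` denial for dac_override /
dac_read_search (a DAC ownership/mode mismatch) from a file-label denial,
and decodes the hex-encoded PROCTITLE record into an argv list.
"""
import re
from collections import Counter

# Constructed sample modelled on the ausearch output quoted in the article.
# The proctitle hex is shortened to "/usr/bin/svnserve\0--daemon".
SAMPLE = """\
----
time->Thu Dec 6 11:03:29 2018
type=PROCTITLE msg=audit(1544090609.927:1248826): proctitle=2F7573722F62696E2F73766E7365727665002D2D6461656D6F6E
type=AVC msg=audit(1544090609.927:1248826): avc: denied { dac_read_search } for pid=13428 comm="svnserve" capability=2 scontext=system_u:system_r:svnserve_t:s0 tcontext=system_u:system_r:svnserve_t:s0 tclass=capability
type=AVC msg=audit(1544090609.927:1248826): avc: denied { dac_override } for pid=13428 comm="svnserve" capability=1 scontext=system_u:system_r:svnserve_t:s0 tcontext=system_u:system_r:svnserve_t:s0 tclass=capability
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): "
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Capabilities whose denial means "the process is root, but DAC still says no".
DAC_CAPS = {"dac_override", "dac_read_search"}
FILE_CLASSES = {"dir", "file", "lnk_file", "sock_file", "fifo_file"}


def parse_avc(text):
    """Return one dict per AVC record: serial, perms (set) and the key=value fields."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
        fields["serial"] = int(m.group("serial"))
        fields["perms"] = set(m.group("perms").split())
        records.append(fields)
    return records


def domain_type(context):
    """Extract the type (third field) from an SELinux context like user:role:type:level."""
    return context.split(":")[2]


def classify(rec):
    """Map a denial to the remediation category a defender acts on."""
    if rec.get("tclass") == "capability" and rec["perms"] & DAC_CAPS:
        return "dac_mismatch"
    if rec.get("tclass") in FILE_CLASSES:
        return "file_label"
    return "other"


def explain(rec):
    """Human-readable interpretation of one AVC record."""
    dom = domain_type(rec["scontext"])
    cat = classify(rec)
    if cat == "dac_mismatch":
        return (f"{rec['comm']} ({dom}) runs as uid 0 but needs {sorted(rec['perms'])} to reach a "
                f"path whose owner/group/mode exclude it, and {dom} may not bypass DAC. "
                f"Fix the path's ownership or mode; do not grant the capability.")
    if cat == "file_label":
        return (f"{rec['comm']} ({dom}) was denied {sorted(rec['perms'])} on a "
                f"{rec['tclass']} labelled {domain_type(rec['tcontext'])}; check the label "
                f"with `ls -Z` and correct it with restorecon or semanage fcontext.")
    return f"{rec['comm']} ({dom}) denied {sorted(rec['perms'])} on tclass={rec.get('tclass')}."


def summarize(records):
    """Count (source domain, tclass, permission) triples across records."""
    counts = Counter()
    for rec in records:
        for perm in rec["perms"]:
            counts[(domain_type(rec["scontext"]), rec.get("tclass"), perm)] += 1
    return counts


def decode_proctitle(hexstr):
    """ausearch prints proctitle as hex when argv contains NULs; decode it to an argv list.

    A record truncated by the kernel's proctitle limit yields a partial last argument.
    """
    raw = bytes.fromhex(hexstr)
    return [part.decode("utf-8", "replace") for part in raw.split(b"\x00") if part]


if __name__ == "__main__":
    for rec in parse_avc(SAMPLE):
        print(f"[{classify(rec)}] {explain(rec)}")
    for (dom, tclass, perm), n in sorted(summarize(parse_avc(SAMPLE)).items()):
        print(f"{n}x {dom} {tclass} {perm}")
```

Run against real output with `ausearch -m avc -ts recent | python3 avc_classify.py` after swapping `SAMPLE` for `sys.stdin.read()`; a `dac_mismatch` result points at `chown`/`chmod` on the repository path (or running the daemon as the owning user), whereas `file_label` points at relabelling.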
Environment
- Red Hat Enterprise Linux 7.5
- svnserve