Hello,
I am surprised that the following mail I sent on Friday didn't make its
way to the archive.
Anyway, I solved my problem, which was an SELinux one:
by default, the httpd daemon was not allowed to run scripts from the
/usr/ hierarchy.
Using audit2allow several times in a row, and combining the rules
produced,
I could work around it.
Marc
> -----Original Message-----
> From: marc.girod@xxxxxxxx [mailto:marc.girod@xxxxxxxx]
> Sent: 30 March 2007 11:45
> To: users@xxxxxxxxxxxxxxxxx
> Cc: Girod, Marc
> Subject: viewvc-1.0.3 / svn 1.4.3, Permission denied
>
> Hello,
>
> I just installed svn 1.4.3 on RHES 4, x86_64, then viewvc-1.0.3,
> but when I try to use it, I get a 500 error, with the following in the
> httpd/error_log:
>
> [Fri Mar 30 11:16:22 2007] [error] [client 10.5.2.144]
> (13)Permission denied: exec of
> '/usr/local/viewvc-1.0.3/bin/cgi/viewvc.cgi' failed
> [Fri Mar 30 11:16:22 2007] [error] [client 10.5.2.144]
> Premature end of script headers: viewvc.cgi
>
> I also have in 'messages':
>
> Mar 30 11:16:22 pddubsvn1 kernel: audit(1175249782.920:0):
> avc: denied { execute } for pid=2229 exe=/usr/sbin/httpd
> name=viewvc.cgi dev=dm-3 ino=786889
> scontext=root:system_r:httpd_t tcontext=root:object_r:usr_t
> tclass=file
>
>
> I cannot see where this permission denied problem is.
> - the script itself is executable (and produces a reasonable stdout):
> $ cd /usr/local/viewvc-1.0.3/bin/cgi/
> $ ls -l viewvc.cgi
> -rwxr-xr-x 1 root root 1779 Mar 29 16:50 viewvc.cgi
> - the svn root directory, and the only repo are accessible:
> $ cd /x1/svnroot
> $ ls -la
> total 24
> drwxrwxr-x 3 root iona 4096 Mar 29 17:27 .
> drwxrwxr-x 4 root iona 4096 Mar 28 17:59 ..
> drwxrwxr-x 7 vobadm iona 4096 Mar 29 17:27 foo
> - I do have an httpd pam module:
> $ cd /etc/pam.d
> $ cat httpd
> #%PAM-1.0
> auth required pam_stack.so service=system-auth
> auth required pam_nologin.so
> account required pam_stack.so service=system-auth
> password required pam_stack.so service=system-auth
> session required pam_stack.so service=system-auth
>
> - httpd://pddubsvn1/repos/foo dav urls work fine
> - viewvc is set up in httpd.conf:
> $ grep /viewsvn /etc/httpd/conf/httpd.conf
> ScriptAlias /viewsvn "/usr/local/viewvc-1.0.3/bin/cgi/viewvc.cgi"
>
>
> Googling around for 'avc denied' returns something about SELinux,
> and ...labels on /dev...
>
> Any help for me to orient myself?
> I didn't install this box from scratch, and I have no experience
> with SELinux...
>
> Marc
>
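
The following is an added example, not part of the thread and not audit2allow's own code: it parses AVC denials like the one quoted above and combines them into one allow rule per source type, target type and class, flagging rules whose target is a generic label. The second log line and the `GENERIC_TYPES` set are constructed assumptions for illustration.

```python
import re

# First line: the denial quoted in the message, joined onto one line.
# Second line: constructed for this example to show rules being combined.
SAMPLE_LOG = [
    "Mar 30 11:16:22 pddubsvn1 kernel: audit(1175249782.920:0): avc: denied "
    "{ execute } for pid=2229 exe=/usr/sbin/httpd name=viewvc.cgi dev=dm-3 "
    "ino=786889 scontext=root:system_r:httpd_t tcontext=root:object_r:usr_t "
    "tclass=file",
    "Mar 30 11:20:00 pddubsvn1 kernel: audit(1175250000.000:0): avc: denied "
    "{ read } for pid=2301 exe=/usr/sbin/httpd name=viewvc.cgi dev=dm-3 "
    "ino=786889 scontext=root:system_r:httpd_t tcontext=root:object_r:usr_t "
    "tclass=file",
]
# Assumption: labels treated as "generic" (shared by many unrelated files).
GENERIC_TYPES = {"usr_t"}
AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")


def parse_avc(line):
    """Return (source type, target type, class, perms) or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    kv = dict(f.split("=", 1) for f in m.group(2).split() if "=" in f)
    try:
        # A context is user:role:type, optionally followed by an MLS range.
        stype = kv["scontext"].split(":")[2]
        ttype = kv["tcontext"].split(":")[2]
        return stype, ttype, kv["tclass"], m.group(1).split()
    except (KeyError, IndexError):
        return None


def combine(lines):
    """Merge denials into one allow rule per (source, target, class)."""
    merged = {}
    for avc in filter(None, map(parse_avc, lines)):
        merged.setdefault(avc[:3], set()).update(avc[3])
    rules = []
    for (s, t, c), perms in sorted(merged.items()):
        p = sorted(perms)
        body = p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"
        note = "  # broad: every file labelled %s" % t if t in GENERIC_TYPES else ""
        rules.append("allow %s %s:%s %s;%s" % (s, t, c, body, note))
    return rules


if __name__ == "__main__":
    print("\n".join(combine(SAMPLE_LOG)))
```

A rule of this shape lets httpd_t act on every file labelled usr_t, not only viewvc.cgi. A narrower alternative is to relabel the script with a type the targeted policy already lets httpd run as CGI, such as httpd_sys_script_exec_t (set with `chcon -t`).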