[lug] SElinux boolean for webdav/svn

D. Stimits stimits at comcast.net
Sun Nov 18 13:26:13 MST 2007


D. Stimits wrote:

Long story short, this is now solved, and thought a post might help 
people looking. Originally the svn/webdav had worked fine. All was 
labeled with the standard httpd_sys_content_t. I'm *guessing* that one 
of the yum updates of targeted policy created a finer grained set of 
contexts. This same label became restricted to read only, and new 
writable contexts seem to be added (although I suppose the writable 
could have always been there, and the basic context might have been 
simply set read only). man httpd_selinux lists some chcon options that 
solved this, I just had to use the rw variation. Gotta love man pages.

D. Stimits, stimits AT comcast DOT net

> I was able to set SElinux boolean httpd_disable_trans to active to 
> allow regular developers on a CentOS 4 server. It runs yum update 
> every night, so it updates the targeted policy (which it uses). The 
> regular developers were able to update some files, others got rejected 
> for unknown reasons, which is why I disabled part of apache via 
> httpd_disable_trans.
>
> Now there is a new problem, I believe to be unrelated. Subversion 
> apache/webdav checkouts work, but subversion checkins are denied. 
> Piping the message to audit2allow shows:
> allow httpd_t httpd_sys_content_t:dir write;
>
> The svn repo is itself under /var/www/ as another subdirectory, and is 
> what I believe to be properly labeled as httpd_sys_content_t. Ordinary 
> permissions are fine. Somehow I must either disable SElinux for this 
> one place (all of httpd disable is fine with me), or allow it to write 
> with some means such as a chcon command. Can anyone tell me either 
> which SElinux boolean would disable SElinux for this svn/webdav setup? 
> Or how to label the subdirectory as writable? It worked until 
> recently, I think one of the targeted policy updates broke it.
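
An added example, not part of the original posts: the audit2allow rule quoted above would let httpd_t write to every directory labeled httpd_sys_content_t, so it helps to see which objects were actually denied before relabeling only those. The sketch below summarises write-type AVC denials for httpd_t; the sample records are constructed and the field layout is the usual audit AVC format, assumed here.

```shell
#!/bin/sh
# Added example: triage AVC denials where httpd_t was refused write-type access.

# Constructed sample audit records (not taken from the original post).
sample_avc() {
cat <<'EOF'
type=AVC msg=audit(1195416000.101:41): avc:  denied  { write } for  pid=2301 comm="httpd" name="db" dev=sda1 ino=1001 scontext=root:system_r:httpd_t tcontext=system_u:object_r:httpd_sys_content_t tclass=dir
type=AVC msg=audit(1195416002.314:42): avc:  denied  { write } for  pid=2301 comm="httpd" name="db" dev=sda1 ino=1001 scontext=root:system_r:httpd_t tcontext=system_u:object_r:httpd_sys_content_t tclass=dir
type=AVC msg=audit(1195416005.777:43): avc:  denied  { write add_name } for  pid=2302 comm="httpd" name="transactions" dev=sda1 ino=1002 scontext=root:system_r:httpd_t tcontext=system_u:object_r:httpd_sys_content_t tclass=dir
type=AVC msg=audit(1195416009.020:44): avc:  denied  { read } for  pid=812 comm="named" name="named.conf" dev=sda1 ino=77 scontext=system_u:system_r:named_t tcontext=system_u:object_r:etc_t tclass=file
EOF
}

# Read AVC records on stdin; print "count target_type class perm name" for
# every write-type permission denied to httpd_t, most frequent first.
httpd_write_denials() {
  awk '
    /avc:/ && /denied/ {
      stype = ttype = tclass = name = ""; nperm = 0; inset = 0
      for (i = 1; i <= NF; i++) {
        if ($i == "{") { inset = 1; continue }   # start of permission set
        if ($i == "}") { inset = 0; continue }   # end of permission set
        if (inset) { perm[++nperm] = $i; continue }
        if ($i ~ /^scontext=/) { split($i, c, ":"); stype = c[3] }
        else if ($i ~ /^tcontext=/) { split($i, c, ":"); ttype = c[3] }
        else if ($i ~ /^tclass=/) { tclass = substr($i, 8) }
        else if ($i ~ /^name=/) { name = substr($i, 6); gsub(/"/, "", name) }
      }
      if (stype != "httpd_t") next               # only the web server domain
      for (p = 1; p <= nperm; p++)
        if (perm[p] ~ /^(write|append|add_name|remove_name|create|unlink|rename|setattr)$/)
          seen[ttype " " tclass " " perm[p] " " name]++
    }
    END { for (k in seen) print seen[k], k }
  ' | sort -k1,1nr -k2
}

# Stand-alone run over the constructed sample.
sample_avc | httpd_write_denials
```

The names in the summary point at the directories that need a writable label from `man httpd_selinux`; everything else under the web root can keep the read-only httpd_sys_content_t type.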



