HgServe SeLinux

Jérôme Godbout jerome at bodycad.com
Thu Aug 3 16:09:39 UTC 2017


Hi,
I seem to have a few problems with writing over a CIFS share mounted drive
and hgserve with Apache CGI. I'm on CentOS 7.
When I disable SELinux everything works just fine. Permissions are OK with
Apache as the drive is mounted with the following fstab entry:

//url/server /mnt/hg cifs auto,credentials=/root/credentials,uid=apache,gid=apache,dir_mode=0777,file_mode=0777 0 0

I have SELinux in enforce mode and the following setbools:
httpd_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_check_spam --> off
httpd_can_connect_ftp --> off
httpd_can_connect_ldap --> off
httpd_can_connect_mythtv --> off
httpd_can_connect_zabbix --> off
httpd_can_network_connect --> off
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> off
httpd_can_network_memcache --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> off
httpd_dbus_avahi --> off
httpd_dbus_sssd --> off
httpd_dontaudit_search_dirs --> off
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> off
httpd_execmem --> off
httpd_graceful_shutdown --> on
httpd_manage_ipa --> off
httpd_mod_auth_ntlm_winbind --> off
httpd_mod_auth_pam --> off
httpd_read_user_content --> off
httpd_run_ipa --> off
httpd_run_preupgrade --> off
httpd_run_stickshift --> off
httpd_serve_cobbler_files --> off
httpd_setrlimit --> off
httpd_ssi_exec --> off
httpd_sys_script_anon_write --> off
httpd_tmp_exec --> off
httpd_tty_comm --> off
httpd_unified --> off
httpd_use_cifs --> on
httpd_use_fusefs --> off
httpd_use_gpg --> off
httpd_use_nfs --> off
httpd_use_openstack --> off
httpd_use_sasl --> off
httpd_verify_dns --> off

If I run ls -Zla in my .hg repo:
drwxr-x---. apache apache system_u:object_r:cifs_t:s0      .
drwxr-x---. apache apache system_u:object_r:cifs_t:s0      ..
-rw-r-----. apache apache system_u:object_r:cifs_t:s0      00changelog.i
-rw-r-----. apache apache system_u:object_r:cifs_t:s0      bookmarks
-rw-r-----. apache apache system_u:object_r:cifs_t:s0      branch
drwxr-x---. apache apache system_u:object_r:cifs_t:s0      cache
-rw-r-----. apache apache system_u:object_r:cifs_t:s0      cur-message.txt
-rw-r-----. apache apache system_u:object_r:cifs_t:s0      dirstate
-rw-r-----. apache apache system_u:object_r:cifs_t:s0      hgrc
-rw-r-----. apache apache system_u:object_r:cifs_t:s0      last-message.txt
-rw-r-----. apache apache system_u:object_r:cifs_t:s0      localtags
-rw-r-----. apache apache system_u:object_r:cifs_t:s0      requires
drwxr-x---. apache apache system_u:object_r:cifs_t:s0      shelves
drwxr-x---. apache apache system_u:object_r:cifs_t:s0      store
-rw-r-----. apache apache system_u:object_r:cifs_t:s0      thgstatus
drwxr-x---. apache apache system_u:object_r:cifs_t:s0      Trashcan
-rw-r-----. apache apache system_u:object_r:cifs_t:s0      undo.backup.dirstate
-rw-r-----. apache apache system_u:object_r:cifs_t:s0      undo.bookmarks
-rw-r-----. apache apache system_u:object_r:cifs_t:s0      undo.branch
-rw-r-----. apache apache system_u:object_r:cifs_t:s0      undo.desc
-rw-r-----. apache apache system_u:object_r:cifs_t:s0      undo.dirstate

Seems right to me.

But I get the following timeout in the Apache access log:
10.1.31.171 - - [03/Aug/2017:10:28:38 -0400] "POST /Bodycad/?cmd=unbundle HTTP/1.1" 504 247

and the following in the error log:
[Thu Aug 03 10:29:38.958597 2017] [cgi:warn] [pid 11036] [client 10.1.31.171:58342] AH01220: Timeout waiting for output from CGI script /var/www/cgi-bin/hgweb.cgi
[Thu Aug 03 10:29:38.958638 2017] [cgi:error] [pid 11036] [client 10.1.31.171:58342] Script timed out before returning headers: hgweb.cgi
[Thu Aug 03 10:30:39.005556 2017] [cgi:warn] [pid 11036] [client 10.1.31.171:58342] AH01220: Timeout waiting for output from CGI script /var/www/cgi-bin/hgweb.cgi

The GETs seem to work just fine:
10.1.31.171 - - [03/Aug/2017:10:31:07 -0400] "GET /Bodycad/?cmd=capabilities HTTP/1.1" 200 330
10.1.31.171 - - [03/Aug/2017:10:31:07 -0400] "GET /Bodycad/?cmd=batch HTTP/1.1" 200 3403
10.1.31.171 - - [03/Aug/2017:10:31:08 -0400] "GET /Bodycad/?cmd=getbundle HTTP/1.1" 200 586


Does anybody have any idea what is missing to make this work so I can re-enable
SELinux? The server just times out when writing with SELinux enabled.

Jerome Godbout
Software Developer
2035 rue du Haut-Bord, Québec, QC, Canada. G1N 4R7
T:  +1 418 527-1388
E: jerome at bodycad.com
www.bodycad.com

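Added example, not part of the original message: with SELinux enforcing, a blocked write is normally recorded as an AVC denial in /var/log/audit/audit.log, so one way to see what the CGI is being refused is to group denials by source domain and permission for objects labelled cifs_t (the label shown in the ls -Z listing). The audit records below are constructed, and the httpd_sys_script_t source domain, the file names in the records and the denials_on helper are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed audit.log records (not from the poster's system): two denials for
# a CGI-domain process on cifs_t objects, plus one unrelated denial.
SAMPLE_AUDIT = '''\
type=AVC msg=audit(1501770518.412:901): avc:  denied  { write } for  pid=11040 comm="hgweb.cgi" name="store" dev="cifs" ino=4211 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:cifs_t:s0 tclass=dir
type=AVC msg=audit(1501770518.413:902): avc:  denied  { create } for  pid=11040 comm="hgweb.cgi" name="journal" scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:cifs_t:s0 tclass=file
type=AVC msg=audit(1501770530.100:903): avc:  denied  { read } for  pid=900 comm="sshd" name="x" scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
'''

# Matches the permission set, command name, both contexts and the object class
# of an AVC "denied" record.
AVC_RE = re.compile(
    r'type=AVC msg=audit\([\d.]+:\d+\): avc:\s+denied\s+'
    r'\{ (?P<perms>[^}]+) \}.*?comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<s>\S+) tcontext=(?P<t>\S+) tclass=(?P<cls>\S+)')


def se_type(context):
    """Return the type field of a user:role:type:level security context."""
    return context.split(':')[2]


def denials_on(audit_text, target_type, source_prefix='httpd'):
    """Group denied permissions by (source type, comm, class) for one target type."""
    found = defaultdict(set)
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial record
        src, tgt = se_type(m['s']), se_type(m['t'])
        if tgt == target_type and src.startswith(source_prefix):
            found[(src, m['comm'], m['cls'])].update(m['perms'].split())
    return {key: sorted(perms) for key, perms in found.items()}


if __name__ == '__main__':
    for (src, comm, cls), perms in denials_on(SAMPLE_AUDIT, 'cifs_t').items():
        print(f'{src} ({comm}) denied {perms} on cifs_t:{cls}')
```

On a real host the input would be the contents of the audit log for the minute around the 504 response, instead of SAMPLE_AUDIT.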