HgServe SeLinux

Jérôme Godbout jerome at bodycad.com
Thu Aug 3 14:42:04 EDT 2017


Sorry for the noise. I found my problem was with an hgrc hook that was
performing a wget, so I needed to enable:

setsebool -P httpd_can_network_connect on

httpd_can_network_connect --> on


Jerome Godbout
Software Developer
2035 rue du Haut-Bord, Québec, QC, Canada. G1N 4R7
T:  +1 418 527-1388
E: jerome at bodycad.com
www.bodycad.com

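The fix above was found by flipping one boolean rather than leaving SELinux disabled. As an added example (not part of the thread), the shell function below maps audit AVC denial lines from the httpd domains onto the boolean that permits the action, for the two cases this thread touches: an outbound connection from a CGI hook (httpd_can_network_connect) and a write to a cifs_t file (httpd_use_cifs). The audit lines are constructed to mirror the thread's setup and are not real log output.

```shell
#!/bin/sh
# Added example: map SELinux AVC denials for httpd/CGI domains to the
# narrowest boolean that allows them. Sample audit lines are constructed.
SAMPLE_AUDIT='type=AVC msg=audit(1501770518.958:101): avc:  denied  { name_connect } for  pid=11040 comm="wget" dest=443 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1501770520.112:102): avc:  denied  { write } for  pid=11036 comm="hgweb.cgi" name="dirstate" scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:cifs_t:s0 tclass=file permissive=0
type=AVC msg=audit(1501770521.500:103): avc:  denied  { read } for  pid=2222 comm="sshd" scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0'

# suggest_sebool AUDIT_TEXT
# Prints one "boolean<TAB>reason" line per httpd-related denial it can map.
# Denials from non-httpd domains are skipped; httpd denials with no known
# boolean are printed as UNMAPPED so they are not silently ignored.
suggest_sebool() {
    printf '%s\n' "$1" | awk '
    /type=AVC/ && /denied/ {
        perm = ""; sctx = ""; tctx = ""; cls = ""
        # permission set sits between "{ " and " }"
        if (match($0, /\{ [^}]* \}/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "scontext") sctx = kv[2]
            if (kv[1] == "tcontext") tctx = kv[2]
            if (kv[1] == "tclass")   cls  = kv[2]
        }
        # only the web server and its CGI script domain are of interest here
        if (sctx !~ /httpd_(sys_script_)?t/) next
        if (cls == "tcp_socket" && perm == "name_connect")
            print "httpd_can_network_connect\toutbound TCP from " sctx
        else if (tctx ~ /:cifs_t:/ && cls == "file" && perm ~ /write|create|unlink|rename/)
            print "httpd_use_cifs\twrite to cifs_t file from " sctx
        else
            print "UNMAPPED\t" perm " on " cls " (" sctx " -> " tctx ")"
    }'
}

# run over the constructed sample; on a real host feed it `ausearch -m AVC` output
suggest_sebool "$SAMPLE_AUDIT"
```

Each suggested boolean is then applied with `setsebool -P <boolean> on`, as in the fix above; an UNMAPPED line means the denial needs a closer look rather than a broader policy change.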

On Thu, Aug 3, 2017 at 12:09 PM, Jérôme Godbout <jerome at bodycad.com> wrote:

> Hi,
> I seem to have a few problems with writing over a CIFS share mounted drive
> and hgserve with Apache CGI. I'm on CentOS 7.
> When I disable SELinux everything works just fine. Permissions are OK with
> apache as the drive is mounted with the following fstab entry:
>
> //url/server /mnt/hg cifs auto,credentials=/root/credentials,uid=apache,gid=apache,dir_mode=0777,file_mode=0777 0 0
>
> I have SELinux in enforcing mode and the following booleans:
> httpd_anon_write --> off
> httpd_builtin_scripting --> on
> httpd_can_check_spam --> off
> httpd_can_connect_ftp --> off
> httpd_can_connect_ldap --> off
> httpd_can_connect_mythtv --> off
> httpd_can_connect_zabbix --> off
> httpd_can_network_connect --> off
> httpd_can_network_connect_cobbler --> off
> httpd_can_network_connect_db --> off
> httpd_can_network_memcache --> off
> httpd_can_network_relay --> off
> httpd_can_sendmail --> off
> httpd_dbus_avahi --> off
> httpd_dbus_sssd --> off
> httpd_dontaudit_search_dirs --> off
> httpd_enable_cgi --> on
> httpd_enable_ftp_server --> off
> httpd_enable_homedirs --> off
> httpd_execmem --> off
> httpd_graceful_shutdown --> on
> httpd_manage_ipa --> off
> httpd_mod_auth_ntlm_winbind --> off
> httpd_mod_auth_pam --> off
> httpd_read_user_content --> off
> httpd_run_ipa --> off
> httpd_run_preupgrade --> off
> httpd_run_stickshift --> off
> httpd_serve_cobbler_files --> off
> httpd_setrlimit --> off
> httpd_ssi_exec --> off
> httpd_sys_script_anon_write --> off
> httpd_tmp_exec --> off
> httpd_tty_comm --> off
> httpd_unified --> off
> httpd_use_cifs --> on
> httpd_use_fusefs --> off
> httpd_use_gpg --> off
> httpd_use_nfs --> off
> httpd_use_openstack --> off
> httpd_use_sasl --> off
> httpd_verify_dns --> off
>
> If I run ls -Zla in my .hg repo:
> drwxr-x---. apache apache system_u:object_r:cifs_t:s0      .
> drwxr-x---. apache apache system_u:object_r:cifs_t:s0      ..
> -rw-r-----. apache apache system_u:object_r:cifs_t:s0      00changelog.i
> -rw-r-----. apache apache system_u:object_r:cifs_t:s0      bookmarks
> -rw-r-----. apache apache system_u:object_r:cifs_t:s0      branch
> drwxr-x---. apache apache system_u:object_r:cifs_t:s0      cache
> -rw-r-----. apache apache system_u:object_r:cifs_t:s0      cur-message.txt
> -rw-r-----. apache apache system_u:object_r:cifs_t:s0      dirstate
> -rw-r-----. apache apache system_u:object_r:cifs_t:s0      hgrc
> -rw-r-----. apache apache system_u:object_r:cifs_t:s0      last-message.txt
> -rw-r-----. apache apache system_u:object_r:cifs_t:s0      localtags
> -rw-r-----. apache apache system_u:object_r:cifs_t:s0      requires
> drwxr-x---. apache apache system_u:object_r:cifs_t:s0      shelves
> drwxr-x---. apache apache system_u:object_r:cifs_t:s0      store
> -rw-r-----. apache apache system_u:object_r:cifs_t:s0      thgstatus
> drwxr-x---. apache apache system_u:object_r:cifs_t:s0      Trashcan
> -rw-r-----. apache apache system_u:object_r:cifs_t:s0      undo.backup.dirstate
> -rw-r-----. apache apache system_u:object_r:cifs_t:s0      undo.bookmarks
> -rw-r-----. apache apache system_u:object_r:cifs_t:s0      undo.branch
> -rw-r-----. apache apache system_u:object_r:cifs_t:s0      undo.desc
> -rw-r-----. apache apache system_u:object_r:cifs_t:s0      undo.dirstate
>
> That seems right to me.
>
> But I get the following timeout in the Apache access log:
> 10.1.31.171 - - [03/Aug/2017:10:28:38 -0400] "POST /Bodycad/?cmd=unbundle HTTP/1.1" 504 247
>
> and the following in the error log:
> [Thu Aug 03 10:29:38.958597 2017] [cgi:warn] [pid 11036] [client 10.1.31.171:58342] AH01220: Timeout waiting for output from CGI script /var/www/cgi-bin/hgweb.cgi
> [Thu Aug 03 10:29:38.958638 2017] [cgi:error] [pid 11036] [client 10.1.31.171:58342] Script timed out before returning headers: hgweb.cgi
> [Thu Aug 03 10:30:39.005556 2017] [cgi:warn] [pid 11036] [client 10.1.31.171:58342] AH01220: Timeout waiting for output from CGI script /var/www/cgi-bin/hgweb.cgi
>
> The GETs seem to work just fine:
> 10.1.31.171 - - [03/Aug/2017:10:31:07 -0400] "GET /Bodycad/?cmd=capabilities HTTP/1.1" 200 330
> 10.1.31.171 - - [03/Aug/2017:10:31:07 -0400] "GET /Bodycad/?cmd=batch HTTP/1.1" 200 3403
> 10.1.31.171 - - [03/Aug/2017:10:31:08 -0400] "GET /Bodycad/?cmd=getbundle HTTP/1.1" 200 586
>
>
> Anybody have any idea what is missing to make this work so I can re-enable
> SELinux? The server just times out when writing with SELinux enabled.
>
>
