Discussion:
svnserve setup on RHEL-7.5
Adam Jensen
2018-10-02 03:33:13 UTC
Hi,

I am attempting to set up an svn server on Scientific Linux 7.5 using
subversion from the wandisco repository. This is my entire process
(below). The current result is:

svn list svn://moria.metadatalibrary.org/MAAPSS
svn: E170013: Unable to connect to a repository at URL
'svn://moria.metadatalibrary.org/MAAPSS'
svn: E000013: Can't open file '/srv/svn/MAAPSS/format': Permission denied

Does anyone have any idea what might have caused this problem?

--------------------------------------------------------------------------
cat /etc/yum.repos.d/wandisco-svn.repo
[WandiscoSVN]
name=Wandisco SVN Repo
baseurl=http://opensource.wandisco.com/centos/7/svn-1.10/RPMS/x86_64/
enabled=1
gpgcheck=0

rpm -q subversion
subversion-1.10.2-1.x86_64

svnserve --version
svnserve, version 1.10.2 (r1835932)
compiled Jul 24 2018, 15:08:17 on x86_64-redhat-linux-gnu

Copyright (C) 2018 The Apache Software Foundation.
This software consists of contributions made by many people;
see the NOTICE file for more information.
Subversion is open source software, see http://subversion.apache.org/

The following repository back-end (FS) modules are available:

* fs_fs : Module for working with a plain file (FSFS) repository.
* fs_x : Module for working with an experimental (FSX) repository.
* fs_base : Module for working with a Berkeley DB repository.

Cyrus SASL authentication is available.

groupadd -g 502 svn
useradd -c "SVN" -d /srv/svn -g 502 -u 502 -s /sbin/nologin -M svn
mkdir /srv/svn
chown -R svn:svn /srv/svn/

sudo -u svn svnadmin create /srv/svn/MAAPSS
sudo -u svn vi /srv/svn/MAAPSS/conf/svnserve.conf

vi /etc/sasl2/svn.conf
pwcheck_method: auxprop
auxprop_plugin: sasldb
sasldb_path: /etc/svn_sasldb
mech_list: DIGEST-MD5 CRAM-MD5

saslpasswd2 -c -f /etc/svn_sasldb -u moria.metadatalibrary.org hanzer

chown svn:svn /etc/svn_sasldb

vi /etc/systemd/system/svnserve.service
[Unit]
Description=Subversion protocol daemon
After=syslog.target network.target

[Service]
Type=forking
RuntimeDirectory=svnserve
PIDFile=/run/svnserve/svnserve.pid
EnvironmentFile=/etc/default/svnserve
ExecStart=/usr/bin/svnserve $DAEMON_ARGS
User=svn
Group=svn
KillMode=control-group
Restart=on-failure

[Install]
WantedBy=multi-user.target
Alias=svnserve.service

vi /etc/default/svnserve
# svnserve options
DAEMON_ARGS="--daemon --pid-file /run/svnserve/svnserve.pid --root /srv/svn/ --listen-port=3690 --log-file /var/log/svnserve/svnserve.log"

mkdir /var/log/svnserve; chown svn /var/log/svnserve

vi /etc/logrotate.d/svnserve
/var/log/svnserve/*.log {
daily
missingok
rotate 14
compress
notifempty
create 660 svn root
sharedscripts
postrotate
if /usr/bin/systemctl status svnserve > /dev/null ; then \
/usr/bin/systemctl restart svnserve > /dev/null; \
fi;
endscript
}

systemctl start svnserve.service

systemctl status svnserve.service
● svnserve.service - Subversion protocol daemon
Loaded: loaded (/etc/systemd/system/svnserve.service; disabled;
vendor preset: disabled)
Active: active (running) since Mon 2018-10-01 23:06:29 EDT; 2s ago
Process: 4049 ExecStart=/usr/bin/svnserve $DAEMON_ARGS (code=exited,
status=0/SUCCESS)
Main PID: 4050 (svnserve)
CGroup: /system.slice/svnserve.service
└─4050 /usr/bin/svnserve --daemon --pid-file
/run/svnserve/svnserve.pid --root /srv/svn/ --listen-port=3690
--log-file /var/log/s...

Oct 01 23:06:29 moria.metadatalibrary.org systemd[1]: Starting
Subversion protocol daemon...
Oct 01 23:06:29 moria.metadatalibrary.org systemd[1]: Started Subversion
protocol daemon.

firewall-cmd --zone=internal --permanent --add-port=3690/tcp
firewall-cmd --reload
--------------------------------------------------------------------------

svn list svn://moria.metadatalibrary.org/MAAPSS
svn: E170013: Unable to connect to a repository at URL
'svn://moria.metadatalibrary.org/MAAPSS'
svn: E000013: Can't open file '/srv/svn/MAAPSS/format': Permission denied

ls -l /srv/svn/MAAPSS
total 12
drwxr-xr-x. 2 svn svn 96 Oct 1 23:18 conf
drwxr-sr-x. 6 svn svn 4096 Oct 1 22:09 db
-r--r--r--. 1 svn svn 2 Oct 1 22:09 format
drwxr-xr-x. 2 svn svn 271 Oct 1 22:09 hooks
drwxr-xr-x. 2 svn svn 53 Oct 1 22:09 locks
-rw-r--r--. 1 svn svn 246 Oct 1 22:09 README.txt

ps -aux | grep svn

svn 4388 0.0 0.0 181276 1232 ? Ss 23:18 0:00
/usr/bin/svnserve --daemon --pid-file /run/svnserve/svnserve.pid --root
/srv/svn/ --listen-port=3690 --log-file /var/log/svnserve/svnserve.log
Ryan Schmidt
2018-10-02 06:52:53 UTC
Post by Adam Jensen
I am attempting to set up an svn server on Scientific Linux 7.5 using
subversion from the wandisco repository. This is my entire process
svn list svn://moria.metadatalibrary.org/MAAPSS
svn: E170013: Unable to connect to a repository at URL
'svn://moria.metadatalibrary.org/MAAPSS'
svn: E000013: Can't open file '/srv/svn/MAAPSS/format': Permission denied
Does anyone have any idea what might have caused this problem?
Might SELinux be enabled on the server, and if so, might you need to use the chcon command to grant the svn user access to that area of the filesystem?
Adam Jensen
2018-10-02 18:35:00 UTC
Post by Ryan Schmidt
Post by Adam Jensen
I am attempting to set up an svn server on Scientific Linux 7.5 using
subversion from the wandisco repository. This is my entire process
svn list svn://moria.metadatalibrary.org/MAAPSS
svn: E170013: Unable to connect to a repository at URL
'svn://moria.metadatalibrary.org/MAAPSS'
svn: E000013: Can't open file '/srv/svn/MAAPSS/format': Permission denied
Does anyone have any idea what might have caused this problem?
Might SELinux be enabled on the server, and if so, might you need to use the chcon command to grant the svn user access to that area of the filesystem?
Thanks, Ryan. I looked at SELinux last night as the potential source of
the problem but dismissed it somehow. Looking at it again earlier today
with fresh eyes, it certainly does seem to be the problem. This is my
solution:

chcon -Rv --user system_u /srv/svn
chcon -Rv --type svnserve_content_t /srv/svn

ls -Z /srv
drwxr-xr-x. svn svn system_u:object_r:svnserve_content_t:s0 svn

# Test it:
svn list svn://moria.metadatalibrary.org/MAAPSS/
Authentication realm: <svn://moria.metadatalibrary.org:3690>
moria.metadatalibrary.org
Password for 'hanzer': *************


# Make it permanent:
semanage fcontext -a -s system_u -t svnserve_content_t "/srv/svn(/.*)?"
restorecon -R -v /srv/svn

# Verify:
matchpathcon -V /srv/svn
/srv/svn verified.


And for posterity, here are my problem exploration notes:

-----------------------------------------------------------------------
less /var/log/messages # The relevant parts:
# SELinux is preventing svnserve from read access on the file format.
# If you want to allow svnserve to have read access on the format file
# Then you need to change the label on format
# semanage fcontext -a -t FILE_TYPE 'format'
# where FILE_TYPE is one of the following:
# svnserve_content_t, svnserve_exec_t, svnserve_log_t, svnserve_tmp_t,
# svnserve_var_run_t

ps -efZ | grep svn
system_u:system_r:svnserve_t:s0 svn 4700 1 0 Oct01 ?
00:00:00 /usr/bin/svnserve --daemon --pid-file
/run/svnserve/svnserve.pid --root /srv/svn/ --listen-port=3690
--log-file /var/log/svnserve/svnserve.log

ls -Z /srv/
drwxr-xr-x. svn svn unconfined_u:object_r:var_t:s0 svn

sesearch --allow --source svnserve_t --target var_t --class file
# empty output

sesearch --allow --source svnserve_t --target svnserve_content_t --class file
Found 1 semantic av rules:
allow svnserve_t svnserve_content_t : file { ioctl read write create
getattr setattr lock append unlink link rename open } ;

sesearch --allow --source svnserve_t --target svnserve_exec_t --class file
Found 1 semantic av rules:
allow svnserve_t svnserve_exec_t : file { ioctl read getattr lock
execute execute_no_trans entrypoint open } ;

sesearch --allow --source svnserve_t --target svnserve_log_t --class file
Found 2 semantic av rules:
allow svnserve_t svnserve_log_t : file { ioctl read write create
getattr setattr lock append unlink link rename open } ;
allow daemon logfile : file { ioctl getattr lock append } ;

sesearch --allow --source svnserve_t --target svnserve_tmp_t --class file
Found 2 semantic av rules:
allow svnserve_t svnserve_tmp_t : file { ioctl read write create
getattr setattr lock append unlink link rename open } ;
allow domain tmpfile : file { ioctl read getattr lock append open } ;

sesearch --allow --source svnserve_t --target svnserve_var_run_t --class file
Found 1 semantic av rules:
allow svnserve_t svnserve_var_run_t : file { ioctl read write create
getattr setattr lock append unlink link rename open } ;


ls -Z /var/log
drwxr-xr-x. svn root unconfined_u:object_r:var_log_t:s0 svnserve

ls -Z /var/log/svnserve/
-rw-r--r--. svn svn system_u:object_r:svnserve_log_t:s0 svnserve.log

ls -Z /run
drwxr-xr-x. svn svn
system_u:object_r:svnserve_var_run_t:s0 svnserve

ls -Z /run/svnserve/
-rw-r--r--. svn svn system_u:object_r:svnserve_var_run_t:s0 svnserve.pid

ls -Z /usr/bin/svnserve
-rwxr-xr-x. root root system_u:object_r:svnserve_exec_t:s0 /usr/bin/svnserve

ls -Z /etc/sasl2/svn.conf
-rw-r--r--. root root unconfined_u:object_r:etc_t:s0 /etc/sasl2/svn.conf

ls -Z /etc/svn_sasldb
-rw-r-----. svn svn unconfined_u:object_r:etc_t:s0 /etc/svn_sasldb

sesearch --allow --source svnserve_t --target etc_t --class file
Found 1 semantic av rules:
allow domain base_ro_file_type : file { ioctl read getattr lock open } ;

chcon -Rv --user system_u /srv/svn
chcon -Rv --type svnserve_content_t /srv/svn

ls -Z /srv
drwxr-xr-x. svn svn system_u:object_r:svnserve_content_t:s0 svn

# Test it:
svn list svn://moria.metadatalibrary.org/MAAPSS/
Authentication realm: <svn://moria.metadatalibrary.org:3690>
moria.metadatalibrary.org
Password for 'hanzer': *************


# Make it permanent:
semanage fcontext -a -s system_u -t svnserve_content_t "/srv/svn(/.*)?"
restorecon -R -v /srv/svn

# Verify:
matchpathcon -V /srv/svn
/srv/svn verified.
-----------------------------------------------------------------------

I made a couple of changes to the setup:

vi /etc/sasl2/svn.conf
pwcheck_method: auxprop
auxprop_plugin: sasldb
sasldb_path: /etc/svn_sasldb
mech_list: DIGEST-MD5

grep "^[^#]" /srv/svn/MAAPSS/conf/svnserve.conf
[general]
anon-access = none
auth-access = write
password-db = passwd
realm = moria.metadatalibrary.org
[sasl]
use-sasl = true
min-encryption = 128
max-encryption = 256

grep "^[^#]" /srv/svn/MAAPSS/conf/passwd
[users]


Curiously, on the local machine "moria" this works:

svn list svn://moria.metadatalibrary.org/MAAPSS/
Authentication realm: <svn://moria.metadatalibrary.org:3690>
moria.metadatalibrary.org
Password for 'hanzer': *************


But from a machine on the LAN (also SL-7.5 with the same wandisco svn):

svn list svn://moria.metadatalibrary.org/MAAPSS/
svn: E170013: Unable to connect to a repository at URL
'svn://moria.metadatalibrary.org/MAAPSS'
svn: E210007: Cannot negotiate authentication mechanism


Do you suppose this is a network configuration problem rather than an
svn configuration problem?
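
Added example (not part of the original thread): the label comparison done by hand with ls -Z in the notes above, written as a small shell filter. It assumes the RHEL 7 `ls -Z` column layout shown in the thread (mode, user, group, context, name); the function names, the sample listings and the pre-commit entry are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Flags entries in RHEL 7 style
# `ls -Z` output whose SELinux type differs from the expected one
# (svnserve_content_t for repository data, per the thread).
# Assumed column layout, as shown in the thread: mode user group context name

# mislabeled EXPECTED_TYPE
# Reads `ls -Z` lines on stdin; prints "name<TAB>actual_type" per mismatch.
mislabeled() {
    awk -v want="$1" '
        NF >= 5 {
            n = split($4, ctx, ":")    # user:role:type:level[:categories]
            if (n < 4) next            # fourth column is not a context
            if (ctx[3] == want) next   # label already matches
            name = $5                  # re-join names containing spaces
            for (i = 6; i <= NF; i++) name = name " " $i
            print name "\t" ctx[3]
        }'
}

# Constructed sample: the repository before relabeling (inherited var_t).
sample_before() {
    cat <<'EOF'
drwxr-xr-x. svn svn unconfined_u:object_r:var_t:s0 conf
drwxr-sr-x. svn svn unconfined_u:object_r:var_t:s0 db
-r--r--r--. svn svn unconfined_u:object_r:var_t:s0 format
EOF
}

# Constructed sample: after relabeling, plus one hypothetical file that
# still carries a different type.
sample_after() {
    cat <<'EOF'
drwxr-xr-x. svn svn system_u:object_r:svnserve_content_t:s0 conf
-r--r--r--. svn svn system_u:object_r:svnserve_content_t:s0 format
-rwxr-xr-x. svn svn unconfined_u:object_r:user_home_t:s0 pre-commit
EOF
}

echo "before relabel:"; sample_before | mislabeled svnserve_content_t
echo "after relabel:";  sample_after  | mislabeled svnserve_content_t
# On a live RHEL 7 host: ls -Z /srv/svn/MAAPSS | mislabeled svnserve_content_t
```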
Adam Jensen
2018-10-03 14:04:42 UTC
Post by Adam Jensen
svn list svn://moria.metadatalibrary.org/MAAPSS/
Authentication realm: <svn://moria.metadatalibrary.org:3690>
moria.metadatalibrary.org
Password for 'hanzer': *************
svn list svn://moria.metadatalibrary.org/MAAPSS/
svn: E170013: Unable to connect to a repository at URL
'svn://moria.metadatalibrary.org/MAAPSS'
svn: E210007: Cannot negotiate authentication mechanism
Do you suppose this is a network configuration problem rather than an
svn configuration problem?
It turns out the SL-7.5 client machine on the LAN needed the package:

yum install cyrus-sasl-md5.x86_64

With that, 'svn list ...' seems to work just fine.
