After a few yum updates, I finally noticed that my Mercurial web interface was not working anymore. Every attempt to push resulted in `abort: HTTP Error 500: Permission denied` errors. First I ran `sealert -b`, but there were no listed denials. I rechecked the ownership and permissions on all the files in the repository; there was no visible problem. I rechecked the httpd conf and the repository confs, same story. I grepped /var/logs/audit/audit.log for the string "httpd" and found nothing with any errors or denials. I tried `journalctl -l _SYSTEMD_UNIT=httpd.service` and got nothing as well. I ran `ls -Z` on both the repository directory (/var/repositories/mercurial) and the web document root containing the cgi script (/var/mercurial).
The repository /var/repositories/mercurial looks like this:

    drwxrwxr-x. 47 unconfined_u:object_r:var_t:s0 hguser repo_users 4.0K Aug 13 16:00 .
    drwxrwxr-x.  3 unconfined_u:object_r:var_t:s0 hguser repo_users 4.0K Aug 24 13:24 AStyle

And the document root /var/mercurial looks like this:

    drwxrwxr-x. 2 unconfined_u:object_r:var_t:s0 hguser repo_users 4.0K Oct  2  2014 .
    -rw-rw-r--. 1 unconfined_u:object_r:var_t:s0 hguser repo_users  12K Dec 19  2012 dummy.html
I don't know much about security contexts and labels and whatever, but the above looks too plain to be correct. Unfortunately, without some kind of error messages logged somewhere, I do not know where to begin.
Finally, I set SELinux to permissive, and of course that "fixed" the issue. Pushes no longer fail. But it is not acceptable to stay in permissive mode. How can I find what the true problem is, correct that, and return to enforcing mode?
FYI, the Mercurial hgweb interface is done in Python CGI. I will next try grepping and journalctl for python, and see where that gets me.
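The two checks the question circles around (are the files labelled with a type httpd may use, and does the audit log actually contain an AVC denial for httpd) can be scripted. The following is an added example, not code from the original post; it runs on constructed `ls -lZ` and audit.log lines embedded in the script so it works offline, and the sample paths, inode numbers and timestamps are made up. On a real host you would feed it the output of `ls -lZ <dir>` and the contents of /var/log/audit/audit.log instead.

```shell
#!/bin/sh
# Added example (not from the original post). Two checks for the situation
# described: (1) list entries whose SELinux type is not an httpd_* type in
# `ls -lZ` output, and (2) find and summarise AVC denials whose source
# process is httpd in audit.log lines. The input below is constructed.

# Constructed `ls -lZ` listing modelled on the post's output. Field 3 is the
# SELinux context (user:role:type:level); the third component is the type.
SAMPLE_LS='drwxrwxr-x. 47 unconfined_u:object_r:var_t:s0 hguser repo_users 4.0K Aug 13 16:00 .
drwxrwxr-x. 3 unconfined_u:object_r:var_t:s0 hguser repo_users 4.0K Aug 24 13:24 AStyle
-rw-r--r--. 1 system_u:object_r:httpd_sys_content_t:s0 hguser repo_users 1.2K Oct 2 2014 hgweb.cgi'

# Constructed audit.log lines: one AVC denial for httpd writing to a var_t
# directory (the label seen in the post), and one unrelated record.
SAMPLE_AUDIT='type=AVC msg=audit(1440000000.123:456): avc:  denied  { write } for  pid=1234 comm="httpd" name="store" dev="dm-0" ino=789 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_t:s0 tclass=dir permissive=0
type=USER_LOGIN msg=audit(1440000001.000:457): pid=1 uid=0 auid=1000 ses=2 msg="op=login id=1000 exe=/usr/sbin/sshd res=success"'

# Print the name of every entry whose SELinux type does not start with
# "httpd_". The confined httpd_t domain can only read httpd_sys_content_t
# style types and only write httpd_sys_rw_content_t, so anything else (such
# as var_t) is a candidate cause of "Permission denied" from the web server.
entries_not_labelled_for_httpd() {
    printf '%s\n' "$1" | awk '{
        split($3, ctx, ":")
        if (ctx[3] !~ /^httpd_/) print $NF
    }'
}

# Count AVC denial records whose source process is httpd.
# `grep -c` exits 1 when the count is 0; `|| true` keeps `set -e` happy.
count_httpd_denials() {
    printf '%s\n' "$1" | grep -c 'type=AVC .*avc:  denied .*comm="httpd"' || true
}

# Reduce each httpd AVC denial to "<permission> <class> <target type>",
# which is the triple you need to decide the correct label for the target.
denial_summary() {
    printf '%s\n' "$1" | awk '/type=AVC/ && /comm="httpd"/ {
        perm = $0; sub(/.*denied  [{] /, "", perm); sub(/ [}].*/, "", perm)
        tctx = $0; sub(/.*tcontext=/, "", tctx); sub(/ .*/, "", tctx)
        split(tctx, t, ":")
        cls = $0; sub(/.*tclass=/, "", cls); sub(/ .*/, "", cls)
        print perm, cls, t[3]
    }'
}

# Demonstration on the constructed input.
echo "Entries not labelled for httpd:"
entries_not_labelled_for_httpd "$SAMPLE_LS"
echo "httpd AVC denials: $(count_httpd_denials "$SAMPLE_AUDIT")"
denial_summary "$SAMPLE_AUDIT"

# On a real host (not run here):
#   entries_not_labelled_for_httpd "$(ls -lZ /var/repositories/mercurial)"
#   denial_summary "$(cat /var/log/audit/audit.log)"
```

If the listing check reports entries but the audit log check reports no denials even while enforcing mode breaks pushes, the denial is usually being hidden by a dontaudit rule; `semodule -DB` rebuilds the policy with dontaudit rules disabled so the AVC appears, and `semodule -B` restores them afterwards. Once the summary shows something like `write dir var_t`, the usual remediation is to record the right label for a directory httpd must write to with `semanage fcontext -a -t httpd_sys_rw_content_t "/path/to/repo(/.*)?"` and apply it with `restorecon -Rv /path/to/repo`, rather than staying in permissive mode.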