SeLinux Setting for Mercurial Web Access

If you use the Mercurial Revision Control System or HG, you may set up a Mercurial CGI Server integrating with a HTTP server, such as the Apache HTTP server so that you can provide read and write access via HTTPS.

The Mercurial official website provides a well-written documentation for this. However, you may run into the 501 Internal Server Error when you try to browse the repository via the Web or encounter the 500 Permission Denied Error when you try to push your local changes to the remote Mercurial repository via the HTTPS protocol. These errors often occur when you have SeLinux enabled.

The following provides a simple script to set up the proper SeLinux context for Mercurial repositories.

Assume the parent directory of all your Mercurial repositories is in the environment variable HG_PARENT_DIR, the Apache HTTP server is run as user belonging to group stored in environment variable HTTP_GROUP, and you wish the user whose username's value in environment variable HG_USER to manage all your Mercurial repositories. You can set up the proper SeLinux context using the following commands on a Linux shell by initially assigning hguser, apache, and /home/hg to environment variables HG_USER, HG_GROUP, and HG_PARENT_DIR.

HG_USER=hguser
HTTP_GROUP=apache
HG_PARENT_DIR=/home/hg
chown -R ${HG_USER}:${HTTP_GROUP} $HG_PARENT_DIR$
chmod -R ug+rw  $HG_PARENT_DIR$
chcon -R -t httpd_content_t $HG_PARENT_DIR$
find $HG_PARENT_DIR$ -name .hg -exec chcon -R -t httpd_sys_content_rw_t {} \;
find $HG_PARENT_DIR$ -name \*.cgi -exec chcon -t httpd_sys_script_exec_t {} \;

The above script does not give the HTTP Web server process any more permissions than necessary, but does give and confine the required permissions to your Mercurial repositories.