On Thu, 2008-02-14 at 11:47 -0800, Daniel B. Thurman wrote:
>
> On Thu, 2008-02-14 at 11:25 -0800, Daniel B. Thurman wrote:
> >
> > On Thu, 2008-02-14 at 11:19 -0800, Daniel B. Thurman wrote:
> > >
> > > On Thu, 2008-02-14 at 11:13 -0800, Daniel B. Thurman wrote:
> > > >
> > > > On Thu, 2008-02-14 at 10:16 -0800, Daniel B. Thurman wrote:
> > > > >
> > > > > On Wed, 2008-02-13 at 18:23 -0800, Daniel B. Thurman wrote:
> > > > > > In one of the Fedora CVS server setups, it says that if the
> > > > > > administrator wants to use a simple pserver remote string
> > > > > > such as:
> > > > > >
> > > > > > export CVSROOT=':pserver:<username>@<systemname>:/cvs'
> > > > > >
> > > > > > Then one has to:
> > > > > >
> > > > > > 1) /etc/xinetd.d/cvs:
> > > > > >    server_args = -f --allow-root=/cvs pserver
> > > > > > 2) ln -s /var/cvs /cvs
> > > > > >
> > > > > > But the problem here is that SELinux has no context for
> > > > > > the symbolic link /cvs, therefore denies access.
> > > > > >
> > > > > > I tried setting context for /cvs by:
> > > > > > 1) chcon -t cvs_data_t
> > > > > >
> > > > > > No dice. Does not work.
> > > > > >
> > > > > > To see if I can cvs login bypassing SELinux, I tried:
> > > > > > 1) setenforce 0
> > > > > > 2) cvs login (successfully)
> > > > > > 3) setenforce 1
> > > > > >
> > > > > > So, what can I do to get SELinux to authorize the /cvs
> > > > > > symbolic link access to /var/cvs?
> > > > > >
> > > > > > Thanks-
> > > > > > Dan
> > > > >
> > > > > Apologies to all. It turns out that my email spam system was
> > > > > blocking me from receiving email responses I was waiting for!
> > > > > Geez, I will have to add another TODO to my list.
> > > > >
> > > > > To Paul: Can you explain what you mean by: "maybe try a bind
> > > > > mount instead of a symlink?"
> > > >
> > > > I looked it up and understood a bind mount. Answer is nope!
> > > >
> > > > Bind mount:
> > > > ========
>
> Ok, the issue is solved.
> What I did not know is, you need to make sure that when you create an
> empty directory, you also need to make sure that the ownership of that
> directory is: cvs:cvs before bind mounting. So:
>
> 1) mkdir /cvs
> 2) chown cvs:cvs /cvs
>
> then
>
> 3) mount --bind /var/cvs /cvs
>
> it all works now!
>
> > > > mount --bind /var/cvs /cvs
> > > >
> > > > ls -ldZ /cvs:
> > > > =======
> > > > drwxr-xr-x cvs cvs system_u:object_r:cvs_t:s0 /cvs
> > > > So, the context is right, but still get a Permissions denied.
> > > >
> > > > /sbin/ausearch -i -m AVC
> > > > ================
> > > > type=SYSCALL msg=audit(02/14/2008 11:08:09.984:7732) : arch=i386
> > > > syscall=fchmodat success=no exit=-13(Permission denied)
> > > > a0=ffffff9c a1=94848d8 a2=1fd a3=94848d8 items=0 ppid=23862
> > > > pid=20445 auid=dant uid=root gid=root euid=root suid=root
> > > > fsuid=root egid=root sgid=root fsgid=root tty=pts7 comm=chmod
> > > > exe=/bin/chmod subj=system_u:system_r:unconfined_t:s0
> > > > key=(null)
> > > > type=AVC msg=audit(02/14/2008 11:08:09.984:7732) : avc: denied
> > > > { setattr } for pid=20445 comm=chmod name=cvs dev=sdb5
> > > > ino=819450 scontext=system_u:system_r:unconfined_t:s0
> > > > tcontext=system_u:object_r:cvs_t:s0 tclass=dir
> > >
> > > Oh rats! This error above was for something else! My mistake!!!!
> > >
> > > I had to try logging in at the remote system but failed several
> > > times, but after the 3rd try, I finally got in. Not sure why the
> > > login process stumbled.
> > >
> > > So, it DOES work!
> > >
> >
> > But I am having a problem with getting Eclipse's SVN to open a
> > single file:
> >
> > The server reported an error while performing the "cvs status"
> > command.
> > HelloWorld: cvs status: failed to create lock directory for
> > `/cvs/Eclipse/C/Examples/HelloWorld' (/cvs/Eclipse/C/Examples/HelloWorld/#cvs.lock): Permission denied
> > HelloWorld: cvs status: failed to obtain dir lock in repository
> > `/cvs/Eclipse/C/Examples/HelloWorld'
> > HelloWorld: cvs [status aborted]: read lock failed - giving up
> >
> > Not sure why it is not able to lock this file for
> > checkout/examination. Any ideas?
>
> See note above...
>
> > > > > To Stephen: "/sbin/ausearch -i -m AVC"
> > > > > type=SYSCALL msg=audit(02/13/2008 19:17:32.484:5097) :
> > > > > arch=i386 syscall=open success=no exit=-13(Permission denied)
> > > > > a0=8faf660 a1=8000 a2=1b6 a3=8fafa58 items=0 ppid=25427
> > > > > pid=27015 auid=dant uid=root gid=root euid=root suid=root
> > > > > fsuid=root egid=root sgid=root fsgid=root tty=(none) comm=cvs
> > > > > exe=/usr/bin/cvs subj=system_u:system_r:cvs_t:s0-s0:c0.c1023
> > > > > key=(null)
> > > > > type=AVC msg=audit(02/13/2008 19:17:32.484:5097) : avc:
> > > > > denied { read } for pid=27015 comm=cvs name=cvs dev=sdb5
> > > > > ino=49172 scontext=system_u:system_r:cvs_t:s0-s0:c0.c1023
> > > > > tcontext=system_u:object_r:default_t:s0 tclass=lnk_file
> > > > >
> > > > > Thanks for responding!
> > > > > Dan
>
> But of course, what about the symlink method?
> Is this now a moot issue and can be ignored?

Did you try what I suggested for it?

# semanage fcontext -a -t cvs_data_t /cvs
# /sbin/restorecon -v /cvs

-- 
Stephen Smalley
National Security Agency

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
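
Added example, not part of the original thread: a small triage script that parses the two AVC denials quoted above, keeps only those raised by the cvs daemon's domain (cvs_t), and flags targets that were never labelled, which is the case the semanage/restorecon suggestion addresses. The function names and the set of "unlabelled" types are assumptions of this example; the sample records are the thread's own, rejoined onto single lines.

```python
import re

# Constructed input: the two AVC records quoted in the thread, each rejoined
# onto the single line that `ausearch -i -m AVC` prints.
SAMPLE = (
    "type=AVC msg=audit(02/14/2008 11:08:09.984:7732) : avc: denied "
    "{ setattr } for pid=20445 comm=chmod name=cvs dev=sdb5 ino=819450 "
    "scontext=system_u:system_r:unconfined_t:s0 "
    "tcontext=system_u:object_r:cvs_t:s0 tclass=dir\n"
    "type=AVC msg=audit(02/13/2008 19:17:32.484:5097) : avc: denied "
    "{ read } for pid=27015 comm=cvs name=cvs dev=sdb5 ino=49172 "
    "scontext=system_u:system_r:cvs_t:s0-s0:c0.c1023 "
    "tcontext=system_u:object_r:default_t:s0 tclass=lnk_file\n"
)

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")

# Assumption of this example: types meaning "no file-context rule matched" or
# "never labelled", where the fix is labelling rather than new allow rules.
UNLABELLED_TYPES = {"default_t", "file_t", "unlabeled_t"}


def parse_avc(line):
    """Return one denial as a dict, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    kv = dict(f.split("=", 1) for f in m.group(2).split() if "=" in f)
    if "scontext" not in kv or "tcontext" not in kv:
        return None
    return {
        "perms": m.group(1).split(),
        "comm": kv.get("comm", "").strip('"'),
        "source_type": kv["scontext"].split(":")[2],  # user:role:type:level
        "target_type": kv["tcontext"].split(":")[2],
        "tclass": kv.get("tclass"),
    }


def denials_for_domain(text, domain):
    """Keep only denials whose source (process) type is `domain`."""
    parsed = (parse_avc(line) for line in text.splitlines())
    return [d for d in parsed if d and d["source_type"] == domain]


def needs_relabel(denial):
    """True when the denied target carries a 'never labelled' type."""
    return denial["target_type"] in UNLABELLED_TYPES


if __name__ == "__main__":
    for d in denials_for_domain(SAMPLE, "cvs_t"):
        action = "label the target" if needs_relabel(d) else "review policy"
        print(d["comm"], d["perms"], d["tclass"], d["target_type"], "->", action)
```

Filtering on the source type separates the daemon's denial (read on a lnk_file labelled default_t) from the chmod denial raised in unconfined_t, which the poster identified as unrelated.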