[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Setting up CVS repository and avoiding Selinux issues?

On 04/29/2009 11:20 AM, Daniel B. Thurman wrote:
Daniel J Walsh wrote:
On 04/28/2009 10:07 PM, Daniel B. Thurman wrote:

I am trying to get my CVS repository setup. Apparently,
it appears that the repository must be in the root directory,
otherwise I get selinux permission denials.

What I tried to do initially was to locate the repository
on a NTFS filesystem for which the context is fusefs
which could not be changed, no matter what I tried.
I got selinux permission errors.

Giving that up, I moved the repository to a ext3 filesystem
located on a separate drive/partition, mounted on /f-App1,
where the repository is located @ /f-App1/Develop/cvs, and did:

cd /f-App1/Develop/
chown -R cvs:cvs cvs
chcon -R -t cvs_data_t cvs
find cvs -type d -exec chmod 755 {} \;
find cvs -type t -exec chmod 754 {} \;
ln -s /f-App1/Develop/cvs /cvs

and I got selinux complaining that the files are not /cvs rooted.

So I did:

cp -a /f-App1/Develop/cvs /cvs1
rm -f /cvs
ln -s /cvs1 /cvs

And it worked.

How can I place my repository in a non-rooted, non-standard
repository location and avoid the selinux complaints?

I blogged on your email


Thanks a lot Dan! I will see what I can do to resolve
my CVS issues. Please read my posting in reply to Todd
Dennison. I was asking myself why the "all or nothing
proposition", and about using selinux context with more
flexibility than what we have? I understand that security
prevails over flexibility but I was wondering if there was
a way to gain more flexibility and yet still retain security?

Well I would argue they are very flexible. I did give you a couple of solutions but there are theoretically multiple others.

And I am always willing to accept other solutions.

svn and git seem to be using http_sys_content_t for their context so I guess we could attempt to allow those domains access to cvs_data?
For example, if multiple context / file was possible, then
one could theoretically traverse from the top of the tree
to allow passage to the leaf of the tree? Yes I can imagine
it is a bit more complexity, but... if security is not compromised,
then, perhaps it's worth it?

I guess maybe we should have had this conversation on the blog. There are many context that most confined services can traverse. For example usr_t, etc_t, var_t

I have added a comment to my blog.
PS: For some reason or another, I am no longer receiving
Fedora SeLinux mailing list postings. Is the Fedora SeLinux
mailing list still active?

Yes.  This list is still available.

Last message is 4/28 fron me.  :^)

Kind regards,

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]