CVS Servers

Daniel B. Thurman dant at cdkkt.com
Thu Feb 14 19:13:36 UTC 2008


On Thu, 2008-02-14 at 10:16 -0800, Daniel B. Thurman wrote:

> 
> On Wed, 2008-02-13 at 18:23 -0800, Daniel B. Thurman wrote:
> 
> > In one of the Fedora CVS server setups, it says that if the
> > administrator wants to use a simple pserver remote string
> > such as:
> > 
> > export CVSROOT=':pserver:<username>@<systemname>:/cvs'
> > 
> > Then one has to:
> > 
> > 1) /etc/xinetd.d/cvs:
> >     server_args             = -f --allow-root=/cvs pserver
> > 2) ln -s /var/cvs /cvs
> > 
> > But the problem here is that SELinux has no context for
> > the symbolic link /cvs, therefore denies access.
> > 
> > I tried setting context for /cvs by:
> > 1) chcon -t cvs_data_t
> > 
> > No dice.  Does not work.
> > 
> > To see if I can cvs login bypassing SELinux, I tried:
> > 1) setenforce 0
> > 2) cvs login (successfully)
> > 3) setenforce 1
> > 
> > So, what can I do to get SELinux to authorize the /cvs symbolic link
> > access to /var/cvs?
> > 
> > Thanks-
> > Dan 
> 
> 
> Apologies to all.  It turns out that my email spam system was blocking
> me from receiving email responses I was waiting for!  Geez, I will have
> to add another TODO to my list.
> 
> To Paul: Can you explain what you mean by: "maybe try a bind mount
> instead of a symlink?"


I looked it up and understood a bind mount.  Answer is nope!

Bind mount:
========
mount --bind /var/cvs /cvs

ls -ldZ /cvs:
=======
drwxr-xr-x  cvs cvs system_u:object_r:cvs_t:s0       /cvs

So, the context is right, but still get a Permissions denied.

/sbin/ausearch -i -m AVC
================
type=SYSCALL msg=audit(02/14/2008 11:08:09.984:7732) : arch=i386
syscall=fchmodat success=no exit=-13(Permission denied) a0=ffffff9c
a1=94848d8 a2=1fd a3=94848d8 items=0 ppid=23862 pid=20445 auid=dant
uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root
fsgid=root tty=pts7 comm=chmod exe=/bin/chmod
subj=system_u:system_r:unconfined_t:s0 key=(null) 
type=AVC msg=audit(02/14/2008 11:08:09.984:7732) : avc:  denied
{ setattr } for  pid=20445 comm=chmod name=cvs dev=sdb5 ino=819450
scontext=system_u:system_r:unconfined_t:s0
tcontext=system_u:object_r:cvs_t:s0 tclass=dir 


> To Stephen: "/sbin/ausearch -i -m AVC"
> type=SYSCALL msg=audit(02/13/2008 19:17:32.484:5097) : arch=i386
> syscall=open success=no exit=-13(Permission denied) a0=8faf660 a1=8000
> a2=1b6 a3=8fafa58 items=0 ppid=25427 pid=27015 auid=dant uid=root
> gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root
> tty=(none) comm=cvs exe=/usr/bin/cvs
> subj=system_u:system_r:cvs_t:s0-s0:c0.c1023 key=(null) 
> type=AVC msg=audit(02/13/2008 19:17:32.484:5097) : avc:  denied
> { read } for  pid=27015 comm=cvs name=cvs dev=sdb5 ino=49172
> scontext=system_u:system_r:cvs_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:default_t:s0 tclass=lnk_file 
> 
> Thanks for responding!
> Dan 
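
Added example, not part of the original message: a small Python parser that pulls the permission, source type, target type and object class out of the two AVC records posted above, coping with the hard line wraps and ">" quoting of the mail archive. The names parse_avc and summarize are hypothetical helpers introduced for this illustration.

```python
import re

# AVC records copied from the message above, hard line wraps kept as posted.
SAMPLE = """\
type=AVC msg=audit(02/14/2008 11:08:09.984:7732) : avc:  denied
{ setattr } for  pid=20445 comm=chmod name=cvs dev=sdb5 ino=819450
scontext=system_u:system_r:unconfined_t:s0
tcontext=system_u:object_r:cvs_t:s0 tclass=dir
> type=AVC msg=audit(02/13/2008 19:17:32.484:5097) : avc:  denied
> { read } for  pid=27015 comm=cvs name=cvs dev=sdb5 ino=49172
> scontext=system_u:system_r:cvs_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:default_t:s0 tclass=lnk_file
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<stamp>[^)]*)\) : avc: denied "
    r"\{ (?P<perms>[^}]*) \} for (?P<fields>.*?)(?= type=|$)"
)

def parse_avc(text):
    """Return one dict per AVC denial in wrapped, possibly '>'-quoted text."""
    # Drop mail quote markers, then undo the wrapping by collapsing whitespace.
    lines = [re.sub(r"^(>\s?)+", "", ln) for ln in text.splitlines()]
    flat = " ".join(" ".join(lines).split())
    denials = []
    for m in AVC_RE.finditer(flat):
        kv = dict(p.split("=", 1) for p in m["fields"].split() if "=" in p)
        denials.append({
            "serial": m["stamp"].rsplit(":", 1)[-1],
            "perms": m["perms"].split(),
            "comm": kv.get("comm"),
            "name": kv.get("name"),
            "tclass": kv.get("tclass"),
            # An SELinux context is user:role:type:level; the type is field 3.
            "source_type": kv["scontext"].split(":")[2],
            "target_type": kv["tcontext"].split(":")[2],
        })
    return denials

def summarize(d):
    return (f"{d['source_type']} ({d['comm']}) denied {','.join(d['perms'])} "
            f"on {d['tclass']} '{d['name']}' labelled {d['target_type']}")

if __name__ == "__main__":
    for denial in parse_avc(SAMPLE):
        print(denial["serial"], summarize(denial))
```

The summaries make the difference between the two denials visible at a glance: in one the cvs_t daemon is refused read on a lnk_file labelled default_t, in the other chmod running as unconfined_t is refused setattr on a dir labelled cvs_t.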