CVS Servers [SOLVED]

Daniel B. Thurman dant at cdkkt.com
Thu Feb 14 19:47:39 UTC 2008


On Thu, 2008-02-14 at 11:25 -0800, Daniel B. Thurman wrote:

> 
> On Thu, 2008-02-14 at 11:19 -0800, Daniel B. Thurman wrote:
> 
> > 
> > On Thu, 2008-02-14 at 11:13 -0800, Daniel B. Thurman wrote:
> > 
> > > 
> > > On Thu, 2008-02-14 at 10:16 -0800, Daniel B. Thurman wrote:
> > > 
> > > > 
> > > > On Wed, 2008-02-13 at 18:23 -0800, Daniel B. Thurman wrote:
> > > > 
> > > > > In one of the Fedora CVS server setups, it says that if the
> > > > > administrator wants to use a simple pserver remote string
> > > > > such as:
> > > > > 
> > > > > export CVSROOT=':pserver:<username>@<systemname>:/cvs'
> > > > > 
> > > > > Then one has to:
> > > > > 
> > > > > 1) /etc/xinetd.d/cvs:
> > > > >     server_args             = -f --allow-root=/cvs pserver
> > > > > 2) ln -s /var/cvs /cvs
> > > > > 
> > > > > But the problem here is that SELinux has no context for
> > > > > the symbolic link /cvs, therefore denies access.
> > > > > 
> > > > > I tried setting context for /cvs by:
> > > > > 1) chcon -t cvs_data_t
> > > > > 
> > > > > No dice.  Does not work.
> > > > > 
> > > > > To see if I can cvs login bypassing SELinux, I tried:
> > > > > 1) setenforce 0
> > > > > 2) cvs login (successfully)
> > > > > 3) setenforce 1
> > > > > 
> > > > > So, what can I do to get SELinux to authorize the /cvs
> > > > > symbolic link access to /var/cvs?
> > > > > 
> > > > > Thanks-
> > > > > Dan 
> > > > 
> > > > 
> > > > Apologies to all.  It turns out that my email spam system was
> > > > blocking me from receiving email responses I was waiting for!
> > > > Geez, I will have to add another TODO to my list.
> > > > 
> > > > To Paul: Can you explain what you mean by: "maybe try a bind
> > > > mount instead of a symlink?"
> > > 
> > > 
> > > I looked it up and understood a bind mount.  Answer is nope!
> > > 
> > > Bind mount:
> > > ========


Ok, the issue is solved.  What I did not know is, you need to make sure
that when you create an empty directory, you also need to make sure that
the ownership of that directory is: cvs:cvs before bind mounting.  So:

1) mkdir /cvs
2) chown cvs:cvs /cvs

then

3) mount --bind /var/cvs /cvs

it all works now!


> > > mount --bind /var/cvs /cvs
> > > 
> > > ls -ldZ /cvs:
> > > =======
> > > drwxr-xr-x  cvs cvs system_u:object_r:cvs_t:s0       /cvs
> > > So, the context is right, but still get a Permissions denied.
> > > 
> > > /sbin/ausearch -i -m AVC
> > > ================
> > > type=SYSCALL msg=audit(02/14/2008 11:08:09.984:7732) : arch=i386
> > > syscall=fchmodat success=no exit=-13(Permission denied)
> > > a0=ffffff9c a1=94848d8 a2=1fd a3=94848d8 items=0 ppid=23862
> > > pid=20445 auid=dant uid=root gid=root euid=root suid=root
> > > fsuid=root egid=root sgid=root fsgid=root tty=pts7 comm=chmod
> > > exe=/bin/chmod subj=system_u:system_r:unconfined_t:s0 key=(null) 
> > > type=AVC msg=audit(02/14/2008 11:08:09.984:7732) : avc:  denied
> > > { setattr } for  pid=20445 comm=chmod name=cvs dev=sdb5 ino=819450
> > > scontext=system_u:system_r:unconfined_t:s0
> > > tcontext=system_u:object_r:cvs_t:s0 tclass=dir 
> > 
> > 
> > Oh rats!  This error above was for something else!  My mistake!!!!
> > 
> > I had to try logging in at the remote system but failed several
> > times, but after the 3rd try, I finally got in.  Not sure why the
> > login process stumbled.
> > 
> > So, it DOES work!
> > 
> 
> 
> But I am having a problem with getting Eclipse's SVN to open a single
> file:
> 
> The server reported an error while performing the "cvs status"
> command.
>   HelloWorld: cvs status: failed to create lock directory for
> `/cvs/Eclipse/C/Examples/HelloWorld' (/cvs/Eclipse/C/Examples/HelloWorld/#cvs.lock): Permission denied
>   HelloWorld: cvs status: failed to obtain dir lock in repository
> `/cvs/Eclipse/C/Examples/HelloWorld'
>   HelloWorld: cvs [status aborted]: read lock failed - giving up
> 
> Not sure why it is not able to lock this file for
> checkout/examination.  Any ideas?


See note above...


> > > > To Stephen: "/sbin/ausearch -i -m AVC"
> > > > type=SYSCALL msg=audit(02/13/2008 19:17:32.484:5097) : arch=i386
> > > > syscall=open success=no exit=-13(Permission denied) a0=8faf660
> > > > a1=8000 a2=1b6 a3=8fafa58 items=0 ppid=25427 pid=27015 auid=dant
> > > > uid=root gid=root euid=root suid=root fsuid=root egid=root
> > > > sgid=root fsgid=root tty=(none) comm=cvs exe=/usr/bin/cvs
> > > > subj=system_u:system_r:cvs_t:s0-s0:c0.c1023 key=(null) 
> > > > type=AVC msg=audit(02/13/2008 19:17:32.484:5097) : avc:  denied
> > > > { read } for  pid=27015 comm=cvs name=cvs dev=sdb5 ino=49172
> > > > scontext=system_u:system_r:cvs_t:s0-s0:c0.c1023
> > > > tcontext=system_u:object_r:default_t:s0 tclass=lnk_file 
> > > > 
> > > > Thanks for responding!
> > > > Dan 


But of course, what about the symlink method?
Is this now a moot issue and can be ignored?
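
Added example, not part of the original message: a small Python parser for the `ausearch -i -m AVC` records quoted in this thread, showing which denial belongs to the `cvs_t` domain (the `read` on the `default_t` symlink) and which one came from an unrelated `chmod` run. The sample text is the thread's two AVC records with quote markers removed; the function names and the `triage` wording are assumptions of this example.

```python
import re

# The two AVC records from this thread, still line-wrapped as in the mail.
SAMPLE = """\
type=AVC msg=audit(02/13/2008 19:17:32.484:5097) : avc:  denied
{ read } for  pid=27015 comm=cvs name=cvs dev=sdb5 ino=49172
scontext=system_u:system_r:cvs_t:s0-s0:c0.c1023
tcontext=system_u:object_r:default_t:s0 tclass=lnk_file
type=AVC msg=audit(02/14/2008 11:08:09.984:7732) : avc:  denied
{ setattr } for  pid=20445 comm=chmod name=cvs dev=sdb5 ino=819450
scontext=system_u:system_r:unconfined_t:s0
tcontext=system_u:object_r:cvs_t:s0 tclass=dir
"""

# One record runs from "type=AVC" to the next "type=<X> msg=" or end of text.
AVC_RE = re.compile(r"type=AVC .*?avc: denied \{(?P<perms>[^}]*)\} for "
                    r"(?P<kv>.*?)(?= type=\w+ msg=|$)")

def selinux_type(context):
    # Context is user:role:type:level; the level may itself contain ':'.
    return context.split(":")[2]

def parse_avc(text):
    flat = " ".join(text.split())  # undo mail/terminal line wrapping
    denials = []
    for m in AVC_RE.finditer(flat):
        kv = dict(t.split("=", 1) for t in m.group("kv").split() if "=" in t)
        denials.append({
            "perms": m.group("perms").split(),
            "comm": kv.get("comm"),
            "name": kv.get("name"),
            "source_type": selinux_type(kv["scontext"]),
            "target_type": selinux_type(kv["tcontext"]),
            "tclass": kv["tclass"],
        })
    return denials

def triage(d, domain="cvs_t"):
    # Separate denials of the confined daemon from noise by other processes.
    if d["source_type"] != domain:
        return "unrelated: denied process runs as %s, not %s" % (
            d["source_type"], domain)
    what = "symlink itself" if d["tclass"] == "lnk_file" else d["tclass"]
    return "%s denied %s on %s '%s' labelled %s" % (
        domain, ",".join(d["perms"]), what, d["name"], d["target_type"])

if __name__ == "__main__":
    for denial in parse_avc(SAMPLE):
        print(triage(denial))
```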
