Re: Setting up CVS repository and avoiding Selinux issues?
On 04/28/2009 10:07 PM, Daniel B. Thurman wrote:
> I am trying to get my CVS repository set up. Apparently, it appears that the repository must be in the root directory, otherwise I get selinux permission denials.
>
> What I tried to do initially was to locate the repository on an NTFS filesystem for which the context is fusefs which could not be changed, no matter what I tried. I got selinux permission errors.
>
> Giving that up, I moved the repository to an ext3 filesystem located on a separate drive/partition, mounted on /f-App1, where the repository is located @ /f-App1/Develop/cvs, and did:
>
> cd /f-App1/Develop/
> chown -R cvs:cvs cvs
> chcon -R -t cvs_data_t cvs
> find cvs -type d -exec chmod 755 {} \;
> find cvs -type f -exec chmod 754 {} \;
> ln -s /f-App1/Develop/cvs /cvs
>
> and I got selinux complaining that the files are not /cvs rooted.
>
> So I did:
>
> cp -a /f-App1/Develop/cvs /cvs1
> rm -f /cvs
> ln -s /cvs1 /cvs
>
> And it worked.
>
> How can I place my repository in a non-rooted, non-standard repository location and avoid the selinux complaints?

I blogged on your email http://danwalsh.livejournal.com/28027.html

-- 
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
Re: Setting up CVS repository and avoiding Selinux issues?
Daniel B. Thurman wrote, On 04/28/2009 10:07 PM:
> I am trying to get my CVS repository set up. Apparently, it appears that the repository must be in the root directory, otherwise I get selinux permission denials.
>
> What I tried to do initially was to locate the repository on an NTFS filesystem for which the context is fusefs which could not be changed, no matter what I tried. I got selinux permission errors.

using a non Unix file system on a Unix system for your CVS repo will likely cause much hate and discontent while trying to manage permissions.

> Giving that up, I moved the repository to an ext3 filesystem located on a separate drive/partition, mounted on /f-App1, where the repository is located @ /f-App1/Develop/cvs, and did:
>
> cd /f-App1/Develop/
> chown -R cvs:cvs cvs
> chcon -R -t cvs_data_t cvs
> find cvs -type d -exec chmod 755 {} \;
> find cvs -type f -exec chmod 754 {} \;
> ln -s /f-App1/Develop/cvs /cvs

Are you looking to use :pserver: here? Have you considered ssh?

> and I got selinux complaining that the files are not /cvs rooted.

Can you give the ACTUAL error(s) from selinux CVS?

> So I did:
>
> cp -a /f-App1/Develop/cvs /cvs1
> rm -f /cvs
> ln -s /cvs1 /cvs
>
> And it worked.
>
> How can I place my repository in a non-rooted, non-standard repository location and avoid the selinux complaints?

I am interested, because I maintain CVS repos on older systems that will probably migrate when RHEL 6 comes out, but Dan Walsh's blog site is not accessible.

-- 
Todd Denniston
Crane Division, Naval Surface Warfare Center (NSWC Crane)
Harnessing the Power of Technology for the Warfighter
Re: Setting up CVS repository and avoiding Selinux issues?
Todd Denniston wrote:
> Daniel B. Thurman wrote, On 04/28/2009 10:07 PM:
>> I am trying to get my CVS repository set up. Apparently, it appears that the repository must be in the root directory, otherwise I get selinux permission denials.
>>
>> What I tried to do initially was to locate the repository on an NTFS filesystem for which the context is fusefs which could not be changed, no matter what I tried. I got selinux permission errors.
>
> using a non Unix file system on a Unix system for your CVS repo will likely cause much hate and discontent while trying to manage permissions.

Why? Dan Walsh says it's possible. My goal was simply to be able to serve CVS repositories if I decided to reboot under a different OS (Win2K, XP, or Vista w/ cvsnt server) where my common repository resides. That is why I use both ext3 NTFS, serving the common denominator. It works for me for many applications, just that I haven't solved the CVS issue yet.

>> Giving that up, I moved the repository to an ext3 filesystem located on a separate drive/partition, mounted on /f-App1, where the repository is located @ /f-App1/Develop/cvs, and did:
>>
>> cd /f-App1/Develop/
>> chown -R cvs:cvs cvs
>> chcon -R -t cvs_data_t cvs
>> find cvs -type d -exec chmod 755 {} \;
>> find cvs -type f -exec chmod 754 {} \;
>> ln -s /f-App1/Develop/cvs /cvs
>
> Are you looking to use :pserver: here? Have you considered ssh?

I am using :pserver:. Just have not yet figured out how to use ssh and make this work for all of the above mentioned OSes, and so pserver seems to work with all of the above OSes.

>> and I got selinux complaining that the files are not /cvs rooted.
>
> Can you give the ACTUAL error(s) from selinux CVS?

I have the errors from selinux, but was not sure where to find the errors from cvs, as I have no clue where the logs are kept. I looked in /var/log directory and did not find any cvs logs, so if you know, please let me know? I have added Dan's blog to the end of this message, so that you can read what he said.

It is interesting to note in DW's blog that selinux context labels (at least in the CVS case), may be an all or nothing proposition. What if I also wish to have SVN right next to CVS, what are my options? cvs_data_t OR svn_data_t? So does that mean I cannot have both CVS and SVN in a common directory? Ugh. I'll live. ;) I wonder if it is possible to have multiple contexts for a file such as cvs_data_t | svn_data_t which in this case is an OR operation, uh, I am digressing, but still, it seems perhaps we need more selinux flexibility?

Anyway, the following is a direct CVS login error, when selinux context are not fully root treed with cvs_data_t and according to DW:

# cvs login
Logging in to :pserver:d...@gold:2401/cvs
CVS password:
cvs [login aborted]: unrecognized auth response from gold: cvs pserver: cannot open /cvs/CVSROOT/config: Permission denied

[1] It seems, from what I read on DW's blog, that selinux is an all or nothing proposition unless special steps are taken to root mount the middle tree of the tree repository directory as in the case to make the repository seen as rooted even though it actually resides somewhere in the depths of the?

Summary:

SELinux is preventing access to files with the default label, default_t.

Detailed Description:

SELinux permission checks on files labeled default_t are being denied. These files/directories have the default label on them. This can indicate a labeling problem, especially if the files being referred to are not top level directories. Any files/directories under standard system directories, /usr, /var. /dev, /tmp, ..., should not be labeled with the default label. The default label is for files/directories which do not have a label on a parent directory. So if you create a new directory in / you might legitimately get this label.

Allowing Access:

If you want a confined domain to use these files you will probably need to relabel the file/directory with chcon. In some cases it is just easier to relabel the system, to relabel execute: touch /.autorelabel; reboot

Additional Information:

Source Context                unconfined_u:system_r:cvs_t:s0-s0:c0.c1023
Target Context                system_u:object_r:default_t:s0
Target Objects                / [ dir ]
Source                        cvs
Source Path                   /usr/bin/cvs
Port                          Unknown
Host                          gold.cdkkt.com
Source RPM Packages           cvs-1.11.22-14.fc9
Target RPM Packages           filesystem-2.4.13-1.fc9
Policy RPM                    selinux-policy-3.3.1-131.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   default
Host Name                     gold.cdkkt.com
Platform                      Linux
Re: Setting up CVS repository and avoiding Selinux issues?
Daniel J Walsh wrote:
> On 04/28/2009 10:07 PM, Daniel B. Thurman wrote:
>> I am trying to get my CVS repository set up. Apparently, it appears that the repository must be in the root directory, otherwise I get selinux permission denials.
>>
>> What I tried to do initially was to locate the repository on an NTFS filesystem for which the context is fusefs which could not be changed, no matter what I tried. I got selinux permission errors.
>>
>> Giving that up, I moved the repository to an ext3 filesystem located on a separate drive/partition, mounted on /f-App1, where the repository is located @ /f-App1/Develop/cvs, and did:
>>
>> cd /f-App1/Develop/
>> chown -R cvs:cvs cvs
>> chcon -R -t cvs_data_t cvs
>> find cvs -type d -exec chmod 755 {} \;
>> find cvs -type f -exec chmod 754 {} \;
>> ln -s /f-App1/Develop/cvs /cvs
>>
>> and I got selinux complaining that the files are not /cvs rooted.
>>
>> So I did:
>>
>> cp -a /f-App1/Develop/cvs /cvs1
>> rm -f /cvs
>> ln -s /cvs1 /cvs
>>
>> And it worked.
>>
>> How can I place my repository in a non-rooted, non-standard repository location and avoid the selinux complaints?
>
> I blogged on your email http://danwalsh.livejournal.com/28027.html

Thanks a lot Dan! I will see what I can do to resolve my CVS issues.

Please read my posting in reply to Todd Denniston. I was asking myself why the all or nothing proposition, and about using selinux context with more flexibility than what we have? I understand that security prevails over flexibility but I was wondering if there was a way to gain more flexibility and yet still retain security?

For example, if multiple context / file was possible, then one could theoretically traverse from the top of the tree to allow passage to the leaf of the tree? Yes I can imagine it is a bit more complexity, but... if security is not compromised, then, perhaps it's worth it?

PS: For some reason or another, I am no longer receiving Fedora SeLinux mailing list postings. Is the Fedora SeLinux mailing list still active?

Kind regards,
Dan
Re: Setting up CVS repository and avoiding Selinux issues?
On 04/29/2009 11:20 AM, Daniel B. Thurman wrote:
> Daniel J Walsh wrote:
>> On 04/28/2009 10:07 PM, Daniel B. Thurman wrote:
>>> I am trying to get my CVS repository set up. Apparently, it appears that the repository must be in the root directory, otherwise I get selinux permission denials.
>>>
>>> What I tried to do initially was to locate the repository on an NTFS filesystem for which the context is fusefs which could not be changed, no matter what I tried. I got selinux permission errors.
>>>
>>> Giving that up, I moved the repository to an ext3 filesystem located on a separate drive/partition, mounted on /f-App1, where the repository is located @ /f-App1/Develop/cvs, and did:
>>>
>>> cd /f-App1/Develop/
>>> chown -R cvs:cvs cvs
>>> chcon -R -t cvs_data_t cvs
>>> find cvs -type d -exec chmod 755 {} \;
>>> find cvs -type f -exec chmod 754 {} \;
>>> ln -s /f-App1/Develop/cvs /cvs
>>>
>>> and I got selinux complaining that the files are not /cvs rooted.
>>>
>>> So I did:
>>>
>>> cp -a /f-App1/Develop/cvs /cvs1
>>> rm -f /cvs
>>> ln -s /cvs1 /cvs
>>>
>>> And it worked.
>>>
>>> How can I place my repository in a non-rooted, non-standard repository location and avoid the selinux complaints?
>>
>> I blogged on your email http://danwalsh.livejournal.com/28027.html
>
> Thanks a lot Dan! I will see what I can do to resolve my CVS issues.
>
> Please read my posting in reply to Todd Denniston. I was asking myself why the all or nothing proposition, and about using selinux context with more flexibility than what we have? I understand that security prevails over flexibility but I was wondering if there was a way to gain more flexibility and yet still retain security?

Well I would argue they are very flexible. I did give you a couple of solutions but there are theoretically multiple others. And I am always willing to accept other solutions.

svn and git seem to be using http_sys_content_t for their context so I guess we could attempt to allow those domains access to cvs_data?

> For example, if multiple context / file was possible, then one could theoretically traverse from the top of the tree to allow passage to the leaf of the tree? Yes I can imagine it is a bit more complexity, but... if security is not compromised, then, perhaps it's worth it?

I guess maybe we should have had this conversation on the blog. There are many contexts that most confined services can traverse. For example usr_t, etc_t, var_t

I have added a comment to my blog.

> PS: For some reason or another, I am no longer receiving Fedora SeLinux mailing list postings. Is the Fedora SeLinux mailing list still active?

Yes. This list is still available. Last message is 4/28 from me. :^)

> Kind regards,
> Dan
Re: Setting up CVS repository and avoiding Selinux issues?
Daniel J Walsh wrote:
> On 04/29/2009 11:20 AM, Daniel B. Thurman wrote:
>> Daniel J Walsh wrote:
>>> On 04/28/2009 10:07 PM, Daniel B. Thurman wrote:
>>>> I am trying to get my CVS repository set up. Apparently, it appears that the repository must be in the root directory, otherwise I get selinux permission denials.
>>>>
>>>> What I tried to do initially was to locate the repository on an NTFS filesystem for which the context is fusefs which could not be changed, no matter what I tried. I got selinux permission errors.
>>>>
>>>> Giving that up, I moved the repository to an ext3 filesystem located on a separate drive/partition, mounted on /f-App1, where the repository is located @ /f-App1/Develop/cvs, and did:
>>>>
>>>> cd /f-App1/Develop/
>>>> chown -R cvs:cvs cvs
>>>> chcon -R -t cvs_data_t cvs
>>>> find cvs -type d -exec chmod 755 {} \;
>>>> find cvs -type f -exec chmod 754 {} \;
>>>> ln -s /f-App1/Develop/cvs /cvs
>>>>
>>>> and I got selinux complaining that the files are not /cvs rooted.
>>>>
>>>> So I did:
>>>>
>>>> cp -a /f-App1/Develop/cvs /cvs1
>>>> rm -f /cvs
>>>> ln -s /cvs1 /cvs
>>>>
>>>> And it worked.
>>>>
>>>> How can I place my repository in a non-rooted, non-standard repository location and avoid the selinux complaints?
>>>
>>> I blogged on your email http://danwalsh.livejournal.com/28027.html
>>
>> Thanks a lot Dan! I will see what I can do to resolve my CVS issues.
>>
>> Please read my posting in reply to Todd Denniston. I was asking myself why the all or nothing proposition, and about using selinux context with more flexibility than what we have? I understand that security prevails over flexibility but I was wondering if there was a way to gain more flexibility and yet still retain security?
>
> Well I would argue they are very flexible. I did give you a couple of solutions but there are theoretically multiple others. And I am always willing to accept other solutions.
>
> svn and git seem to be using http_sys_content_t for their context so I guess we could attempt to allow those domains access to cvs_data?
>
>> For example, if multiple context / file was possible, then one could theoretically traverse from the top of the tree to allow passage to the leaf of the tree? Yes I can imagine it is a bit more complexity, but... if security is not compromised, then, perhaps it's worth it?
>
> I guess maybe we should have had this conversation on the blog. There are many contexts that most confined services can traverse. For example usr_t, etc_t, var_t
>
> I have added a comment to my blog.
>
>> PS: For some reason or another, I am no longer receiving Fedora SeLinux mailing list postings. Is the Fedora SeLinux mailing list still active?
>
> Yes. This list is still available. Last message is 4/28 from me. :^)
>
>> Kind regards,
>> Dan

[Also posted to LiveJournal, but placed here for those who do not have access to or cannot read LJ.]

Hi Dan,

I have read your blog and it is quite informative. What I ended up doing is to:

1) chcon -t cvs_data_t /f-App1
2) chcon -t cvs_data_t /f-App1/Develop
3) chcon -t cvs_data_t /f-App1/Develop/SC
4) chcon -t cvs_data_t /f-App1/Develop/SC/cvs

If one uses cvs command: cvs login, it works, and no errors and selinux complaints.

However...

If one uses an Eclipse or Netbeans IDE, logging into cvs via their interfaces reports an error that the User's home directory is not of proper context: cvs_data_t. So adding in one more step:

5) chcon -t cvs_data_t $HOME/dant

Solves the problem.

Please note that once the Repository tree is resolved, adding a 6th step:

6) ln -s /f-App1/Develop/SC/cvs /cvs

And changing the cvs configuration such that the pathname is changed to: /cvs (instead of using the actual pathname of the repository) and restarting xinet and resetting the CVSROOT variable, now all works fine. No CVS nor Selinux errors, so far.

How about selinux context, what I was proposing was to add the capability to have multiple context.

For example, starting with /f-App1 directory, if I wanted to allow cvs and svn access, I would add this context as follows:

chcon -default -t default_t /f-App1
chcon -add -t cvs_data_t /f-App1
chcon -add -t svn_data_t /f-App1

So, you should be able to add/append/delete/remove/... commands to manipulate selinux context, unless there is something about how context on the physical drive that does not make this possible?
Re: Setting up CVS repository and avoiding Selinux issues?
On Tue, 2009-04-28 at 19:07 -0700, Daniel B. Thurman wrote:
> I am trying to get my CVS repository set up. Apparently, it appears that the repository must be in the root directory, otherwise I get selinux permission denials.
>
> What I tried to do initially was to locate the repository on an NTFS filesystem for which the context is fusefs which could not be changed, no matter what I tried. I got selinux permission errors.
>
> Giving that up, I moved the repository to an ext3 filesystem located on a separate drive/partition, mounted on /f-App1, where the repository is located @ /f-App1/Develop/cvs, and did:
>
> cd /f-App1/Develop/
> chown -R cvs:cvs cvs
> chcon -R -t cvs_data_t cvs
> find cvs -type d -exec chmod 755 {} \;
> find cvs -type f -exec chmod 754 {} \;
> ln -s /f-App1/Develop/cvs /cvs
>
> and I got selinux complaining that the files are not /cvs rooted.
>
> So I did:
>
> cp -a /f-App1/Develop/cvs /cvs1
> rm -f /cvs
> ln -s /cvs1 /cvs
>
> And it worked.
>
> How can I place my repository in a non-rooted, non-standard repository location and avoid the selinux complaints?

if it were me...

1 - I would never consider using NTFS filesystem for any versioning software system for a LOT of reasons

2 - I would probably use git or svn before cvs but hey, it's not me.

3 - I haven't the foggiest notion of what the contexts are for cvs but generally you look at the contexts that they have now that seem to be working, move the files wherever and I think the contexts will follow the files/folders and use commands like chcon and semanage...

chcon is temporary, probably a good starting point to test file/folder contexts

semanage is permanent, once you have it figured out. I used this...

semanage fcontext -a -t clamd_t /var/clamav(/.*)?

for clamav because they don't seem to want to fix that package ;-(

Craig
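The check this thread converges on, as an added example that is not part of any message above: walk every directory from / down to the repository, flag the components the cvs_t domain cannot traverse (the default_t directories the sealert report pointed at), and turn the fix into a persistent semanage fcontext rule instead of a bare chcon, as Craig suggests. The traversable-type list is taken from Dan Walsh's reply plus root_t for / (an assumption), and the label table is constructed to stand in for stat -c %C output.

```shell
# Added example (not from the thread): audit every directory from / down to a
# CVS repository for an SELinux type the cvs_t domain cannot traverse, then emit
# a persistent semanage fcontext + restorecon fix instead of one-off chcon calls.
# The label table is constructed to mirror the denial in the thread; on a live
# box label_of() falls back to stat(1).

# Types cvs_t can pass through: cvs_data_t plus the generic ones Dan Walsh names
# (usr_t, etc_t, var_t); treating root_t on "/" as fine is an added assumption.
TRAVERSABLE="root_t usr_t etc_t var_t cvs_data_t"

# Constructed `stat -c '%n %C'` output: only the repo got chcon -R, so the two
# directories above it still carry default_t, exactly what sealert reported.
SAMPLE_LABELS='/ system_u:object_r:root_t:s0
/f-App1 system_u:object_r:default_t:s0
/f-App1/Develop system_u:object_r:default_t:s0
/f-App1/Develop/cvs system_u:object_r:cvs_data_t:s0'

# /f-App1/Develop/cvs -> / /f-App1 /f-App1/Develop /f-App1/Develop/cvs
ancestors() {
    printf '/\n'
    rest=${1#/}; cur=""
    while [ -n "$rest" ]; do
        seg=${rest%%/*}; cur="$cur/$seg"; printf '%s\n' "$cur"
        case $rest in */*) rest=${rest#*/} ;; *) rest="" ;; esac
    done
}

# Full context of a directory, from the sample table or from stat(1).
label_of() {
    l=$(printf '%s\n' "$SAMPLE_LABELS" | awk -v d="$1" '$1 == d { print $2 }')
    if [ -n "$l" ]; then printf '%s\n' "$l"; else stat -c '%C' "$1"; fi
}

context_type() { printf '%s\n' "$1" | cut -d: -f3; }   # user:role:type:range

is_traversable() {
    for t in $TRAVERSABLE; do [ "$t" = "$1" ] && return 0; done
    return 1
}

# Print "dir type" for each component cvs_t would be denied on; no output means
# the path is clean. Checking the whole chain is the fix the thread converges on.
audit_path() {
    ancestors "$1" | while read -r d; do
        ty=$(context_type "$(label_of "$d")")
        if ! is_traversable "$ty"; then printf '%s %s\n' "$d" "$ty"; fi
    done
}

# One semanage+restorecon line per offending directory. Ancestors get an exact
# path rule and a non-recursive restorecon so nothing else under them is touched;
# the repository itself, if flagged, gets the recursive (/.*)? pattern.
fix_commands() {
    audit_path "$1" | while read -r d ty; do
        if [ "$d" = "$1" ]; then pat="$d(/.*)?" r=-Rv; else pat=$d r=-v; fi
        printf "semanage fcontext -a -t cvs_data_t '%s' && restorecon %s '%s'\n" "$pat" "$r" "$d"
    done
}
```

Calling `audit_path /f-App1/Develop/cvs` lists the two default_t directories, and `fix_commands /f-App1/Develop/cvs` prints the matching semanage/restorecon lines for review before anything is run.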