Re: Setting up CVS repository and avoiding Selinux issues?

2009-04-29 Thread Daniel J Walsh

On 04/28/2009 10:07 PM, Daniel B. Thurman wrote:



I am trying to get my CVS repository setup.  Apparently,
it appears that the repository must be in the root directory,
otherwise I get selinux permission denials.

What I tried to do initially was to locate the repository
on a NTFS filesystem for which the context is fusefs
which could not be changed, no matter what I tried.
I got selinux permission errors.

Giving that up, I moved the repository to a ext3 filesystem
located on a separate drive/partition, mounted on /f-App1,
where the repository is located @ /f-App1/Develop/cvs, and did:

cd /f-App1/Develop/
chown -R cvs:cvs cvs
chcon -R -t cvs_data_t cvs
find cvs -type d -exec chmod 755 {} \;
find cvs -type f -exec chmod 754 {} \;
ln -s /f-App1/Develop/cvs /cvs

and I got selinux complaining that the files are not /cvs rooted.

So I did:

cp -a /f-App1/Develop/cvs  /cvs1
rm -f /cvs
ln -s /cvs1 /cvs

And it worked.

How can I place my repository in a non-rooted, non-standard
repository location and avoid the selinux complaints?


I blogged on your email

http://danwalsh.livejournal.com/28027.html

--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines


Re: Setting up CVS repository and avoiding Selinux issues?

2009-04-29 Thread Todd Denniston

Daniel B. Thurman wrote, On 04/28/2009 10:07 PM:



I am trying to get my CVS repository setup.  Apparently,
it appears that the repository must be in the root directory,
otherwise I get selinux permission denials.

What I tried to do initially was to locate the repository
on a NTFS filesystem for which the context is fusefs
which could not be changed, no matter what I tried.
I got selinux permission errors.



Using a non-Unix file system on a Unix system for your CVS repo will likely
cause much hate and discontent while trying to manage permissions.



Giving that up, I moved the repository to a ext3 filesystem
located on a separate drive/partition, mounted on /f-App1,
where the repository is located @ /f-App1/Develop/cvs, and did:

cd /f-App1/Develop/
chown -R cvs:cvs cvs
chcon -R -t cvs_data_t cvs
find cvs -type d -exec chmod 755 {} \;
find cvs -type f -exec chmod 754 {} \;
ln -s /f-App1/Develop/cvs /cvs



Are you looking to use :pserver: here?  Have you considered ssh?


and I got selinux complaining that the files are not /cvs rooted.



Can you give the ACTUAL error(s) from selinux & CVS?


So I did:

cp -a /f-App1/Develop/cvs  /cvs1
rm -f /cvs
ln -s /cvs1 /cvs

And it worked.

How can I place my repository in a non-rooted, non-standard
repository location and avoid the selinux complaints?



I am interested, because I maintain CVS repos on older systems that will 
probably migrate when RHEL 6 comes out, but Dan Walsh's blog site is not 
accessible.


--
Todd Denniston
Crane Division, Naval Surface Warfare Center (NSWC Crane)
Harnessing the Power of Technology for the Warfighter


Re: Setting up CVS repository and avoiding Selinux issues?

2009-04-29 Thread Daniel B. Thurman

Todd Denniston wrote:

Daniel B. Thurman wrote, On 04/28/2009 10:07 PM:

I am trying to get my CVS repository setup.  Apparently,
it appears that the repository must be in the root directory,
otherwise I get selinux permission denials.

What I tried to do initially was to locate the repository
on a NTFS filesystem for which the context is fusefs
which could not be changed, no matter what I tried.
I got selinux permission errors.

Using a non-Unix file system on a Unix system for your CVS repo will
likely cause much hate and discontent while trying to manage permissions.

Why?  Dan Walsh says it's possible.  My goal was simply to be able
to serve CVS repositories if I decided to reboot under a different
OS (Win2K, XP, or Vista w/ cvsnt server) where my common
repository resides.  That is why I use both ext3 & NTFS, serving
the common denominator.  It works for me for many applications,
just that I haven't solved the CVS issue yet.

Giving that up, I moved the repository to a ext3 filesystem
located on a separate drive/partition, mounted on /f-App1,
where the repository is located @ /f-App1/Develop/cvs, and did:

cd /f-App1/Develop/
chown -R cvs:cvs cvs
chcon -R -t cvs_data_t cvs
find cvs -type d -exec chmod 755 {} \;
find cvs -type f -exec chmod 754 {} \;
ln -s /f-App1/Develop/cvs /cvs

Are you looking to use :pserver: here?  Have you considered ssh?

I am using :pserver:.  Just have not yet figured out how to use ssh and
make this work for all of the above mentioned OSes, and so pserver
seems to work with all of the above OSes.

and I got selinux complaining that the files are not /cvs rooted.

Can you give the ACTUAL error(s) from selinux & CVS?

I have the errors from selinux, but was not sure where
to find the errors from cvs, as I have no clue where the
logs are kept.  I looked in /var/log directory and did not
find any cvs logs, so if you know, please let me know?

I have added Dan's blog to the end of this message, so that
you can read what he said.  It is interesting to note in
DW's blog is that selinux context labels (at least in the
CVS case), may be an all or nothing proposition.  What
if I also wish to have SVN right next to CVS, what are
my options?  cvs_data_t OR svn_data_t?  So does that
mean I cannot have both CVS and SVN in a common
directory?  Ugh.  I'll live. ;)

I wonder if it is possible to have multiple contexts for
a file such as cvs_data_t | svn_data_t which in this
case is an OR operation, uh, I am digressing, but still,
it seems perhaps we need more selinux flexibility?

Anyway, the following is a direct CVS login error, when the
selinux contexts are not fully root-treed with cvs_data_t,
according to DW:

# cvs login
Logging in to :pserver:d...@gold:2401/cvs
CVS password:
cvs [login aborted]: unrecognized auth response from gold: cvs pserver: 
cannot open /cvs/CVSROOT/config: Permission denied






It seems, from what I read on DW's blog, that selinux is an
all or nothing proposition unless special steps are taken
to root mount the middle tree of the tree repository
directory as in the case to make the repository seen as rooted
even though it actually resides somewhere in the depths of the?

=
Summary:

SELinux is preventing access to files with the default label, default_t.

Detailed Description:

SELinux permission checks on files labeled default_t are being denied. These
files/directories have the default label on them. This can indicate a labeling
problem, especially if the files being referred to are not top level
directories. Any files/directories under standard system directories, /usr,
/var. /dev, /tmp, ..., should not be labeled with the default label. The default
label is for files/directories which do not have a label on a parent directory.

So if you create a new directory in / you might legitimately get this label.

Allowing Access:

If you want a confined domain to use these files you will probably need to
relabel the file/directory with chcon. In some cases it is just easier to
relabel the system, to relabel execute: touch /.autorelabel; reboot

Additional Information:

Source Context        unconfined_u:system_r:cvs_t:s0-s0:c0.c1023
Target Context        system_u:object_r:default_t:s0
Target Objects        / [ dir ]
Source                cvs
Source Path           /usr/bin/cvs
Port                  Unknown
Host                  gold.cdkkt.com
Source RPM Packages   cvs-1.11.22-14.fc9
Target RPM Packages   filesystem-2.4.13-1.fc9
Policy RPM            selinux-policy-3.3.1-131.fc9
Selinux Enabled       True
Policy Type           targeted
MLS Enabled           True
Enforcing Mode        Enforcing
Plugin Name           default
Host Name             gold.cdkkt.com
Platform              Linux

Re: Setting up CVS repository and avoiding Selinux issues?

2009-04-29 Thread Daniel B. Thurman

Daniel J Walsh wrote:

On 04/28/2009 10:07 PM, Daniel B. Thurman wrote:



I am trying to get my CVS repository setup.  Apparently,
it appears that the repository must be in the root directory,
otherwise I get selinux permission denials.

What I tried to do initially was to locate the repository
on a NTFS filesystem for which the context is fusefs
which could not be changed, no matter what I tried.
I got selinux permission errors.

Giving that up, I moved the repository to a ext3 filesystem
located on a separate drive/partition, mounted on /f-App1,
where the repository is located @ /f-App1/Develop/cvs, and did:

cd /f-App1/Develop/
chown -R cvs:cvs cvs
chcon -R -t cvs_data_t cvs
find cvs -type d -exec chmod 755 {} \;
find cvs -type f -exec chmod 754 {} \;
ln -s /f-App1/Develop/cvs /cvs

and I got selinux complaining that the files are not /cvs rooted.

So I did:

cp -a /f-App1/Develop/cvs  /cvs1
rm -f /cvs
ln -s /cvs1 /cvs

And it worked.

How can I place my repository in a non-rooted, non-standard
repository location and avoid the selinux complaints?


I blogged on your email

http://danwalsh.livejournal.com/28027.html


Thanks a lot Dan!  I will see what I can do to resolve
my CVS issues.  Please read my posting in reply to Todd
Denniston.  I was asking myself why the all or nothing
proposition, and about using selinux context with more
flexibility than what we have?  I understand that security
prevails over flexibility but I was wondering if there was
a way to gain more flexibility and yet still retain security?

For example, if multiple context / file was possible, then
one could theoretically traverse from the top of the tree
to allow passage to the leaf of the tree?  Yes I can imagine
it is a bit more complexity, but... if security is not compromised,
then, perhaps it's worth it?

PS: For some reason or another, I am no longer receiving
Fedora SeLinux mailing list postings.  Is the Fedora SeLinux
mailing list still active?

Kind regards,
Dan


Re: Setting up CVS repository and avoiding Selinux issues?

2009-04-29 Thread Daniel J Walsh

On 04/29/2009 11:20 AM, Daniel B. Thurman wrote:

Daniel J Walsh wrote:

On 04/28/2009 10:07 PM, Daniel B. Thurman wrote:



I am trying to get my CVS repository setup. Apparently,
it appears that the repository must be in the root directory,
otherwise I get selinux permission denials.

What I tried to do initially was to locate the repository
on a NTFS filesystem for which the context is fusefs
which could not be changed, no matter what I tried.
I got selinux permission errors.

Giving that up, I moved the repository to a ext3 filesystem
located on a separate drive/partition, mounted on /f-App1,
where the repository is located @ /f-App1/Develop/cvs, and did:

cd /f-App1/Develop/
chown -R cvs:cvs cvs
chcon -R -t cvs_data_t cvs
find cvs -type d -exec chmod 755 {} \;
find cvs -type f -exec chmod 754 {} \;
ln -s /f-App1/Develop/cvs /cvs

and I got selinux complaining that the files are not /cvs rooted.

So I did:

cp -a /f-App1/Develop/cvs /cvs1
rm -f /cvs
ln -s /cvs1 /cvs

And it worked.

How can I place my repository in a non-rooted, non-standard
repository location and avoid the selinux complaints?


I blogged on your email

http://danwalsh.livejournal.com/28027.html


Thanks a lot Dan! I will see what I can do to resolve
my CVS issues. Please read my posting in reply to Todd
Denniston. I was asking myself why the all or nothing
proposition, and about using selinux context with more
flexibility than what we have? I understand that security
prevails over flexibility but I was wondering if there was
a way to gain more flexibility and yet still retain security?

Well I would argue they are very flexible.  I did give you a couple of 
solutions but there are theoretically multiple others.


And I am always willing to accept other solutions.

svn and git seem to be using http_sys_content_t for their context so I 
guess we could attempt to allow those domains access to cvs_data?

For example, if multiple context / file was possible, then
one could theoretically traverse from the top of the tree
to allow passage to the leaf of the tree? Yes I can imagine
it is a bit more complexity, but... if security is not compromised,
then, perhaps it's worth it?

I guess maybe we should have had this conversation on the blog.  There
are many contexts that most confined services can traverse.  For example
usr_t, etc_t, var_t.


I have added a comment to my blog.

PS: For some reason or another, I am no longer receiving
Fedora SeLinux mailing list postings. Is the Fedora SeLinux
mailing list still active?


Yes.  This list is still available.

Last message is 4/28 from me.  :^)


Kind regards,
Dan




Re: Setting up CVS repository and avoiding Selinux issues?

2009-04-29 Thread Daniel B. Thurman

Daniel J Walsh wrote:

On 04/29/2009 11:20 AM, Daniel B. Thurman wrote:

Daniel J Walsh wrote:

On 04/28/2009 10:07 PM, Daniel B. Thurman wrote:



I am trying to get my CVS repository setup. Apparently,
it appears that the repository must be in the root directory,
otherwise I get selinux permission denials.

What I tried to do initially was to locate the repository
on a NTFS filesystem for which the context is fusefs
which could not be changed, no matter what I tried.
I got selinux permission errors.

Giving that up, I moved the repository to a ext3 filesystem
located on a separate drive/partition, mounted on /f-App1,
where the repository is located @ /f-App1/Develop/cvs, and did:

cd /f-App1/Develop/
chown -R cvs:cvs cvs
chcon -R -t cvs_data_t cvs
find cvs -type d -exec chmod 755 {} \;
find cvs -type f -exec chmod 754 {} \;
ln -s /f-App1/Develop/cvs /cvs

and I got selinux complaining that the files are not /cvs rooted.

So I did:

cp -a /f-App1/Develop/cvs /cvs1
rm -f /cvs
ln -s /cvs1 /cvs

And it worked.

How can I place my repository in a non-rooted, non-standard
repository location and avoid the selinux complaints?


I blogged on your email

http://danwalsh.livejournal.com/28027.html


Thanks a lot Dan! I will see what I can do to resolve
my CVS issues. Please read my posting in reply to Todd
Denniston. I was asking myself why the all or nothing
proposition, and about using selinux context with more
flexibility than what we have? I understand that security
prevails over flexibility but I was wondering if there was
a way to gain more flexibility and yet still retain security?

Well I would argue they are very flexible.  I did give you a couple of 
solutions but there are theoretically multiple others.


And I am always willing to accept other solutions.

svn and git seem to be using http_sys_content_t for their context so I 
guess we could attempt to allow those domains access to cvs_data?

For example, if multiple context / file was possible, then
one could theoretically traverse from the top of the tree
to allow passage to the leaf of the tree? Yes I can imagine
it is a bit more complexity, but... if security is not compromised,
then, perhaps it's worth it?

I guess maybe we should have had this conversation on the blog.  There
are many contexts that most confined services can traverse.  For
example usr_t, etc_t, var_t.


I have added a comment to my blog.

PS: For some reason or another, I am no longer receiving
Fedora SeLinux mailing list postings. Is the Fedora SeLinux
mailing list still active?


Yes.  This list is still available.

Last message is 4/28 from me.  :^)


Kind regards,
Dan




[Also posted to LiveJournal, but placed here for those
who do not have access to or cannot read LJ. ]

Hi Dan,

I have read your blog and it is quite informative.  What I ended
up doing is to:

1) chcon -t cvs_data_t /f-App1
2) chcon -t cvs_data_t /f-App1/Develop
3) chcon -t cvs_data_t /f-App1/Develop/SC
4) chcon -t cvs_data_t /f-App1/Develop/SC/cvs

If one uses cvs command: cvs login, it works,
and no errors and selinux complaints.  However...

If one uses an Eclipse or Netbeans IDE, logging
into cvs via their interfaces reports an error
that the User's home directory is not of proper
context: cvs_data_t.  So adding in one more step:

5) chcon -t cvs_data_t $HOME/dant

Solves the problem.

Please note that once the Repository tree is resolved,
adding a 6th step:

6) ln -s /f-App1/Develop/SC/cvs /cvs

And changing the cvs configuration such that
the pathname is changed to: /cvs (instead of
using the actual pathname of the repository)
and restarting xinet and resetting the CVSROOT
variable, now all works fine.  No CVS nor Selinux
errors, so far.

How about selinux context, what I was proposing
was to add the capability to have multiple context.
For example, starting with /f-App1 directory, if
I wanted to allow cvs and svn access, I would add
this context as follows:

chcon -default -t default_t   /f-App1
chcon -add -t cvs_data_t  /f-App1
chcon -add -t svn_data_t  /f-App1

So, you should be able to add/append/delete/remove/...
commands to manipulate selinux context, unless there
is something about how context on the physical drive
that does not make this possible?


Re: Setting up CVS repository and avoiding Selinux issues?

2009-04-28 Thread Craig White
On Tue, 2009-04-28 at 19:07 -0700, Daniel B. Thurman wrote:
 
 I am trying to get my CVS repository setup.  Apparently,
 it appears that the repository must be in the root directory,
 otherwise I get selinux permission denials.
 
 What I tried to do initially was to locate the repository
 on a NTFS filesystem for which the context is fusefs
 which could not be changed, no matter what I tried.
 I got selinux permission errors.
 
 Giving that up, I moved the repository to a ext3 filesystem
 located on a separate drive/partition, mounted on /f-App1,
 where the repository is located @ /f-App1/Develop/cvs, and did:
 
 cd /f-App1/Develop/
 chown -R cvs:cvs cvs
 chcon -R -t cvs_data_t cvs
 find cvs -type d -exec chmod 755 {} \;
 find cvs -type f -exec chmod 754 {} \;
 ln -s /f-App1/Develop/cvs /cvs
 
 and I got selinux complaining that the files are not /cvs rooted.
 
 So I did:
 
 cp -a /f-App1/Develop/cvs  /cvs1
 rm -f /cvs
 ln -s /cvs1 /cvs
 
 And it worked.
 
 How can I place my repository in a non-rooted, non-standard
 repository location and avoid the selinux complaints?

if it were me...

1 - I would never consider using NTFS filesystem for any versioning
software system for a LOT of reasons

2 - I would probably use git or svn before cvs but hey, it's not me.

3 - I haven't the foggiest notion of what the contexts are for cvs but
generally you look at the contexts that they have now that seem to be
working, move the files wherever and I think the contexts will follow
the files/folders and use commands like chcon and semanage...

chcon is temporary, probably a good starting point to test file/folder
contexts

semanage is permanent, once you have it figured out.

I used this...

semanage fcontext -a -t clamd_t "/var/clamav(/.*)?"

for clamav because they don't seem to want to fix that package ;-(

Craig
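
Daniel Thurman's steps above relabel each directory from /f-App1 down to the repository with chcon, and Craig notes that chcon is temporary while semanage fcontext rules persist. The script below is an added example, not code from either poster: it emits the persistent equivalent of those steps for the thread's repository path. The function names, the optional traversal-only type for the parent directories and the usage line are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: the per-directory chcon steps
# from the message above, expressed as persistent semanage fcontext rules
# (chcon is lost on a relabel; fcontext rules are replayed by restorecon).
# Paths and the cvs_data_t type come from the thread; the function names
# and the optional traversal-only type for the parents are this example's.

# ancestor_dirs REPO: print REPO and every directory above it, top down,
# space separated (assumes no whitespace in the path), e.g.
#   /f-App1 /f-App1/Develop /f-App1/Develop/SC /f-App1/Develop/SC/cvs
# These are the directories the confined cvs_t domain must be allowed to
# search; a new directory created in / gets default_t, which it cannot.
ancestor_dirs() {
    oldifs=$IFS; IFS=/
    set -- $1                        # split REPO on '/' into this function's $@
    IFS=$oldifs
    path=''; out=''
    for part in "$@"; do
        [ -n "$part" ] || continue   # skip the empty field before the leading /
        path="$path/$part"
        out="${out:+$out }$path"
    done
    printf '%s\n' "$out"
}

# label_plan REPO [DIR_TYPE]: print the commands that make the labeling
# persistent. The repository tree gets cvs_data_t through a regex rule;
# each ancestor gets DIR_TYPE through an exact-path rule, so siblings under
# /f-App1 keep their own labels. The thread used cvs_data_t for the
# ancestors too (the default here); cvs_t only needs search on them, so a
# type most confined domains may traverse, such as usr_t, is the narrower
# choice and does not hand cvs_t write access to /f-App1 itself.
label_plan() {
    repo=${1%/}; dir_type=${2:-cvs_data_t}
    for d in $(ancestor_dirs "$repo"); do
        if [ "$d" = "$repo" ]; then
            printf 'semanage fcontext -a -t cvs_data_t "%s(/.*)?"\n' "$d"
            printf 'restorecon -Rv "%s"\n' "$d"
        else
            printf 'semanage fcontext -a -t %s "%s"\n' "$dir_type" "$d"
            printf 'restorecon -v "%s"\n' "$d"   # this directory inode only
        fi
    done
    # Read the labels back so the result can be checked before CVSROOT
    # (and the /cvs symlink from the thread) is pointed at the repository.
    printf 'ls -dZ %s\n' "$(ancestor_dirs "$repo")"
}

# Usage: sh label_cvs.sh REPO [DIR_TYPE]  prints the plan; pipe it into
# "sh -e" as root on a host with policycoreutils (semanage) to apply it.
if [ "$#" -gt 0 ]; then label_plan "$@"; fi
```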

