Re: Setting up CVS repository and avoiding Selinux issues?

Daniel J Walsh wrote:
On 04/29/2009 11:20 AM, Daniel B. Thurman wrote:
Daniel J Walsh wrote:
On 04/28/2009 10:07 PM, Daniel B. Thurman wrote:


I am trying to get my CVS repository setup. Apparently,
it appears that the repository must be in the root directory,
otherwise I get selinux permission denials.

What I tried to do initially was to locate the repository
on a NTFS filesystem for which the context is fusefs
which could not be changed, no matter what I tried.
I got selinux permission errors.

Giving that up, I moved the repository to a ext3 filesystem
located on a separate drive/partition, mounted on /f-App1,
where the repository is located @ /f-App1/Develop/cvs, and did:

cd /f-App1/Develop/
chown -R cvs:cvs cvs
chcon -R -t cvs_data_t cvs
find cvs -type d -exec chmod 755 {} \;
find cvs -type t -exec chmod 754 {} \;
ln -s /f-App1/Develop/cvs /cvs

and I got selinux complaining that the files are not /cvs rooted.

So I did:

cp -a /f-App1/Develop/cvs /cvs1
rm -f /cvs
ln -s /cvs1 /cvs

And it worked.

How can I place my repository in a non-rooted, non-standard
repository location and avoid the selinux complaints?

I blogged on your email

http://danwalsh.livejournal.com/28027.html

Thanks a lot Dan! I will see what I can do to resolve
my CVS issues. Please read my posting in reply to Todd
Dennison. I was asking myself why the "all or nothing
proposition", and about using selinux context with more
flexibility than what we have? I understand that security
prevails over flexibility but I was wondering if there was
a way to gain more flexibility and yet still retain security?

Well I would argue they are very flexible. I did give you a couple of solutions but there are theoretically multiple others.

And I am always willing to accept other solutions.

svn and git seem to be using http_sys_content_t for their context so I guess we could attempt to allow those domains access to cvs_data?
For example, if multiple context / file was possible, then
one could theoretically traverse from the top of the tree
to allow passage to the leaf of the tree? Yes I can imagine
it is a bit more complexity, but... if security is not compromised,
then, perhaps it's worth it?

I guess maybe we should have had this conversation on the blog. There are many context that most confined services can traverse. For example usr_t, etc_t, var_t

I have added a comment to my blog.
PS: For some reason or another, I am no longer receiving
Fedora SeLinux mailing list postings. Is the Fedora SeLinux
mailing list still active?

Yes. This list is still available.

Last message is 4/28 fron me. :^)

Kind regards,
Dan


[Also posted to LiveJournal, but placed here for those
who do not have access to or cannot read LJ. ]

Hi Dan,

I have read your blog and it is quite informative. What I ended
up doing is is to:

1) chcon -t cvs_data_t /f-App1
2) chcon -t cvs_data_t /f-App1/Develop
3) chcon -t cvs_data_t /f-App1/Develop/SC
4) chcon -t cvs_data_t /f-App1/Develop/SC/cvs

If one uses cvs command: cvs login, it works,
and no errors and selinux complaints. However...

If one uses an Eclipse or Netbeans IDE, logging
into cvs via their interfaces reports an error
that the User's home directory is not of proper
context: cvs_data_t. So adding in one more step:

5) chcon -t cvs_data_t $HOME/dant

Solves the problem.

Please note that once the Repository "tree" is resolved,
adding a 6th step:

6) ln -s /f-App1/Develop/SC/cvs /cvs

And changing the cvs configuration such that
the pathname is chamged to: /cvs (instead of
using the actual pathname of the repository)
and restarting xinet and resetting the CVSROOT
variable, now all works fine. No CVS nor Selinux
errors, so far.

How about selinux context, what I was proposing
was to add the capability to have multiple context.
For example, starting with /f-App1 directory, if
I wanted to allow cvs and svn access, I would add
this context as follows:

chcon -default -t default_t /f-App1
chcon -add -t cvs_data_t /f-App1
chcon -add -t svn_data_t /f-App1

So, you should be able to add/append/delete/remove/...
commands to manipulate selinux context, unless there
is something about how context on the physical drive
that does not make this possible?

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines

Relevant Pages

  • Re: Setting up CVS repository and avoiding Selinux issues?
    ... What I tried to do initially was to locate the repository ... I got selinux permission errors. ... using a non Unix file system on a Unix system for your CVS repo will likely cause much hate and discontent while trying to manage permissions. ... One last point, Daniel states that he tried to start put the CVS data repository on an NTFS mount point, but SELinux does not allow the cvs daemon access to the fusefs file system. ...
    (Fedora)
  • Re: Setting up CVS repository and avoiding Selinux issues?
    ... I am trying to get my CVS repository setup. ... I got selinux permission errors. ... prevails over flexibility but I was wondering if there was ...
    (Fedora)
  • Re: Setting up CVS repository and avoiding Selinux issues?
    ... I am trying to get my CVS repository setup. ... I got selinux permission errors. ... Fedora SeLinux mailing list postings. ...
    (Fedora)
  • RE: [F8] SELinux, Apache and Subversion problem.
    ... Instead of putting the repository in the recommended place: ... I have tested to see if SELinux is blocking access by setting ... Does anyone know how to do it - beside recommending that I ... place the svn repository directly into /var/www/svn? ...
    (Fedora)
  • Re: cvs question
    ... I did a cvsup on www & ... you can use anon cvs and something like: ... % setenv CVSROOT:pserver:freebsdanoncvs@anoncvs.FreeBSD.org:/home/ncvs ... CVSROOT is where the repository resides. ...
    (freebsd-questions)