Old 02-14-2008, 01:23 AM
"Daniel B. Thurman"
 
Default CVS Servers

In one of the Fedora CVS server setup, it says that if the
administrator wants to use a simple pserver remote string
such as:

export CVSROOT=':pserver:<username>@<systemname>:/cvs'

Then one has to:

1) /etc/xinetd.d/cvs:
   server_args = -f --allow-root=/cvs pserver
2) ln -s /var/cvs /cvs

But the problem here is that SELinux has no context for
the symbolic link /cvs, therefore denies access.

I tried setting context for /cvs by:
1) chcon -t cvs_data_t

No dice. Does not work.

To see if I can cvs login bypassing Selinux, I tried:
1) setenforce 0
2) cvs login (successfully)
3) setenforce 1

So, what can I do to get SElinux to authorize the /cvs symbolic link access to /var/cvs?

Thanks-
Dan

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
Old 02-14-2008, 10:37 AM
Paul Howarth
 
Default CVS Servers

Daniel B. Thurman wrote:
> In one of the Fedora CVS server setup, it says that if the
> administrator wants to use a simple pserver remote string
> such as:
>
> export CVSROOT=':pserver:<username>@<systemname>:/cvs'
>
> Then one has to:
>
> 1) /etc/xinetd.d/cvs:
> server_args = -f --allow-root=/cvs pserver
> 2) ln -s /var/cvs /cvs
>
> But the problem here is that SELinux has no context for
> the symbolic link /cvs, therefore denies access.
>
> I tried setting context for /cvs by:
> 1) chcon -t cvs_data_t
>
> No dice. Does not work.
>
> To see if I can cvs login bypassing Selinux, I tried:
> 1) setenforce 0
> 2) cvs login (successfully)
> 3) setenforce 1
>
> So, what can I do to get SElinux to authorize the /cvs symbolic link
> access to /var/cvs?

Maybe try a bind mount instead of a symlink?

Paul.
 
Old 02-14-2008, 11:30 AM
Stephen Smalley
 
Default CVS Servers

On Wed, 2008-02-13 at 18:23 -0800, Daniel B. Thurman wrote:
> In one of the Fedora CVS server setup, it says that if the
> administrator wants to use a simple pserver remote string
> such as:
>
> export CVSROOT=':pserver:<username>@<systemname>:/cvs'
>
> Then one has to:
>
> 1) /etc/xinetd.d/cvs:
> server_args = -f --allow-root=/cvs pserver
> 2) ln -s /var/cvs /cvs
>
> But the problem here is that SELinux has no context for
> the symbolic link /cvs, therefore denies access.
>
> I tried setting context for /cvs by:
> 1) chcon -t cvs_data_t
>
> No dice. Does not work.
>
> To see if I can cvs login bypassing Selinux, I tried:
> 1) setenforce 0
> 2) cvs login (successfully)
> 3) setenforce 1
>
> So, what can I do to get SElinux to authorize the /cvs symbolic link
> access to /var/cvs?

What avc denial do you get (/sbin/ausearch -i -m AVC)?

--
Stephen Smalley
National Security Agency

 
Old 02-14-2008, 05:16 PM
"Daniel B. Thurman"
 
Default CVS Servers

On Wed, 2008-02-13 at 18:23 -0800, Daniel B. Thurman wrote:
> In one of the Fedora CVS server setup, it says that if the
> administrator wants to use a simple pserver remote string
> such as:
>
> export CVSROOT=':pserver:<username>@<systemname>:/cvs'
>
> Then one has to:
>
> 1) /etc/xinetd.d/cvs:
>    server_args = -f --allow-root=/cvs pserver
> 2) ln -s /var/cvs /cvs
>
> But the problem here is that SELinux has no context for
> the symbolic link /cvs, therefore denies access.
>
> I tried setting context for /cvs by:
> 1) chcon -t cvs_data_t
>
> No dice. Does not work.
>
> To see if I can cvs login bypassing Selinux, I tried:
> 1) setenforce 0
> 2) cvs login (successfully)
> 3) setenforce 1
>
> So, what can I do to get SElinux to authorize the /cvs symbolic link access to /var/cvs?
>
> Thanks-
> Dan

Apologies to all. It turns out that my email spam system was blocking me from
receiving email responses I was waiting for! Geez, I will have to add another
TODO to my list.

To Paul: Can you explain what you mean by: "maybe try a bind mount instead of a symlink?"

To Stephen: "/sbin/ausearch -i -m AVC"
type=SYSCALL msg=audit(02/13/2008 19:17:32.484:5097) : arch=i386 syscall=open success=no exit=-13(Permission denied) a0=8faf660 a1=8000 a2=1b6 a3=8fafa58 items=0 ppid=25427 pid=27015 auid=dant uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) comm=cvs exe=/usr/bin/cvs subj=system_u:system_r:cvs_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(02/13/2008 19:17:32.484:5097) : avc: denied { read } for pid=27015 comm=cvs name=cvs dev=sdb5 ino=49172 scontext=system_u:system_r:cvs_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file

Thanks for responding!
Dan
 
Old 02-14-2008, 05:56 PM
Stephen Smalley
 
Default CVS Servers

On Thu, 2008-02-14 at 10:16 -0800, Daniel B. Thurman wrote:
>
> On Wed, 2008-02-13 at 18:23 -0800, Daniel B. Thurman wrote:
> > In one of the Fedora CVS server setup, it says that if the
> > administrator wants to use a simple pserver remote string
> > such as:
> >
> > export CVSROOT=':pserver:<username>@<systemname>:/cvs'
> >
> > Then one has to:
> >
> > 1) /etc/xinetd.d/cvs:
> > server_args = -f --allow-root=/cvs pserver
> > 2) ln -s /var/cvs /cvs
> >
> > But the problem here is that SELinux has no context for
> > the symbolic link /cvs, therefore denies access.
> >
> > I tried setting context for /cvs by:
> > 1) chcon -t cvs_data_t
> >
> > No dice. Does not work.
> >
> > To see if I can cvs login bypassing Selinux, I tried:
> > 1) setenforce 0
> > 2) cvs login (successfully)
> > 3) setenforce 1
> >
> > So, what can I do to get SElinux to authorize the /cvs symbolic link
> > access to /var/cvs?
> >
> > Thanks-
> > Dan
>
> Apologies to all. It turns out that my email spam system was blocking
> me from
> receiving email responses I was waiting for! Geez, I will have to add
> another
> TODO to my list.
>
> To Paul: Can you explain what you mean by: "maybe try a bind mount
> instead of a symlink?"
>
> To Stephen: "/sbin/ausearch -i -m AVC"
> type=SYSCALL msg=audit(02/13/2008 19:17:32.484:5097) : arch=i386
> syscall=open success=no exit=-13(Permission denied) a0=8faf660 a1=8000
> a2=1b6 a3=8fafa58 items=0 ppid=25427 pid=27015 auid=dant uid=root
> gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root
> tty=(none) comm=cvs exe=/usr/bin/cvs
> subj=system_u:system_r:cvs_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(02/13/2008 19:17:32.484:5097) : avc: denied
> { read } for pid=27015 comm=cvs name=cvs dev=sdb5 ino=49172
> scontext=system_u:system_r:cvs_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:default_t:s0 tclass=lnk_file

semanage fcontext -a -t cvs_data_t "/cvs"
/sbin/restorecon -v /cvs

--
Stephen Smalley
National Security Agency

 
Old 02-14-2008, 06:13 PM
"Daniel B. Thurman"
 
Default CVS Servers

On Thu, 2008-02-14 at 10:16 -0800, Daniel B. Thurman wrote:
>
> On Wed, 2008-02-13 at 18:23 -0800, Daniel B. Thurman wrote:
> > In one of the Fedora CVS server setup, it says that if the
> > administrator wants to use a simple pserver remote string
> > such as:
> >
> > export CVSROOT=':pserver:<username>@<systemname>:/cvs'
> >
> > Then one has to:
> >
> > 1) /etc/xinetd.d/cvs:
> >    server_args = -f --allow-root=/cvs pserver
> > 2) ln -s /var/cvs /cvs
> >
> > But the problem here is that SELinux has no context for
> > the symbolic link /cvs, therefore denies access.
> >
> > I tried setting context for /cvs by:
> > 1) chcon -t cvs_data_t
> >
> > No dice. Does not work.
> >
> > To see if I can cvs login bypassing Selinux, I tried:
> > 1) setenforce 0
> > 2) cvs login (successfully)
> > 3) setenforce 1
> >
> > So, what can I do to get SElinux to authorize the /cvs symbolic link access to /var/cvs?
> >
> > Thanks-
> > Dan
>
> Apologies to all. It turns out that my email spam system was blocking me from
> receiving email responses I was waiting for! Geez, I will have to add another
> TODO to my list.
>
> To Paul: Can you explain what you mean by: "maybe try a bind mount instead of a symlink?"

I looked it up and understood a bind mount. Answer is nope!

Bind mount:
========
mount --bind /var/cvs /cvs

ls -ldZ /cvs:
=======
drwxr-xr-x cvs cvs system_u:object_r:cvs_t:s0 /cvs
So, the context is right, but still get a Permissions denied.

/sbin/ausearch -i -m AVC
================
type=SYSCALL msg=audit(02/14/2008 11:08:09.984:7732) : arch=i386 syscall=fchmodat success=no exit=-13(Permission denied) a0=ffffff9c a1=94848d8 a2=1fd a3=94848d8 items=0 ppid=23862 pid=20445 auid=dant uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts7 comm=chmod exe=/bin/chmod subj=system_u:system_r:unconfined_t:s0 key=(null)
type=AVC msg=audit(02/14/2008 11:08:09.984:7732) : avc: denied { setattr } for pid=20445 comm=chmod name=cvs dev=sdb5 ino=819450 scontext=system_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:cvs_t:s0 tclass=dir

> To Stephen: "/sbin/ausearch -i -m AVC"
> type=SYSCALL msg=audit(02/13/2008 19:17:32.484:5097) : arch=i386 syscall=open success=no exit=-13(Permission denied) a0=8faf660 a1=8000 a2=1b6 a3=8fafa58 items=0 ppid=25427 pid=27015 auid=dant uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) comm=cvs exe=/usr/bin/cvs subj=system_u:system_r:cvs_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(02/13/2008 19:17:32.484:5097) : avc: denied { read } for pid=27015 comm=cvs name=cvs dev=sdb5 ino=49172 scontext=system_u:system_r:cvs_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file
>
> Thanks for responding!
> Dan
 
Old 02-14-2008, 06:19 PM
"Daniel B. Thurman"
 
Default CVS Servers

On Thu, 2008-02-14 at 11:13 -0800, Daniel B. Thurman wrote:
>
> On Thu, 2008-02-14 at 10:16 -0800, Daniel B. Thurman wrote:
> >
> > On Wed, 2008-02-13 at 18:23 -0800, Daniel B. Thurman wrote:
> > > In one of the Fedora CVS server setup, it says that if the
> > > administrator wants to use a simple pserver remote string
> > > such as:
> > >
> > > export CVSROOT=':pserver:<username>@<systemname>:/cvs'
> > >
> > > Then one has to:
> > >
> > > 1) /etc/xinetd.d/cvs:
> > >    server_args = -f --allow-root=/cvs pserver
> > > 2) ln -s /var/cvs /cvs
> > >
> > > But the problem here is that SELinux has no context for
> > > the symbolic link /cvs, therefore denies access.
> > >
> > > I tried setting context for /cvs by:
> > > 1) chcon -t cvs_data_t
> > >
> > > No dice. Does not work.
> > >
> > > To see if I can cvs login bypassing Selinux, I tried:
> > > 1) setenforce 0
> > > 2) cvs login (successfully)
> > > 3) setenforce 1
> > >
> > > So, what can I do to get SElinux to authorize the /cvs symbolic link access to /var/cvs?
> > >
> > > Thanks-
> > > Dan
> >
> > Apologies to all. It turns out that my email spam system was blocking me from
> > receiving email responses I was waiting for! Geez, I will have to add another
> > TODO to my list.
> >
> > To Paul: Can you explain what you mean by: "maybe try a bind mount instead of a symlink?"
>
> I looked it up and understood a bind mount. Answer is nope!
>
> Bind mount:
> ========
> mount --bind /var/cvs /cvs
>
> ls -ldZ /cvs:
> =======
> drwxr-xr-x cvs cvs system_u:object_r:cvs_t:s0 /cvs
> So, the context is right, but still get a Permissions denied.
>
> /sbin/ausearch -i -m AVC
> ================
> type=SYSCALL msg=audit(02/14/2008 11:08:09.984:7732) : arch=i386 syscall=fchmodat success=no exit=-13(Permission denied) a0=ffffff9c a1=94848d8 a2=1fd a3=94848d8 items=0 ppid=23862 pid=20445 auid=dant uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts7 comm=chmod exe=/bin/chmod subj=system_u:system_r:unconfined_t:s0 key=(null)
> type=AVC msg=audit(02/14/2008 11:08:09.984:7732) : avc: denied { setattr } for pid=20445 comm=chmod name=cvs dev=sdb5 ino=819450 scontext=system_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:cvs_t:s0 tclass=dir

Oh rats! This error above was for something else! My mistake!!!!

I had to try logging in at the remote system but failed several times,
but after the 3rd try, I finally got in. Not sure why the login process
stumbled.

So, It DOES work!

> > To Stephen: "/sbin/ausearch -i -m AVC"
> > type=SYSCALL msg=audit(02/13/2008 19:17:32.484:5097) : arch=i386 syscall=open success=no exit=-13(Permission denied) a0=8faf660 a1=8000 a2=1b6 a3=8fafa58 items=0 ppid=25427 pid=27015 auid=dant uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) comm=cvs exe=/usr/bin/cvs subj=system_u:system_r:cvs_t:s0-s0:c0.c1023 key=(null)
> > type=AVC msg=audit(02/13/2008 19:17:32.484:5097) : avc: denied { read } for pid=27015 comm=cvs name=cvs dev=sdb5 ino=49172 scontext=system_u:system_r:cvs_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file
> >
> > Thanks for responding!
> > Dan
 
Old 02-14-2008, 06:25 PM
"Daniel B. Thurman"
 
Default CVS Servers

On Thu, 2008-02-14 at 11:19 -0800, Daniel B. Thurman wrote:
>
> On Thu, 2008-02-14 at 11:13 -0800, Daniel B. Thurman wrote:
> >
> > On Thu, 2008-02-14 at 10:16 -0800, Daniel B. Thurman wrote:
> > >
> > > On Wed, 2008-02-13 at 18:23 -0800, Daniel B. Thurman wrote:
> > > > In one of the Fedora CVS server setup, it says that if the
> > > > administrator wants to use a simple pserver remote string
> > > > such as:
> > > >
> > > > export CVSROOT=':pserver:<username>@<systemname>:/cvs'
> > > >
> > > > Then one has to:
> > > >
> > > > 1) /etc/xinetd.d/cvs:
> > > >    server_args = -f --allow-root=/cvs pserver
> > > > 2) ln -s /var/cvs /cvs
> > > >
> > > > But the problem here is that SELinux has no context for
> > > > the symbolic link /cvs, therefore denies access.
> > > >
> > > > I tried setting context for /cvs by:
> > > > 1) chcon -t cvs_data_t
> > > >
> > > > No dice. Does not work.
> > > >
> > > > To see if I can cvs login bypassing Selinux, I tried:
> > > > 1) setenforce 0
> > > > 2) cvs login (successfully)
> > > > 3) setenforce 1
> > > >
> > > > So, what can I do to get SElinux to authorize the /cvs symbolic link access to /var/cvs?
> > > >
> > > > Thanks-
> > > > Dan
> > >
> > > Apologies to all. It turns out that my email spam system was blocking me from
> > > receiving email responses I was waiting for! Geez, I will have to add another
> > > TODO to my list.
> > >
> > > To Paul: Can you explain what you mean by: "maybe try a bind mount instead of a symlink?"
> >
> > I looked it up and understood a bind mount. Answer is nope!
> >
> > Bind mount:
> > ========
> > mount --bind /var/cvs /cvs
> >
> > ls -ldZ /cvs:
> > =======
> > drwxr-xr-x cvs cvs system_u:object_r:cvs_t:s0 /cvs
> > So, the context is right, but still get a Permissions denied.
> >
> > /sbin/ausearch -i -m AVC
> > ================
> > type=SYSCALL msg=audit(02/14/2008 11:08:09.984:7732) : arch=i386 syscall=fchmodat success=no exit=-13(Permission denied) a0=ffffff9c a1=94848d8 a2=1fd a3=94848d8 items=0 ppid=23862 pid=20445 auid=dant uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts7 comm=chmod exe=/bin/chmod subj=system_u:system_r:unconfined_t:s0 key=(null)
> > type=AVC msg=audit(02/14/2008 11:08:09.984:7732) : avc: denied { setattr } for pid=20445 comm=chmod name=cvs dev=sdb5 ino=819450 scontext=system_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:cvs_t:s0 tclass=dir
>
> Oh rats! This error above was for something else! My mistake!!!!
>
> I had to try logging in at the remote system but failed several times,
> but after the 3rd try, I finally got in. Not sure why the login process
> stumbled.
>
> So, It DOES work!

But I am having a problem with getting Eclipse's SVN to open a single file:

The server reported an error while performing the "cvs status" command.
  HelloWorld: cvs status: failed to create lock directory for `/cvs/Eclipse/C/Examples/HelloWorld' (/cvs/Eclipse/C/Examples/HelloWorld/#cvs.lock): Permission denied
  HelloWorld: cvs status: failed to obtain dir lock in repository `/cvs/Eclipse/C/Examples/HelloWorld'
  HelloWorld: cvs [status aborted]: read lock failed - giving up

Not sure why it is not able to lock this file for checkout/examination. Any ideas?

> > > To Stephen: "/sbin/ausearch -i -m AVC"
> > > type=SYSCALL msg=audit(02/13/2008 19:17:32.484:5097) : arch=i386 syscall=open success=no exit=-13(Permission denied) a0=8faf660 a1=8000 a2=1b6 a3=8fafa58 items=0 ppid=25427 pid=27015 auid=dant uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) comm=cvs exe=/usr/bin/cvs subj=system_u:system_r:cvs_t:s0-s0:c0.c1023 key=(null)
> > > type=AVC msg=audit(02/13/2008 19:17:32.484:5097) : avc: denied { read } for pid=27015 comm=cvs name=cvs dev=sdb5 ino=49172 scontext=system_u:system_r:cvs_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file
> > >
> > > Thanks for responding!
> > > Dan
 
Old 02-14-2008, 06:47 PM
"Daniel B. Thurman"
 
Default CVS Servers

On Thu, 2008-02-14 at 11:25 -0800, Daniel B. Thurman wrote:
>
> On Thu, 2008-02-14 at 11:19 -0800, Daniel B. Thurman wrote:
> >
> > On Thu, 2008-02-14 at 11:13 -0800, Daniel B. Thurman wrote:
> > >
> > > On Thu, 2008-02-14 at 10:16 -0800, Daniel B. Thurman wrote:
> > > >
> > > > On Wed, 2008-02-13 at 18:23 -0800, Daniel B. Thurman wrote:
> > > > > In one of the Fedora CVS server setup, it says that if the
> > > > > administrator wants to use a simple pserver remote string
> > > > > such as:
> > > > >
> > > > > export CVSROOT=':pserver:<username>@<systemname>:/cvs'
> > > > >
> > > > > Then one has to:
> > > > >
> > > > > 1) /etc/xinetd.d/cvs:
> > > > >    server_args = -f --allow-root=/cvs pserver
> > > > > 2) ln -s /var/cvs /cvs
> > > > >
> > > > > But the problem here is that SELinux has no context for
> > > > > the symbolic link /cvs, therefore denies access.
> > > > >
> > > > > I tried setting context for /cvs by:
> > > > > 1) chcon -t cvs_data_t
> > > > >
> > > > > No dice. Does not work.
> > > > >
> > > > > To see if I can cvs login bypassing Selinux, I tried:
> > > > > 1) setenforce 0
> > > > > 2) cvs login (successfully)
> > > > > 3) setenforce 1
> > > > >
> > > > > So, what can I do to get SElinux to authorize the /cvs symbolic link access to /var/cvs?
> > > > >
> > > > > Thanks-
> > > > > Dan
> > > >
> > > > Apologies to all. It turns out that my email spam system was blocking me from
> > > > receiving email responses I was waiting for! Geez, I will have to add another
> > > > TODO to my list.
> > > >
> > > > To Paul: Can you explain what you mean by: "maybe try a bind mount instead of a symlink?"
> > >
> > > I looked it up and understood a bind mount. Answer is nope!
> > >
> > > Bind mount:
> > > ========

Ok, the issue is solved. What I did not know is, you need to make sure that when
you create an empty directory, you also need to make sure that the ownership
of that directory is: cvs:cvs before bind mounting. So:

1) mkdir /cvs
2) chown cvs:cvs /cvs

then

3) mount --bind /var/cvs /cvs

it all works now!

> > > mount --bind /var/cvs /cvs
> > >
> > > ls -ldZ /cvs:
> > > =======
> > > drwxr-xr-x cvs cvs system_u:object_r:cvs_t:s0 /cvs
> > > So, the context is right, but still get a Permissions denied.
> > >
> > > /sbin/ausearch -i -m AVC
> > > ================
> > > type=SYSCALL msg=audit(02/14/2008 11:08:09.984:7732) : arch=i386 syscall=fchmodat success=no exit=-13(Permission denied) a0=ffffff9c a1=94848d8 a2=1fd a3=94848d8 items=0 ppid=23862 pid=20445 auid=dant uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts7 comm=chmod exe=/bin/chmod subj=system_u:system_r:unconfined_t:s0 key=(null)
> > > type=AVC msg=audit(02/14/2008 11:08:09.984:7732) : avc: denied { setattr } for pid=20445 comm=chmod name=cvs dev=sdb5 ino=819450 scontext=system_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:cvs_t:s0 tclass=dir
> >
> > Oh rats! This error above was for something else! My mistake!!!!
> >
> > I had to try logging in at the remote system but failed several times,
> > but after the 3rd try, I finally got in. Not sure why the login process
> > stumbled.
> >
> > So, It DOES work!
>
> But I am having a problem with getting Eclipse's SVN to open a single file:
>
> The server reported an error while performing the "cvs status" command.
>   HelloWorld: cvs status: failed to create lock directory for `/cvs/Eclipse/C/Examples/HelloWorld' (/cvs/Eclipse/C/Examples/HelloWorld/#cvs.lock): Permission denied
>   HelloWorld: cvs status: failed to obtain dir lock in repository `/cvs/Eclipse/C/Examples/HelloWorld'
>   HelloWorld: cvs [status aborted]: read lock failed - giving up
>
> Not sure why it is not able to lock this file for checkout/examination. Any ideas?

See note above...

> > > > To Stephen: "/sbin/ausearch -i -m AVC"
> > > > type=SYSCALL msg=audit(02/13/2008 19:17:32.484:5097) : arch=i386 syscall=open success=no exit=-13(Permission denied) a0=8faf660 a1=8000 a2=1b6 a3=8fafa58 items=0 ppid=25427 pid=27015 auid=dant uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) comm=cvs exe=/usr/bin/cvs subj=system_u:system_r:cvs_t:s0-s0:c0.c1023 key=(null)
> > > > type=AVC msg=audit(02/13/2008 19:17:32.484:5097) : avc: denied { read } for pid=27015 comm=cvs name=cvs dev=sdb5 ino=49172 scontext=system_u:system_r:cvs_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file
> > > >
> > > > Thanks for responding!
> > > > Dan

But of course, what about the symlink method?
Is this now a moot issue and can be ignored?
 
Old 02-15-2008, 12:13 PM
Stephen Smalley
 
Default CVS Servers

On Thu, 2008-02-14 at 11:47 -0800, Daniel B. Thurman wrote:
>
> On Thu, 2008-02-14 at 11:25 -0800, Daniel B. Thurman wrote:
> >
> > On Thu, 2008-02-14 at 11:19 -0800, Daniel B. Thurman wrote:
> > >
> > > On Thu, 2008-02-14 at 11:13 -0800, Daniel B. Thurman wrote:
> > > >
> > > > On Thu, 2008-02-14 at 10:16 -0800, Daniel B. Thurman wrote:
> > > > >
> > > > > On Wed, 2008-02-13 at 18:23 -0800, Daniel B. Thurman wrote:
> > > > > > In one of the Fedora CVS server setup, it says that if the
> > > > > > administrator wants to use a simple pserver remote string
> > > > > > such as:
> > > > > >
> > > > > > export CVSROOT=':pserver:<username>@<systemname>:/cvs'
> > > > > >
> > > > > > Then one has to:
> > > > > >
> > > > > > 1) /etc/xinetd.d/cvs:
> > > > > > server_args = -f --allow-root=/cvs pserver
> > > > > > 2) ln -s /var/cvs /cvs
> > > > > >
> > > > > > But the problem here is that SELinux has no context for
> > > > > > the symbolic link /cvs, therefore denies access.
> > > > > >
> > > > > > I tried setting context for /cvs by:
> > > > > > 1) chcon -t cvs_data_t
> > > > > >
> > > > > > No dice. Does not work.
> > > > > >
> > > > > > To see if I can cvs login bypassing Selinux, I tried:
> > > > > > 1) setenforce 0
> > > > > > 2) cvs login (successfully)
> > > > > > 3) setenforce 1
> > > > > >
> > > > > > So, what can I do to get SElinux to authorize the /cvs
> > > > > > symbolic link access to /var/cvs?
> > > > > >
> > > > > > Thanks-
> > > > > > Dan
> > > > >
> > > > > Apologies to all. It turns out that my email spam system was
> > > > > blocking me from
> > > > > receiving email responses I was waiting for! Geez, I will
> > > > > have to add another
> > > > > TODO to my list.
> > > > >
> > > > > To Paul: Can you explain what you mean by: "maybe try a bind
> > > > > mount instead of a symlink?"
> > > >
> > > > I looked it up and understood a bind mount. Answer is nope!
> > > >
> > > > Bind mount:
> > > > ========
>
> Ok, the issue is solved. What I did not know is, you need to make
> sure that when
> you create an empty directory, you also need to make sure that the
> ownership
> of that directory is: cvs:cvs before bind mounting. So:
>
> 1) mkdir /cvs
> 2) chown cvs:cvs /cvs
>
> then
>
> 3) mount --bind /var/cvs /cvs
>
> it all works now!
>
> > > > mount --bind /var/cvs /cvs
> > > >
> > > > ls -ldZ /cvs:
> > > > =======
> > > > drwxr-xr-x cvs cvs system_u:object_r:cvs_t:s0 /cvs
> > > > So, the context is right, but still get a Permissions denied.
> > > >
> > > > /sbin/ausearch -i -m AVC
> > > > ================
> > > > type=SYSCALL msg=audit(02/14/2008 11:08:09.984:7732) : arch=i386
> > > > syscall=fchmodat success=no exit=-13(Permission denied)
> > > > a0=ffffff9c a1=94848d8 a2=1fd a3=94848d8 items=0 ppid=23862
> > > > pid=20445 auid=dant uid=root gid=root euid=root suid=root
> > > > fsuid=root egid=root sgid=root fsgid=root tty=pts7 comm=chmod
> > > > exe=/bin/chmod subj=system_u:system_r:unconfined_t:s0
> > > > key=(null)
> > > > type=AVC msg=audit(02/14/2008 11:08:09.984:7732) : avc: denied
> > > > { setattr } for pid=20445 comm=chmod name=cvs dev=sdb5
> > > > ino=819450 scontext=system_u:system_r:unconfined_t:s0
> > > > tcontext=system_u:object_r:cvs_t:s0 tclass=dir
> > >
> > > Oh rats! This error above was for something else! My mistake!!!!
> > >
> > > I had to try logging in at the remote system but failed several
> > > times,
> > > but after the 3rd try, I finally got in. Not sure why the login
> > > process
> > > stumbled.
> > >
> > > So, It DOES work!
> > >
> >
> > But I am having a problem with getting Eclipse's SVN to open a
> > single file:
> >
> > The server reported an error while performing the "cvs status"
> > command.
> > HelloWorld: cvs status: failed to create lock directory for
> > `/cvs/Eclipse/C/Examples/HelloWorld' (/cvs/Eclipse/C/Examples/HelloWorld/#cvs.lock): Permission denied
> > HelloWorld: cvs status: failed to obtain dir lock in repository
> > `/cvs/Eclipse/C/Examples/HelloWorld'
> > HelloWorld: cvs [status aborted]: read lock failed - giving up
> >
> > Not sure why it is not able to lock this file for
> > checkout/examination. Any ideas?
>
> See note above...
>
> > > > > To Stephen: "/sbin/ausearch -i -m AVC"
> > > > > type=SYSCALL msg=audit(02/13/2008 19:17:32.484:5097) :
> > > > > arch=i386 syscall=open success=no exit=-13(Permission denied)
> > > > > a0=8faf660 a1=8000 a2=1b6 a3=8fafa58 items=0 ppid=25427
> > > > > pid=27015 auid=dant uid=root gid=root euid=root suid=root
> > > > > fsuid=root egid=root sgid=root fsgid=root tty=(none) comm=cvs
> > > > > exe=/usr/bin/cvs subj=system_u:system_r:cvs_t:s0-s0:c0.c1023
> > > > > key=(null)
> > > > > type=AVC msg=audit(02/13/2008 19:17:32.484:5097) : avc:
> > > > > denied { read } for pid=27015 comm=cvs name=cvs dev=sdb5
> > > > > ino=49172 scontext=system_u:system_r:cvs_t:s0-s0:c0.c1023
> > > > > tcontext=system_u:object_r:default_t:s0 tclass=lnk_file
> > > > >
> > > > > Thanks for responding!
> > > > > Dan
>
> But of course, what about the symlink method?
> Is this now a moot issue and can be ignored?

Did you try what I suggested for it?

# semanage fcontext -a -t cvs_data_t /cvs
# /sbin/restorecon -v /cvs

--
Stephen Smalley
National Security Agency
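
Triage of the two denials quoted in this thread, as an added example (not code from any of the posters): it parses `ausearch -i -m AVC` output and keeps only the records whose source domain is the confined service, which separates the cvs_t denial on the /cvs link from the unrelated chmod one. The function names and the SAMPLE text are constructed for illustration.

```python
import re
from typing import List, NamedTuple, Optional

# Constructed sample: the two AVC records quoted in the thread, one per line,
# with the security contexts written out in full (user:role:type:level).
SAMPLE = """\
type=AVC msg=audit(02/13/2008 19:17:32.484:5097) : avc: denied { read } for pid=27015 comm=cvs name=cvs dev=sdb5 ino=49172 scontext=system_u:system_r:cvs_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file
type=AVC msg=audit(02/14/2008 11:08:09.984:7732) : avc: denied { setattr } for pid=20445 comm=chmod name=cvs dev=sdb5 ino=819450 scontext=system_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:cvs_t:s0 tclass=dir
"""


class Denial(NamedTuple):
    perms: tuple        # permissions inside the { ... } set
    comm: str           # command name of the denied process
    name: str           # last path component of the object
    ino: str            # inode number, useful to tell a link from its target
    source_type: str    # type field of scontext (the process domain)
    target_type: str    # type field of tcontext (the object label)
    tclass: str         # object class: lnk_file, dir, file, ...


_AVC = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx: str) -> str:
    """Return the type field of a user:role:type[:level] context."""
    parts = ctx.split(":", 3)   # the level may itself contain ':'
    if len(parts) < 3:
        raise ValueError(f"not a security context: {ctx!r}")
    return parts[2]


def parse_avc(line: str) -> Optional[Denial]:
    """Parse one AVC denial line; return None for any other record."""
    if "type=AVC" not in line:
        return None
    m = _AVC.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in _KV.findall(m.group(2))}
    try:
        return Denial(
            perms=tuple(m.group(1).split()),
            comm=fields.get("comm", "?"),
            name=fields.get("name", "?"),
            ino=fields.get("ino", "?"),
            source_type=context_type(fields["scontext"]),
            target_type=context_type(fields["tcontext"]),
            tclass=fields["tclass"],
        )
    except (KeyError, ValueError):
        return None     # truncated or malformed record


def denials_for_domain(text: str, domain: str) -> List[Denial]:
    """Keep only denials whose source (process) type equals `domain`."""
    found = []
    for line in text.splitlines():
        d = parse_avc(line)
        if d is not None and d.source_type == domain:
            found.append(d)
    return found


def describe(d: Denial) -> str:
    """One-line summary; flags denials that hit a symlink object."""
    msg = (f"{d.source_type} ({d.comm}) denied {{ {' '.join(d.perms)} }} "
           f"on {d.tclass} '{d.name}' (ino {d.ino}) labelled {d.target_type}")
    if d.tclass == "lnk_file":
        msg += " [the denied object is the symlink itself, not its target]"
    return msg


if __name__ == "__main__":
    for denial in denials_for_domain(SAMPLE, "cvs_t"):
        print(describe(denial))
```
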
