<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 TRANSITIONAL//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=UTF-8">
<META NAME="GENERATOR" CONTENT="GtkHTML/3.16.3">
</HEAD>
<BODY>
<BR>
On Thu, 2008-02-14 at 11:25 -0800, Daniel B. Thurman wrote:<BR>
<BLOCKQUOTE TYPE=CITE>
<BR>
<FONT COLOR="#000000">On Thu, 2008-02-14 at 11:19 -0800, Daniel B. Thurman wrote:</FONT><BR>
<BLOCKQUOTE TYPE=CITE>
<BR>
<FONT COLOR="#000000">On Thu, 2008-02-14 at 11:13 -0800, Daniel B. Thurman wrote:</FONT><BR>
<BLOCKQUOTE TYPE=CITE>
<BR>
<FONT COLOR="#000000">On Thu, 2008-02-14 at 10:16 -0800, Daniel B. Thurman wrote:</FONT><BR>
<BLOCKQUOTE TYPE=CITE>
<BR>
<FONT COLOR="#000000">On Wed, 2008-02-13 at 18:23 -0800, Daniel B. Thurman wrote:</FONT><BR>
<BLOCKQUOTE TYPE=CITE>
<FONT COLOR="#000000">In one of the Fedora CVS server setup, it says that if the</FONT><BR>
<FONT COLOR="#000000">administrator wants to use a simple pserver remote string</FONT><BR>
<FONT COLOR="#000000">such as:</FONT><BR>
<BR>
<FONT COLOR="#000000">export CVSROOT=':pserver:<A HREF="mailto:dant@gold"><</A><A HREF="mailto:username@gold">username</A><A HREF="mailto:dant@gold">></A><A HREF="mailto:username@gold">@<systemname></A>:/cvs'</FONT><BR>
<BR>
<FONT COLOR="#000000">Then one has to:</FONT><BR>
<BR>
<FONT COLOR="#000000">1) /etc/xinetd.d/cvs:</FONT><BR>
<FONT COLOR="#000000"> server_args = -f --allow-root=/cvs pserver</FONT><BR>
<FONT COLOR="#000000">2) ln -s /var/cvs /cvs</FONT><BR>
<BR>
<FONT COLOR="#000000">But the problem here is that SELinux has no context for</FONT><BR>
<FONT COLOR="#000000">the symbolic link /cvs, therefore deny's access.</FONT><BR>
<BR>
<FONT COLOR="#000000">I tried setting context for /cvs by:</FONT><BR>
<FONT COLOR="#000000">1) chcon -t cvs_data_t</FONT><BR>
<BR>
<FONT COLOR="#000000">No dice. Does not work.</FONT><BR>
<BR>
<FONT COLOR="#000000">To see if I can cvs login bypassing Selinux, I tried:</FONT><BR>
<FONT COLOR="#000000">1) setenforce 0</FONT><BR>
<FONT COLOR="#000000">2) cvs login (successfully)</FONT><BR>
<FONT COLOR="#000000">3) setenforce 1</FONT><BR>
<BR>
<FONT COLOR="#000000">So, what can I do to get SElinux to authorize the /cvs symbolic link access to /var/cvs?</FONT><BR>
<BR>
<FONT COLOR="#000000">Thanks-</FONT><BR>
<FONT COLOR="#000000">Dan </FONT><BR>
</BLOCKQUOTE>
<BR>
<FONT COLOR="#000000">Apologies to all. It turns out that my email spam system was blocking me from</FONT><BR>
<FONT COLOR="#000000">receiving email responses I was waiting for! Geez, I will have to add another</FONT><BR>
<FONT COLOR="#000000">TODO to my list.</FONT><BR>
<BR>
<FONT COLOR="#000000">To Paul: Can you explain what you mean by: "maybe try a bind mount instead of a symlink?"</FONT><BR>
</BLOCKQUOTE>
<BR>
<FONT COLOR="#000000">I looked it up and understood a bind mount. Answer is nope!</FONT><BR>
<BR>
<FONT COLOR="#000000">Bind mount:</FONT><BR>
<FONT COLOR="#000000">========</FONT><BR>
</BLOCKQUOTE>
</BLOCKQUOTE>
</BLOCKQUOTE>
<BR>
Ok, the issue is solved. What I did not know is, you need to make sure that when<BR>
you create an empty directory, you also need to make sure that the ownership<BR>
of that directory is: cvs:cvs before bind mounting. So:<BR>
<BR>
1) mkdir /cvs<BR>
2) chown cvs:cvs /cvs<BR>
<BR>
then<BR>
<BR>
3) mount --bind /var/cvs /cvs<BR>
<BR>
it all works now!<BR>
<BR>
<BLOCKQUOTE TYPE=CITE>
<BLOCKQUOTE TYPE=CITE>
<BLOCKQUOTE TYPE=CITE>
<FONT COLOR="#000000">mount --bind /var/cvs /cvs</FONT><BR>
<BR>
<FONT COLOR="#000000">ls -ldZ /cvs:</FONT><BR>
<FONT COLOR="#000000">=======</FONT><BR>
<FONT COLOR="#000000">drwxr-xr-x cvs cvs system_u:object_r:cvs_t:s0 /cvs</FONT><BR>
<FONT COLOR="#000000">So, the context is right, but still get a Permissions denied.</FONT><BR>
<BR>
<FONT COLOR="#000000">/sbin/ausearch -i -m AVC</FONT><BR>
<FONT COLOR="#000000">================</FONT><BR>
<FONT COLOR="#000000">type=SYSCALL msg=audit(02/14/2008 11:08:09.984:7732) : arch=i386 syscall=fchmodat success=no exit=-13(Permission denied) a0=ffffff9c a1=94848d8 a2=1fd a3=94848d8 items=0 ppid=23862 pid=20445 auid=dant uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts7 comm=chmod exe=/bin/chmod subj=system_u:system_r:unconfined_t:s0 key=(null) </FONT><BR>
<FONT COLOR="#000000">type=AVC msg=audit(02/14/2008 11:08:09.984:7732) : avc: denied { setattr } for pid=20445 comm=chmod name=cvs dev=sdb5 ino=819450 scontext=system_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:cvs_t:s0 tclass=dir </FONT><BR>
</BLOCKQUOTE>
<BR>
<FONT COLOR="#000000">Oh rats! This error above was for something else! My mistake!!!!</FONT><BR>
<BR>
<FONT COLOR="#000000">I had to trying logging in at the remote system but failed several times,</FONT><BR>
<FONT COLOR="#000000">but after the 3rd try, I finally got in. Not sure why the login process</FONT><BR>
<FONT COLOR="#000000">stumbled.</FONT><BR>
<BR>
<FONT COLOR="#000000">So, It DOES work!</FONT><BR>
<BR>
</BLOCKQUOTE>
<BR>
<FONT COLOR="#000000">But I am having a problem with getting Eclipse's SVN to open a single file:</FONT><BR>
<BR>
<FONT COLOR="#000000">The server reported an error while performing the "cvs status" command.</FONT><BR>
<FONT COLOR="#000000"> HelloWorld: cvs status: failed to create lock directory for `/cvs/Eclipse/C/Examples/HelloWorld' (/cvs/Eclipse/C/Examples/HelloWorld/#cvs.lock): Permission denied</FONT><BR>
<FONT COLOR="#000000"> HelloWorld: cvs status: failed to obtain dir lock in repository `/cvs/Eclipse/C/Examples/HelloWorld'</FONT><BR>
<FONT COLOR="#000000"> HelloWorld: cvs [status aborted]: read lock failed - giving up</FONT><BR>
<BR>
<FONT COLOR="#000000">Not sure why it is not able to lock this file for checkout/examination. Any ideas?</FONT><BR>
</BLOCKQUOTE>
<BR>
See note above...<BR>
<BR>
<BLOCKQUOTE TYPE=CITE>
<BLOCKQUOTE TYPE=CITE>
<BLOCKQUOTE TYPE=CITE>
<BLOCKQUOTE TYPE=CITE>
<FONT COLOR="#000000">To Stephen: "/sbin/ausearch -i -m AVC"</FONT><BR>
<FONT COLOR="#000000">type=SYSCALL msg=audit(02/13/2008 19:17:32.484:5097) : arch=i386 syscall=open success=no exit=-13(Permission denied) a0=8faf660 a1=8000 a2=1b6 a3=8fafa58 items=0 ppid=25427 pid=27015 auid=dant uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) comm=cvs exe=/usr/bin/cvs subj=system_u:system_r:cvs_t:s0-s0:c0.c1023 key=(null) </FONT><BR>
<FONT COLOR="#000000">type=AVC msg=audit(02/13/2008 19:17:32.484:5097) : avc: denied { read } for pid=27015 comm=cvs name=cvs dev=sdb5 ino=49172 scontext=system_u:system_r:cvs_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file </FONT><BR>
<BR>
<FONT COLOR="#000000">Thanks for responding!</FONT><BR>
<FONT COLOR="#000000">Dan </FONT><BR>
</BLOCKQUOTE>
</BLOCKQUOTE>
</BLOCKQUOTE>
</BLOCKQUOTE>
<BR>
But of course, what about the symlink method?<BR>
Is this now a moot issue and can be ignored?<BR>
<BR>
</BODY>
</HTML>