<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 TRANSITIONAL//EN"> <HTML> <HEAD> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=UTF-8"> <META NAME="GENERATOR" CONTENT="GtkHTML/3.16.3"> </HEAD> <BODY> On Thu, 2008-02-14 at 11:25 -0800, Daniel B. Thurman wrote: <BLOCKQUOTE TYPE=CITE> On Thu, 2008-02-14 at 11:19 -0800, Daniel B. Thurman wrote: <BLOCKQUOTE TYPE=CITE> On Thu, 2008-02-14 at 11:13 -0800, Daniel B. Thurman wrote: <BLOCKQUOTE TYPE=CITE> On Thu, 2008-02-14 at 10:16 -0800, Daniel B. Thurman wrote: <BLOCKQUOTE TYPE=CITE> On Wed, 2008-02-13 at 18:23 -0800, Daniel B. Thurman wrote: <BLOCKQUOTE TYPE=CITE> In one of the Fedora CVS server setup, it says that if the administrator wants to use a simple pserver remote string such as: export CVSROOT=':pserver:<A HREF="mailto:dant@gold"><</A><A HREF="mailto:username@gold">username</A><A HREF="mailto:dant@gold">></A><A HREF="mailto:username@gold">@<systemname></A>:/cvs' Then one has to: 1) /etc/xinetd.d/cvs: server_args = -f --allow-root=/cvs pserver 2) ln -s /var/cvs /cvs But the problem here is that SELinux has no context for the symbolic link /cvs, therefore deny's access. I tried setting context for /cvs by: 1) chcon -t cvs_data_t No dice. Does not work. To see if I can cvs login bypassing Selinux, I tried: 1) setenforce 0 2) cvs login (successfully) 3) setenforce 1 So, what can I do to get SElinux to authorize the /cvs symbolic link access to /var/cvs? Thanks- Dan </BLOCKQUOTE> Apologies to all. It turns out that my email spam system was blocking me from receiving email responses I was waiting for! Geez, I will have to add another TODO to my list. To Paul: Can you explain what you mean by: "maybe try a bind mount instead of a symlink?" </BLOCKQUOTE> I looked it up and understood a bind mount. Answer is nope! Bind mount: ======== </BLOCKQUOTE> </BLOCKQUOTE> </BLOCKQUOTE> Ok, the issue is solved. What I did not know is, you need to make sure that when you create an empty directory, you also need to make sure that the ownership of that directory is: cvs:cvs before bind mounting. So: 1) mkdir /cvs 2) chown cvs:cvs /cvs then 3) mount --bind /var/cvs /cvs it all works now! <BLOCKQUOTE TYPE=CITE> <BLOCKQUOTE TYPE=CITE> <BLOCKQUOTE TYPE=CITE> mount --bind /var/cvs /cvs ls -ldZ /cvs: ======= drwxr-xr-x cvs cvs system_u:object_r:cvs_t:s0 /cvs So, the context is right, but still get a Permissions denied. /sbin/ausearch -i -m AVC ================ type=SYSCALL msg=audit(02/14/2008 11:08:09.984:7732) : arch=i386 syscall=fchmodat success=no exit=-13(Permission denied) a0=ffffff9c a1=94848d8 a2=1fd a3=94848d8 items=0 ppid=23862 pid=20445 auid=dant uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts7 comm=chmod exe=/bin/chmod subj=system_u:system_r:unconfined_t:s0 key=(null) type=AVC msg=audit(02/14/2008 11:08:09.984:7732) : avc: denied { setattr } for pid=20445 comm=chmod name=cvs dev=sdb5 ino=819450 scontext=system_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:cvs_t:s0 tclass=dir </BLOCKQUOTE> Oh rats! This error above was for something else! My mistake!!!! I had to trying logging in at the remote system but failed several times, but after the 3rd try, I finally got in. Not sure why the login process stumbled. So, It DOES work! </BLOCKQUOTE> But I am having a problem with getting Eclipse's SVN to open a single file: The server reported an error while performing the "cvs status" command. HelloWorld: cvs status: failed to create lock directory for `/cvs/Eclipse/C/Examples/HelloWorld' (/cvs/Eclipse/C/Examples/HelloWorld/#cvs.lock): Permission denied HelloWorld: cvs status: failed to obtain dir lock in repository `/cvs/Eclipse/C/Examples/HelloWorld' HelloWorld: cvs [status aborted]: read lock failed - giving up Not sure why it is not able to lock this file for checkout/examination. Any ideas? </BLOCKQUOTE> See note above... <BLOCKQUOTE TYPE=CITE> <BLOCKQUOTE TYPE=CITE> <BLOCKQUOTE TYPE=CITE> <BLOCKQUOTE TYPE=CITE> To Stephen: "/sbin/ausearch -i -m AVC" type=SYSCALL msg=audit(02/13/2008 19:17:32.484:5097) : arch=i386 syscall=open success=no exit=-13(Permission denied) a0=8faf660 a1=8000 a2=1b6 a3=8fafa58 items=0 ppid=25427 pid=27015 auid=dant uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) comm=cvs exe=/usr/bin/cvs subj=system_u:system_r:cvs_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(02/13/2008 19:17:32.484:5097) : avc: denied { read } for pid=27015 comm=cvs name=cvs dev=sdb5 ino=49172 scontext=system_u:system_r:cvs_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_t:s0 tclass=lnk_file Thanks for responding! Dan </BLOCKQUOTE> </BLOCKQUOTE> </BLOCKQUOTE> </BLOCKQUOTE> But of course, what about the symlink method? Is this now a moot issue and can be ignored? </BODY> </HTML>