On 04/29/2009 11:20 AM, Daniel B. Thurman wrote:
Daniel J Walsh wrote:
On 04/28/2009 10:07 PM, Daniel B. Thurman wrote:
I am trying to get my CVS repository setup. Apparently,
it appears that the repository must be in the root directory,
otherwise I get selinux permission denials.
What I tried to do initially was to locate the repository
on a NTFS filesystem for which the context is fusefs
which could not be changed, no matter what I tried.
I got selinux permission errors.
Giving that up, I moved the repository to a ext3 filesystem
located on a separate drive/partition, mounted on /f-App1,
where the repository is located @ /f-App1/Develop/cvs, and did:
cd /f-App1/Develop/
chown -R cvs:cvs cvs
chcon -R -t cvs_data_t cvs
find cvs -type d -exec chmod 755 {} \;
find cvs -type t -exec chmod 754 {} \;
ln -s /f-App1/Develop/cvs /cvs
and I got selinux complaining that the files are not /cvs rooted.
So I did:
cp -a /f-App1/Develop/cvs /cvs1
rm -f /cvs
ln -s /cvs1 /cvs
And it worked.
How can I place my repository in a non-rooted, non-standard
repository location and avoid the selinux complaints?
I blogged on your email
http://danwalsh.livejournal.com/28027.html
Thanks a lot Dan! I will see what I can do to resolve
my CVS issues. Please read my posting in reply to Todd
Dennison. I was asking myself why the "all or nothing
proposition", and about using selinux context with more
flexibility than what we have? I understand that security
prevails over flexibility but I was wondering if there was
a way to gain more flexibility and yet still retain security?
Well I would argue they are very flexible. I did give you a couple of
solutions but there are theoretically multiple others.
And I am always willing to accept other solutions.
svn and git seem to be using http_sys_content_t for their context so I
guess we could attempt to allow those domains access to cvs_data?
For example, if multiple context / file was possible, then
one could theoretically traverse from the top of the tree
to allow passage to the leaf of the tree? Yes I can imagine
it is a bit more complexity, but... if security is not compromised,
then, perhaps it's worth it?
I guess maybe we should have had this conversation on the blog. There
are many context that most confined services can traverse. For example
usr_t, etc_t, var_t
I have added a comment to my blog.
PS: For some reason or another, I am no longer receiving
Fedora SeLinux mailing list postings. Is the Fedora SeLinux
mailing list still active?
Yes. This list is still available.
Last message is 4/28 fron me. :^)
Kind regards,
Dan
--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines