Show Table of Contents
19.4. Configuration Examples
19.4.1. Setting up CVS
This example describes a simple CVS setup and an SELinux configuration which allows remote access. Two hosts are used in this example; a CVS server with a host name of
cvs-srv with an IP address of 192.168.1.1 and a client with a host name of cvs-client and an IP address of 192.168.1.100. Both hosts are on the same subnet (192.168.1.0/24). This is an example only and assumes that the cvs and xinetd packages are installed, that the SELinux targeted policy is used, and that SELinux is running in enforced mode.
This example will show that even with full DAC permissions, SELinux can still enforce policy rules based on file labels and only allow access to certain areas that have been specifically labeled for access by CVS.
Note
Steps 1-9 are supposed be performed on the CVS server,
cvs-srv.
- This example requires the cvs and xinetd packages. Confirm that the packages are installed:
[cvs-srv]$
rpm -q cvs xinetdpackage cvs is not installed package xinetd is not installedIf they are not installed, use theyumutility as root to install it:[cvs-srv]#
yum install cvs xinetd - Enter the following command as root to create a group named
CVS:[cvs-srv]#
groupadd CVSThis can by also done by using thesystem-config-usersutility. - Create a user with a user name of
cvsuserand make this user a member of the CVS group. This can be done usingsystem-config-users. - Edit the
/etc/servicesfile and make sure that the CVS server has uncommented entries looking similar to the following:cvspserver 2401/tcp # CVS client/server operations cvspserver 2401/udp # CVS client/server operations
- Create the CVS repository in the root area of the file system. When using SELinux, it is best to have the repository in the root file system so that recursive labels can be given to it without affecting any other subdirectories. For example, as root, create a
/cvs/directory to house the repository:[root@cvs-srv]#
mkdir /cvs - Give full permissions to the
/cvs/directory to all users:[root@cvs-srv]#
chmod -R 777 /cvsWarning
This is an example only and these permissions should not be used in a production system. - Edit the
/etc/xinetd.d/cvsfile and make sure that the CVS section is uncommented and configured to use the/cvs/directory. The file should look similar to:service cvspserver { disable = no port = 2401 socket_type = stream protocol = tcp wait = no user = root passenv = PATH server = /usr/bin/cvs env = HOME=/cvs server_args = -f --allow-root=/cvs pserver # bind = 127.0.0.1 - Start the
xinetddaemon:[cvs-srv]#
systemctl start xinetd.service - Add a rule which allows inbound connections through TCP on port 2401 by using the
system-config-firewallutility. - On the client side, enter the following command as the
cvsuseruser:[cvsuser@cvs-client]$
cvs -d /cvs init - At this point, CVS has been configured but SELinux will still deny logins and file access. To demonstrate this, set the
$CVSROOTvariable oncvs-clientand try to log in remotely. The following step is supposed to be performed oncvs-client:[cvsuser@cvs-client]$
export CVSROOT=:pserver:cvsuser@192.168.1.1:/cvs[cvsuser@cvs-client]$ [cvsuser@cvs-client]$cvs loginLogging in to :pserver:cvsuser@192.168.1.1:2401/cvs CVS password: ******** cvs [login aborted]: unrecognized auth response from 192.168.100.1: cvs pserver: cannot open /cvs/CVSROOT/config: Permission deniedSELinux has blocked access. In order to get SELinux to allow this access, the following step is supposed to be performed oncvs-srv: - Change the context of the
/cvs/directory as root in order to recursively label any existing and new data in the/cvs/directory, giving it thecvs_data_ttype:[root@cvs-srv]#
semanage fcontext -a -t cvs_data_t '/cvs(/.*)?'[root@cvs-srv]#restorecon -R -v /cvs - The client,
cvs-clientshould now be able to log in and access all CVS resources in this repository:[cvsuser@cvs-client]$
export CVSROOT=:pserver:cvsuser@192.168.1.1:/cvs[cvsuser@cvs-client]$ [cvsuser@cvs-client]$cvs loginLogging in to :pserver:cvsuser@192.168.1.1:2401/cvs CVS password: ******** [cvsuser@cvs-client]$
Where did the comment section go?
Red Hat's documentation publication system recently went through an upgrade to enable speedier, more mobile-friendly content. We decided to re-evaluate our commenting platform to ensure that it meets your expectations and serves as an optimal feedback mechanism. During this redesign, we invite your input on providing feedback on Red Hat documentation via the discussion platform.