Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

18.4. Configuration Examples

18.4.1. Setting up CVS
Copy link

This example describes a simple CVS setup and an SELinux configuration which allows remote access. Two hosts are used in this example; a CVS server with a host name of cvs-srv with an IP address of 192.168.1.1 and a client with a host name of cvs-client and an IP address of 192.168.1.100. Both hosts are on the same subnet (192.168.1.0/24). This is an example only and assumes that the cvs and xinetd packages are installed, that the SELinux targeted policy is used, and that SELinux is running in enforced mode.
This example will show that even with full DAC permissions, SELinux can still enforce policy rules based on file labels and only allow access to certain areas that have been specifically labeled for access by CVS.

Note

Steps 1-9 are supposed be performed on the CVS server, cvs-srv.
  1. This example requires the cvs and xinetd packages. Confirm that the packages are installed: 
    [cvs-srv]$ rpm -q cvs xinetd
package cvs is not installed
package xinetd is not installed
    Copy to Clipboard Toggle word wrap
    If they are not installed, use the yum utility as root to install it: 
    [cvs-srv]# yum install cvs xinetd
    Copy to Clipboard Toggle word wrap
  2. Enter the following command as root to create a group named CVS: 
    [cvs-srv]# groupadd CVS
    Copy to Clipboard Toggle word wrap
    This can by also done by using the system-config-users utility.
  3. Create a user with a user name of cvsuser and make this user a member of the CVS group. This can be done using system-config-users.
  4. Edit the /etc/services file and make sure that the CVS server has uncommented entries looking similar to the following: 
    cvspserver	2401/tcp			# CVS client/server operations
cvspserver	2401/udp			# CVS client/server operations
    Copy to Clipboard Toggle word wrap
  5. Create the CVS repository in the root area of the file system. When using SELinux, it is best to have the repository in the root file system so that recursive labels can be given to it without affecting any other subdirectories. For example, as root, create a /cvs/ directory to house the repository: 
    [root@cvs-srv]# mkdir /cvs
    Copy to Clipboard Toggle word wrap
  6. Give full permissions to the /cvs/ directory to all users: 
    [root@cvs-srv]# chmod -R 777 /cvs
    Copy to Clipboard Toggle word wrap

    Warning

    This is an example only and these permissions should not be used in a production system.
  7. Edit the /etc/xinetd.d/cvs file and make sure that the CVS section is uncommented and configured to use the /cvs/ directory. The file should look similar to: 
    service cvspserver
{
	disable	= no
	port			= 2401
	socket_type		= stream
	protocol		= tcp
	wait			= no
	user			= root
	passenv			= PATH
	server			= /usr/bin/cvs
	env			= HOME=/cvs
	server_args		= -f --allow-root=/cvs pserver
#	bind			= 127.0.0.1
    Copy to Clipboard Toggle word wrap
  8. Start the xinetd daemon: 
    [cvs-srv]# systemctl start xinetd.service
    Copy to Clipboard Toggle word wrap
  9. Add a rule which allows inbound connections through TCP on port 2401 by using the system-config-firewall utility.
  10. On the client side, enter the following command as the cvsuser user: 
    [cvsuser@cvs-client]$ cvs -d /cvs init
    Copy to Clipboard Toggle word wrap
  11. At this point, CVS has been configured but SELinux will still deny logins and file access. To demonstrate this, set the $CVSROOT variable on cvs-client and try to log in remotely. The following step is supposed to be performed on cvs-client: 
    [cvsuser@cvs-client]$ export CVSROOT=:pserver:cvsuser@192.168.1.1:/cvs
[cvsuser@cvs-client]$
[cvsuser@cvs-client]$ cvs login
Logging in to :pserver:cvsuser@192.168.1.1:2401/cvs
CVS password: ********
cvs [login aborted]: unrecognized auth response from 192.168.100.1: cvs pserver: cannot open /cvs/CVSROOT/config: Permission denied
    Copy to Clipboard Toggle word wrap
    SELinux has blocked access. In order to get SELinux to allow this access, the following step is supposed to be performed on cvs-srv:
  12. Change the context of the /cvs/ directory as root in order to recursively label any existing and new data in the /cvs/ directory, giving it the cvs_data_t type: 
    [root@cvs-srv]# semanage fcontext -a -t cvs_data_t '/cvs(/.*)?'
[root@cvs-srv]# restorecon -R -v /cvs
    Copy to Clipboard Toggle word wrap
  13. The client, cvs-client should now be able to log in and access all CVS resources in this repository: 
    [cvsuser@cvs-client]$ export CVSROOT=:pserver:cvsuser@192.168.1.1:/cvs
[cvsuser@cvs-client]$
[cvsuser@cvs-client]$ cvs login
Logging in to :pserver:cvsuser@192.168.1.1:2401/cvs
CVS password: ********
[cvsuser@cvs-client]$
    Copy to Clipboard Toggle word wrap
Back to top
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2025 Red Hat