1cvs_selinux(8)                SELinux Policy cvs                cvs_selinux(8)
2
3
4

NAME

6       cvs_selinux - Security Enhanced Linux Policy for the cvs processes
7

DESCRIPTION

9       Security-Enhanced  Linux  secures the cvs processes via flexible manda‐
10       tory access control.
11
12       The cvs processes execute with the cvs_t SELinux type. You can check if
13       you  have  these processes running by executing the ps command with the
14       -Z qualifier.
15
16       For example:
17
18       ps -eZ | grep cvs_t
19
20
21

ENTRYPOINTS

23       The cvs_t SELinux type can be entered via the cvs_exec_t file type.
24
25       The default entrypoint paths for the cvs_t domain are the following:
26
27       /usr/bin/cvs
28

PROCESS TYPES

30       SELinux defines process types (domains) for each process running on the
31       system
32
33       You can see the context of a process using the -Z option to ps
34
35       Policy  governs  the  access confined processes have to files.  SELinux
36       cvs policy is very flexible allowing users to setup their cvs processes
37       in as secure a method as possible.
38
39       The following process types are defined for cvs:
40
41       cvs_t, cvs_script_t
42
43       Note: semanage permissive -a cvs_t can be used to make the process type
44       cvs_t permissive. SELinux does not deny access  to  permissive  process
45       types, but the AVC (SELinux denials) messages are still generated.
46
47

BOOLEANS

49       SELinux  policy  is  customizable  based on least access required.  cvs
50       policy is extremely flexible and has several booleans that allow you to
51       manipulate the policy and run cvs with the tightest access possible.
52
53
54
55       If  you  want  to determine whether cvs can read shadow password files,
56       you must turn on the cvs_read_shadow boolean. Disabled by default.
57
58       setsebool -P cvs_read_shadow 1
59
60
61
62       If you want to allow all domains to execute in fips_mode, you must turn
63       on the fips_mode boolean. Enabled by default.
64
65       setsebool -P fips_mode 1
66
67
68

PORT TYPES

70       SELinux defines port types to represent TCP and UDP ports.
71
72       You  can  see  the  types associated with a port by using the following
73       command:
74
75       semanage port -l
76
77
78       Policy governs the access  confined  processes  have  to  these  ports.
79       SELinux  cvs  policy is very flexible allowing users to setup their cvs
80       processes in as secure a method as possible.
81
82       The following port types are defined for cvs:
83
84
85       cvs_port_t
86
87
88
89       Default Defined Ports:
90                 tcp 2401
91                 udp 2401
92

MANAGED FILES

94       The SELinux process type cvs_t can manage files labeled with  the  fol‐
95       lowing  file  types.   The paths listed are the default paths for these
96       file types.  Note the processes UID still need to have DAC permissions.
97
98       cluster_conf_t
99
100            /etc/cluster(/.*)?
101
102       cluster_var_lib_t
103
104            /var/lib/pcsd(/.*)?
105            /var/lib/cluster(/.*)?
106            /var/lib/openais(/.*)?
107            /var/lib/pengine(/.*)?
108            /var/lib/corosync(/.*)?
109            /usr/lib/heartbeat(/.*)?
110            /var/lib/heartbeat(/.*)?
111            /var/lib/pacemaker(/.*)?
112
113       cluster_var_run_t
114
115            /var/run/crm(/.*)?
116            /var/run/cman_.*
117            /var/run/rsctmp(/.*)?
118            /var/run/aisexec.*
119            /var/run/heartbeat(/.*)?
120            /var/run/pcsd-ruby.socket
121            /var/run/corosync-qnetd(/.*)?
122            /var/run/corosync-qdevice(/.*)?
123            /var/run/corosync.pid
124            /var/run/cpglockd.pid
125            /var/run/rgmanager.pid
126            /var/run/cluster/rgmanager.sk
127
128       cvs_data_t
129
130            /opt/cvs(/.*)?
131            /var/cvs(/.*)?
132
133       cvs_tmp_t
134
135
136       cvs_var_run_t
137
138            /var/run/cvs.pid
139
140       faillog_t
141
142            /var/log/btmp.*
143            /var/log/faillog.*
144            /var/log/tallylog.*
145            /var/run/faillock(/.*)?
146
147       krb5_host_rcache_t
148
149            /var/tmp/krb5_0.rcache2
150            /var/cache/krb5rcache(/.*)?
151            /var/tmp/nfs_0
152            /var/tmp/DNS_25
153            /var/tmp/host_0
154            /var/tmp/imap_0
155            /var/tmp/HTTP_23
156            /var/tmp/HTTP_48
157            /var/tmp/ldap_55
158            /var/tmp/ldap_487
159            /var/tmp/ldapmap1_0
160
161       root_t
162
163            /sysroot/ostree/deploy/.*-atomic/deploy(/.*)?
164            /
165            /initrd
166
167

FILE CONTEXTS

169       SELinux requires files to have an extended attribute to define the file
170       type.
171
172       You can see the context of a file using the -Z option to ls
173
174       Policy  governs  the  access  confined  processes  have to these files.
175       SELinux cvs policy is very flexible allowing users to setup  their  cvs
176       processes in as secure a method as possible.
177
178       STANDARD FILE CONTEXT
179
180       SELinux  defines  the  file context types for the cvs, if you wanted to
181       store files with these types in a diffent paths, you  need  to  execute
182       the  semanage  command  to sepecify alternate labeling and then use re‐
183       storecon to put the labels on disk.
184
185       semanage fcontext -a -t cvs_ra_content_t '/srv/mycvs_content(/.*)?'
186       restorecon -R -v /srv/mycvs_content
187
188       Note: SELinux often uses regular expressions  to  specify  labels  that
189       match multiple files.
190
191       The following file types are defined for cvs:
192
193
194
195       cvs_content_t
196
197       - Set files with the cvs_content_t type, if you want to treat the files
198       as cvs content.
199
200
201
202       cvs_data_t
203
204       - Set files with the cvs_data_t type, if you want to treat the files as
205       cvs content.
206
207
208       Paths:
209            /opt/cvs(/.*)?, /var/cvs(/.*)?
210
211
212       cvs_exec_t
213
214       - Set files with the cvs_exec_t type, if you want to transition an exe‐
215       cutable to the cvs_t domain.
216
217
218
219       cvs_home_t
220
221       - Set files with the cvs_home_t type, if you want to store cvs files in
222       the users home directory.
223
224
225       Paths:
226            /root/.cvsignore, /home/[^/]+/.cvsignore
227
228
229       cvs_htaccess_t
230
231       - Set files with the cvs_htaccess_t type, if you want to treat the file
232       as a cvs access file.
233
234
235
236       cvs_initrc_exec_t
237
238       - Set files with the cvs_initrc_exec_t type, if you want to  transition
239       an executable to the cvs_initrc_t domain.
240
241
242
243       cvs_keytab_t
244
245       -  Set files with the cvs_keytab_t type, if you want to treat the files
246       as kerberos keytab files.
247
248
249
250       cvs_ra_content_t
251
252       - Set files with the cvs_ra_content_t type, if you want  to  treat  the
253       files as cvs read/append content.
254
255
256
257       cvs_rw_content_t
258
259       -  Set  files  with the cvs_rw_content_t type, if you want to treat the
260       files as cvs read/write content.
261
262
263
264       cvs_script_exec_t
265
266       - Set files with the cvs_script_exec_t type, if you want to  transition
267       an executable to the cvs_script_t domain.
268
269
270       Paths:
271            /var/www/cgi-bin/cvsweb.cgi, /usr/share/cvsweb/cvsweb.cgi
272
273
274       cvs_tmp_t
275
276       - Set files with the cvs_tmp_t type, if you want to store cvs temporary
277       files in the /tmp directories.
278
279
280
281       cvs_var_run_t
282
283       - Set files with the cvs_var_run_t type, if you want to store  the  cvs
284       files under the /run or /var/run directory.
285
286
287
288       Note:  File context can be temporarily modified with the chcon command.
289       If you want to permanently change the file context you need to use  the
290       semanage fcontext command.  This will modify the SELinux labeling data‐
291       base.  You will need to use restorecon to apply the labels.
292
293

COMMANDS

295       semanage fcontext can also be used to manipulate default  file  context
296       mappings.
297
298       semanage  permissive  can  also  be used to manipulate whether or not a
299       process type is permissive.
300
301       semanage module can also be used to enable/disable/install/remove  pol‐
302       icy modules.
303
304       semanage port can also be used to manipulate the port definitions
305
306       semanage boolean can also be used to manipulate the booleans
307
308
309       system-config-selinux is a GUI tool available to customize SELinux pol‐
310       icy settings.
311
312

AUTHOR

314       This manual page was auto-generated using sepolicy manpage .
315
316

SEE ALSO

318       selinux(8), cvs(8), semanage(8), restorecon(8), chcon(1),  sepolicy(8),
319       setsebool(8), cvs_script_selinux(8), cvs_script_selinux(8)
320
321
322
323cvs                                21-06-09                     cvs_selinux(8)
Impressum