Hi Stephen,

The following AVC denied errors occur:

1) name_connect to port 11211 (memcached)

type=AVC msg=audit(1357289094.993:338): avc: denied { name_connect } for pid=1668 comm="httpd" dest=11211 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:memcache_port_t:s0 tclass=tcp_socket

Reviewboard 1.7.1 by default uses memcached, it seems like the SELinux profile for httpd doesn't allow TCP connections to port 11211. This failure does not prevent reviewboard from working, but is likely to affect performance. Should the profile shipped with Fedora be extended to allow these connections by default?

[Unix permissions]

Reviewboard initially detects that write permission is not available and returns a web page instructing the user to grant write permission with these commands:

$ sudo chown -R apache "/var/www/reviewboard/data"
$ sudo chown -R apache "/var/www/reviewboard/htdocs/media/ext"

Once the permissions are changed, SELinux still prevents write access.

2) write to ext directory

type=AVC msg=audit(1357289565.991:401): avc: denied { write } for pid=1665 comm="httpd" name="ext" dev="dm-1" ino=1896 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir

SELinux context is currently:

$ ls -ldZ /var/www/reviewboard/htdocs/media/ext/
drwxrwxr-x. apache pafee unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/reviewboard/htdocs/media/ext/

Suggestion from SELinux Troubleshooter fixed this issue:

$ sudo restorecon -v /var/www/reviewboard/htdocs/media/ext
$ ls -ldZ /var/www/reviewboard/htdocs/media/ext/
drwxrwxr-x. apache pafee unconfined_u:object_r:httpd_sys_rw_content_t:s0 /var/www/reviewboard/htdocs/media/ext/

I agree it would be difficult for Fedora to predict where a reviewboard site would be placed. Would it be possible for "rb-site install" to set the SELinux security contexts of the files it creates?

Thanks,
Paul

>________________________________
> From: Stephen Gallagher <step...@gallagherhome.com>
>To: p...@talk21.com
>Cc: "chip...@chipx86.com" <chip...@chipx86.com>; Christian Hammond
><chip...@gmail.com>; "reviewboard@googlegroups.com"
><reviewboard@googlegroups.com>
>Sent: Thursday, 3 January 2013, 18:25
>Subject: Re: Testing 1.7.1 on Fedora 18
>
>On Thu 03 Jan 2013 11:47:06 AM EST, p...@talk21.com wrote:
>> Hi Stephen,
>>
>> After running rb-site install and visiting the website, I get errors
>> about a couple of directories not being writeable. The web page
>> helpfully suggests a couple of "chmod -R" commands. However on Fedora
>> the SELinux profile for the httpd process prevents writing regardless
>> of unix permissions. I'm not sure if there's anything Fedora can do
>> to make that easier for users, perhaps it's just something to
>> document. The SELinux Troubleshooter correctly indicates how to
>> workaround this issue.
>>
>
>
>We can't really make this easier because we don't have advance knowledge of
>where you're installing the Review Board site. I *think* what you need to do
>is set the following SELinux contexts (with 'chcon -t <context> file' or
>'chcon -R -r <context> directory'):
>
>1) apache-wsgi.conf needs to be httpd_config_t
>2) $SITE_DIR/htdocs and $SITE_DIR/data (if using an SQLITE DB) need to be
>httpd_sys_content_t
>
>What else did the Troubleshooter say? I'm naming those from memory.
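
The two AVC records in the message above can be triaged by parsing each denial into source type, target type, object class and permission. The following Python parser is an added example, not part of the original thread or of Review Board; its function names are hypothetical, and the sample log is the two records quoted in the message.

```python
import re
from collections import defaultdict

# The two AVC records quoted in the message above (sample input for this example).
SAMPLE_AUDIT_LOG = (
    'type=AVC msg=audit(1357289094.993:338): avc: denied { name_connect } for '
    'pid=1668 comm="httpd" dest=11211 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:memcache_port_t:s0 tclass=tcp_socket\n'
    'type=AVC msg=audit(1357289565.991:401): avc: denied { write } for '
    'pid=1665 comm="httpd" name="ext" dev="dm-1" ino=1896 '
    'scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir\n'
)

AVC_RE = re.compile(r"type=AVC msg=audit\([\d.]+:(?P<serial>\d+)\): avc:\s+denied\s+"
                    r"\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def selinux_type(context):
    """Return the type field of user:role:type[:level], or None if malformed."""
    parts = context.split(":", 3)  # the level may itself contain ':' (MLS categories)
    return parts[2] if len(parts) >= 3 else None

def parse_avc(line):
    """Parse one AVC denial into a dict; return None for anything else."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m["fields"])}
    src = selinux_type(fields.get("scontext", ""))
    tgt = selinux_type(fields.get("tcontext", ""))
    if not (src and tgt and "tclass" in fields):
        return None
    return {**fields, "serial": int(m["serial"]), "perms": m["perms"].split(),
            "source_type": src, "target_type": tgt}

def summarize(log_text):
    """Group denials by (source type, target type, class), merging permissions."""
    grouped = defaultdict(set)
    for rec in filter(None, map(parse_avc, log_text.splitlines())):
        grouped[(rec["source_type"], rec["target_type"], rec["tclass"])].update(rec["perms"])
    return dict(grouped)

def as_rules(log_text):
    """Render the summary in allow-rule notation, for review only: a denial may
    call for relabeling (as restorecon did in the thread) rather than a rule."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(summarize(log_text).items())]

if __name__ == "__main__":
    print("\n".join(as_rules(SAMPLE_AUDIT_LOG)))
```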