Hi Stephen,

The following AVC denied errors occur:

1) name_connect to port 11211 (memcached)
type=AVC msg=audit(1357289094.993:338): avc:  denied  { name_connect } for  
pid=1668 comm="httpd" dest=11211 scontext=system_u:system_r:httpd_t:s0 
tcontext=system_u:object_r:memcache_port_t:s0 tclass=tcp_socket

Reviewboard 1.7.1 by default uses memcached; it seems like the SELinux profile 
for httpd doesn't allow TCP connections to port 11211.  This failure does not 
prevent reviewboard from working, but is likely to affect performance.  Should 
the profile shipped with Fedora be extended to allow these connections by 
default?


[Unix permissions]
Reviewboard initially detects that write permission is not available and 
returns a web page instructing the user to grant write permission with these 
commands:
$ sudo chown -R apache "/var/www/reviewboard/data"
$ sudo chown -R apache "/var/www/reviewboard/htdocs/media/ext"


Once the permissions are changed, SELinux still prevents write access.


2) write to ext directory
type=AVC msg=audit(1357289565.991:401): avc:  denied  { write } for  pid=1665 
comm="httpd" name="ext" dev="dm-1" ino=1896 
scontext=system_u:system_r:httpd_t:s0 
tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir


SELinux context is currently:

$ ls -ldZ /var/www/reviewboard/htdocs/media/ext/
drwxrwxr-x. apache pafee unconfined_u:object_r:httpd_sys_content_t:s0 
/var/www/reviewboard/htdocs/media/ext/


The suggestion from the SELinux Troubleshooter fixed this issue:
$ sudo restorecon -v /var/www/reviewboard/htdocs/media/ext
$ ls -ldZ /var/www/reviewboard/htdocs/media/ext/
drwxrwxr-x. apache pafee unconfined_u:object_r:httpd_sys_rw_content_t:s0 
/var/www/reviewboard/htdocs/media/ext/


I agree it would be difficult for Fedora to predict where a reviewboard site 
would be placed.  Would it be possible for "rb-site install" to set the SELinux 
security contexts of the files it creates?

Thanks,
Paul




>________________________________
> From: Stephen Gallagher <step...@gallagherhome.com>
>To: p...@talk21.com 
>Cc: "chip...@chipx86.com" <chip...@chipx86.com>; Christian Hammond 
><chip...@gmail.com>; "reviewboard@googlegroups.com" 
><reviewboard@googlegroups.com> 
>Sent: Thursday, 3 January 2013, 18:25
>Subject: Re: Testing 1.7.1 on Fedora 18
> 
>On Thu 03 Jan 2013 11:47:06 AM EST, p...@talk21.com wrote:
>> Hi Stephen,
>> 
>> After running rb-site install and visiting the website, I get errors
>> about a couple of directories not being writeable.  The web page
>> helpfully suggests a couple of "chmod -R" commands.  However on Fedora
>> the SELinux profile for the httpd process prevents writing regardless
>> of unix permissions.  I'm not sure if there's anything Fedora can do
>> to make that easier for users, perhaps it's just something to
>> document.  The SELinux Troubleshooter correctly indicates how to
>> work around this issue.
>> 
>
>
>We can't really make this easier because we don't have advance knowledge of 
>where you're installing the Review Board site. I *think* what you need to do 
>is set the following SELinux contexts (with 'chcon -t <context> file' or 
>'chcon -R -r <context> directory'):
>
>1) apache-wsgi.conf needs to be httpd_config_t
>2) $SITE_DIR/htdocs and $SITE_DIR/data (if using an SQLITE DB) need to be 
>httpd_sys_content_t
>
>What else did the Troubleshooter say? I'm naming those from memory.
>
>
>
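
A small parser for the two AVC records quoted in this thread, as an added example that is not part of the original messages or of Review Board: it splits each record into permission, source type, target type and object class, then sorts the denial into a file-labelling or a network-port case. The function names and the `triage` categories are assumptions made for illustration.

```python
import re

# The two AVC records quoted in the message above, re-joined onto single lines.
AUDIT_LOG = '''\
type=AVC msg=audit(1357289094.993:338): avc:  denied  { name_connect } for  pid=1668 comm="httpd" dest=11211 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:memcache_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1357289565.991:401): avc:  denied  { write } for  pid=1665 comm="httpd" name="ext" dev="dm-1" ino=1896 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
'''

AVC_RE = re.compile(r'avc:\s+(granted|denied)\s+\{([^}]*)\}\s+for\s+(.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
FILE_CLASSES = {"file", "dir", "lnk_file", "sock_file", "fifo_file", "chr_file", "blk_file"}


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC message."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group(3))}
    rec["result"] = m.group(1)
    rec["perms"] = m.group(2).split()
    # A context is user:role:type[:level]; the type is the field policy rules key on.
    rec["source_type"] = rec["scontext"].split(":")[2]
    rec["target_type"] = rec["tcontext"].split(":")[2]
    return rec


def triage(rec):
    """Hypothetical helper: sort a denial by the kind of object that was refused."""
    if rec["tclass"] in FILE_CLASSES:
        return "file-label"      # label on a path: inspect with ls -Z, as in the message
    if rec["tclass"].endswith("_socket") and {"name_connect", "name_bind"} & set(rec["perms"]):
        return "network-port"    # port type is in tcontext, port number in dest=/src=
    return "other"


def summarize(log):
    """One (source_type, perms, target_type, tclass, kind) tuple per denied record."""
    out = []
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec and rec["result"] == "denied":
            out.append((rec["source_type"], tuple(rec["perms"]),
                        rec["target_type"], rec["tclass"], triage(rec)))
    return out


if __name__ == "__main__":
    for row in summarize(AUDIT_LOG):
        print(row)
```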
