Hi Stephen,

Another SELinux error I missed:


3) write to data directory
Occurs when user tries to login.
type=AVC msg=audit(1357290519.860:433): avc:  denied  { write } for  pid=1666 
comm="httpd" name="data" dev="dm-1" ino=1884 
scontext=system_u:system_r:httpd_t:s0 
tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir


As with the ext directory, this was fixed using the suggestion from the SELinux 
Troubleshooter:

$ ls -ldZ /var/www/reviewboard/data
drwxrwxr-x. apache pafee unconfined_u:object_r:httpd_sys_content_t:s0 
/var/www/reviewboard/data
$ sudo restorecon -v /var/www/reviewboard/data/
restorecon reset /var/www/reviewboard/data context 
unconfined_u:object_r:httpd_sys_content_t:s0->unconfined_u:object_r:httpd_sys_rw_content_t:s0
$ ls -ldZ /var/www/reviewboard/data
drwxrwxr-x. apache pafee unconfined_u:object_r:httpd_sys_rw_content_t:s0 
/var/www/reviewboard/data


Fixing the two write denials allows reviewboard to function normally.

Regarding memcached, in addition to the SELinux named_connect restriction, the 
memcached package is not installed.  It's not a mandatory dependency of 
reviewboard, however the rb-site script does configure it by default.  Should 
memcached be required by the F18 reviewboard package?

A couple of commands allowed reviewboard to make use of memcached.  This was 
verified by seeing the server cache stats present on the admin dashboard.

$ sudo yum install memcached
$ sudo systemctl start memcached.service


Thanks,
Paul




>________________________________
> From: "p...@talk21.com" <p...@talk21.com>
>To: Stephen Gallagher <step...@gallagherhome.com> 
>Cc: "chip...@chipx86.com" <chip...@chipx86.com>; Christian Hammond 
><chip...@gmail.com>; "reviewboard@googlegroups.com" 
><reviewboard@googlegroups.com> 
>Sent: Friday, 4 January 2013, 9:07
>Subject: Re: Testing 1.7.1 on Fedora 18
> 
>
>Hi Stephen,
>
>The following AVC denied errors occur:
>
>1) named_connect to port 11211 (memcached)
>type=AVC msg=audit(1357289094.993:338): avc:  denied  { name_connect } for  
>pid=1668 comm="httpd" dest=11211 scontext=system_u:system_r:httpd_t:s0 
>tcontext=system_u:object_r:memcache_port_t:s0 tclass=tcp_socket
>
>Reviewboard 1.7.1 by default uses memcached, it seems like the SELinux profile 
>for httpd doesn't allow TCP connections to port 11211.  This failure does not 
>prevent reviewboard from working, but is likely to affect performance.  Should 
>the profile shipped with Fedora be extended to allow these connections by 
>default?
>
>
>
>[Unix permissions]
>Reviewboard initially detects that write permission is not available and 
>returns a web page instructing the user to grant write permission with these 
>commands:
>$ sudo chown -R apache "/var/www/reviewboard/data"
>$ sudo chown -R apache "/var/www/reviewboard/htdocs/media/ext"
>
>
>
>Once the permissions are changed, SELinux still prevents write access.
>
>
>
>2) write to ext directory
>type=AVC msg=audit(1357289565.991:401): avc:  denied  { write } for  pid=1665 
>comm="httpd" name="ext" dev="dm-1" ino=1896 
>scontext=system_u:system_r:httpd_t:s0 
>tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
>
>
>
>SELinux context is currently:
>
>$ ls -ldZ /var/www/reviewboard/htdocs/media/ext/
>drwxrwxr-x. apache pafee unconfined_u:object_r:httpd_sys_content_t:s0 
>/var/www/reviewboard/htdocs/media/ext/
>
>
>
>Suggestion from the SELinux Troubleshooter fixed this issue:
>$ sudo restorecon -v /var/www/reviewboard/htdocs/media/ext
>$ ls -ldZ /var/www/reviewboard/htdocs/media/ext/
>drwxrwxr-x. apache pafee unconfined_u:object_r:httpd_sys_rw_content_t:s0 
>/var/www/reviewboard/htdocs/media/ext/
>
>
>
>I agree it would be difficult for Fedora to predict where a reviewboard site 
>would be placed.  Would it be possible for "rb-site install" to set the 
>SELinux security contexts of the files it creates?
>
>
>Thanks,
>Paul
>
>
>
>
>>________________________________
>> From: Stephen Gallagher <step...@gallagherhome.com>
>>To: p...@talk21.com 
>>Cc: "chip...@chipx86.com" <chip...@chipx86.com>; Christian Hammond 
>><chip...@gmail.com>; "reviewboard@googlegroups.com" 
>><reviewboard@googlegroups.com> 
>>Sent: Thursday, 3 January 2013, 18:25
>>Subject: Re: Testing 1.7.1 on Fedora 18
>> 
>>On Thu 03 Jan 2013 11:47:06 AM EST, p...@talk21.com wrote:
>>> Hi Stephen,
>>> 
>>> After running rb-site install and visiting the website, I get errors
>>> about a couple of directories not being writeable.  The web page
>>> helpfully suggests a couple of "chmod -R" commands.  However on Fedora
>>> the SELinux profile for the httpd process prevents writing regardless
>>> of unix permissions.  I'm not sure if there's anything Fedora can do
>>> to make that easier for users, perhaps it's just something to
>>> document.  The SELinux Troubleshooter correctly indicates how to
>>> work around this issue.
>>> 
>>
>>
>>We can't really make this easier because we don't have advance knowledge of 
>>where you're installing the Review Board site. I *think* what you need to do 
>>is set the following SELinux contexts (with 'chcon -t <context> file' or 
>>'chcon -R -r <context> directory'):
>>
>>1) apache-wsgi.conf needs to be httpd_config_t
>>2) $SITE_DIR/htdocs and $SITE_DIR/data (if using an SQLITE DB) need to be 
>>httpd_sys_content_t
>>
>>What else did the Troubleshooter say? I'm naming those from memory.
>>
>>
>>
>
>

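The denials in this thread fall into two classes: httpd_t writing to a Review Board directory still labelled httpd_sys_content_t (fixed with restorecon), and httpd_t connecting to the memcached port. The script below is an added example, not code from the thread or the Review Board project: it triages AVC lines of that shape and prints the least-privilege fix to try first, flagging anything else for investigation rather than relabelling. The sample input reuses the two denials quoted above plus one constructed denial; the `httpd_can_network_memcache` boolean is assumed to be the standard Fedora one (check with `getsebool`).

```shell
#!/bin/sh
# Triage SELinux AVC denials of the kind seen in this thread and print the
# least-privilege fix to try first. Sample lines below are constructed from the
# thread's denials plus one made-up denial (httpd reading /etc/shadow).

# avc_field LINE KEY: value of KEY=... in LINE, with surrounding quotes removed.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p" \
        | sed -e 's/^"//' -e 's/"$//'
}

# classify_avc: reads audit lines on stdin, prints one triage line per denial.
classify_avc() {
    while IFS= read -r line; do
        case "$line" in *avc:*denied*) ;; *) continue ;; esac
        perm=$(printf '%s\n' "$line" | sed -n 's/.*{ *\([^}]*[^ }]\) *}.*/\1/p')
        stype=$(avc_field "$line" scontext | cut -d: -f3)   # source type, e.g. httpd_t
        ttype=$(avc_field "$line" tcontext | cut -d: -f3)   # target type
        tclass=$(avc_field "$line" tclass)
        case "$tclass/$perm/$ttype" in
            tcp_socket/name_connect/memcache_port_t)
                # Assumed standard Fedora boolean; narrower than editing the policy.
                echo "$stype -> $ttype port $(avc_field "$line" dest): setsebool -P httpd_can_network_memcache on" ;;
            dir/*write*/httpd_sys_content_t|file/*write*/httpd_sys_content_t)
                # Same fix the Troubleshooter gave in the thread; if restorecon leaves
                # the label unchanged, a semanage fcontext rule for the site path is needed.
                echo "$stype -> $ttype $tclass '$(avc_field "$line" name)': restorecon -Rv <path> (expect httpd_sys_rw_content_t)" ;;
            *)
                echo "$stype -> $ttype $tclass ($perm): unexpected, investigate before relabelling" ;;
        esac
    done
}

# Constructed sample: two denials quoted in the thread, one made up.
SAMPLE_AVC='type=AVC msg=audit(1357290519.860:433): avc:  denied  { write } for  pid=1666 comm="httpd" name="data" dev="dm-1" ino=1884 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=AVC msg=audit(1357289094.993:338): avc:  denied  { name_connect } for  pid=1668 comm="httpd" dest=11211 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:memcache_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1357290600.000:500): avc:  denied  { read } for  pid=1666 comm="httpd" name="shadow" dev="dm-1" ino=42 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file'

# triage_sample: run the classifier over the constructed sample.
triage_sample() {
    printf '%s\n' "$SAMPLE_AVC" | classify_avc
}

triage_sample
```

On a live system the same function can be fed with `ausearch -m avc -ts recent` output.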