If we can do anything intelligent in rb-site to handle this, I'll happily take a patch for it. It'd have to be conditional on SELinux actually being on there, though.
Christian

--
Christian Hammond - chip...@chipx86.com
Review Board - http://www.reviewboard.org
VMware, Inc. - http://www.vmware.com

On Fri, Jan 4, 2013 at 1:07 AM, <p...@talk21.com> wrote:

> Hi Stephen,
>
> The following AVC denied errors occur:
>
> 1) name_connect to port 11211 (memcached)
> type=AVC msg=audit(1357289094.993:338): avc: denied { name_connect } for pid=1668 comm="httpd" dest=11211 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:memcache_port_t:s0 tclass=tcp_socket
>
> Reviewboard 1.7.1 by default uses memcached, it seems like the SELinux
> profile for httpd doesn't allow TCP connections to port 11211. This
> failure does not prevent reviewboard from working, but is likely to affect
> performance. Should the profile shipped with Fedora be extended to allow
> these connections by default?
>
> [Unix permissions]
> Reviewboard initially detects that write permission is not available and
> returns a web page instructing the user to grant write permission with
> these commands:
> $ sudo chown -R apache "/var/www/reviewboard/data"
> $ sudo chown -R apache "/var/www/reviewboard/htdocs/media/ext"
>
> Once the permissions are changed, SELinux still prevents write access.
>
> 2) write to ext directory
> type=AVC msg=audit(1357289565.991:401): avc: denied { write } for pid=1665 comm="httpd" name="ext" dev="dm-1" ino=1896 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
>
> SELinux context is currently:
> $ ls -ldZ /var/www/reviewboard/htdocs/media/ext/
> drwxrwxr-x. apache pafee unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/reviewboard/htdocs/media/ext/
>
> Suggestion from SELinux Troubleshooter fixed this issue:
> $ sudo restorecon -v /var/www/reviewboard/htdocs/media/ext
> $ ls -ldZ /var/www/reviewboard/htdocs/media/ext/
> drwxrwxr-x. apache pafee unconfined_u:object_r:httpd_sys_rw_content_t:s0 /var/www/reviewboard/htdocs/media/ext/
>
> I agree it would be difficult for Fedora to predict where a reviewboard
> site would be placed. Would it be possible for "rb-site install" to set
> the SELinux security contexts of the files it creates?
>
> Thanks,
> Paul
>
> ------------------------------
> *From:* Stephen Gallagher <step...@gallagherhome.com>
> *To:* p...@talk21.com
> *Cc:* "chip...@chipx86.com" <chip...@chipx86.com>; Christian Hammond <chip...@gmail.com>; "reviewboard@googlegroups.com" <reviewboard@googlegroups.com>
> *Sent:* Thursday, 3 January 2013, 18:25
> *Subject:* Re: Testing 1.7.1 on Fedora 18
>
> On Thu 03 Jan 2013 11:47:06 AM EST, p...@talk21.com wrote:
> > Hi Stephen,
> >
> > After running rb-site install and visiting the website, I get errors
> > about a couple of directories not being writeable. The web page
> > helpfully suggests a couple of "chmod -R" commands. However on Fedora
> > the SELinux profile for the httpd process prevents writing regardless
> > of unix permissions. I'm not sure if there's anything Fedora can do
> > to make that easier for users, perhaps it's just something to
> > document. The SELinux Troubleshooter correctly indicates how to
> > work around this issue.
> >
>
> We can't really make this easier because we don't have advance knowledge
> of where you're installing the Review Board site. I *think* what you need
> to do is set the following SELinux contexts (with 'chcon -t <context> file'
> or 'chcon -R -r <context> directory'):
>
> 1) apache-wsgi.conf needs to be httpd_config_t
> 2) $SITE_DIR/htdocs and $SITE_DIR/data (if using an SQLITE DB) need to be
> httpd_sys_content_t
>
> What else did the Troubleshooter say? I'm naming those from memory.
>
> --
> Want to help the Review Board project? Donate today at
> http://www.reviewboard.org/donate/
> Happy user? Let us know at http://www.reviewboard.org/users/
> -~----------~----~----~----~------~----~------~--~---
> To unsubscribe from this group, send email to
> reviewboard+unsubscr...@googlegroups.com
> For more options, visit this group at
> http://groups.google.com/group/reviewboard?hl=en
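
As an added illustration that is not part of the original thread and is not Review Board or rb-site code, the following Python helper maps the two AVC denials quoted above to the commands that address them, and plans nothing when SELinux is not active. `parse_avc`, `selinux_enabled` and `plan_fixes` are hypothetical names; using the `httpd_can_network_memcache` boolean and a `semanage fcontext` rule for `httpd_sys_rw_content_t` is this example's assumption about the remedy, and the commands are only returned, never executed.

```python
import os
import re

# The two AVC records quoted in this thread, reproduced as sample input.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1357289094.993:338): avc: denied { name_connect } '
    'for pid=1668 comm="httpd" dest=11211 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:memcache_port_t:s0 tclass=tcp_socket',
    'type=AVC msg=audit(1357289565.991:401): avc: denied { write } for '
    'pid=1665 comm="httpd" name="ext" dev="dm-1" ino=1896 '
    'scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir',
]

def parse_avc(line):
    """Extract denied permissions and source/target types from one AVC record."""
    denied = re.search(r'avc:\s+denied\s+\{([^}]*)\}', line)
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
    if not denied or 'scontext' not in fields or 'tcontext' not in fields:
        return None
    return {'perms': denied.group(1).split(),
            'source': fields['scontext'].split(':')[2],
            'target': fields['tcontext'].split(':')[2]}

def selinux_enabled(selinuxfs='/sys/fs/selinux'):
    """Assumption: SELinux is active when selinuxfs exposes an 'enforce' node."""
    return os.path.exists(os.path.join(selinuxfs, 'enforce'))

def plan_fixes(avc_lines, site_dir, selinuxfs='/sys/fs/selinux'):
    """Return argv lists for httpd_t denials; nothing when SELinux is off."""
    cmds = []
    if not selinux_enabled(selinuxfs):
        return cmds
    for avc in filter(None, map(parse_avc, avc_lines)):
        new = []
        if avc['source'] != 'httpd_t':
            continue
        if avc['target'] == 'memcache_port_t' and 'name_connect' in avc['perms']:
            new.append(['setsebool', '-P', 'httpd_can_network_memcache', 'on'])
        elif avc['target'] == 'httpd_sys_content_t' and 'write' in avc['perms']:
            for sub in ('data', 'htdocs/media/ext'):  # dirs named in the thread
                path = os.path.join(site_dir, sub)
                new.append(['semanage', 'fcontext', '-a', '-t',
                            'httpd_sys_rw_content_t', path + '(/.*)?'])
                new.append(['restorecon', '-R', '-v', path])
        cmds.extend(c for c in new if c not in cmds)
    return cmds
```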