Re: Testing 1.7.1 on Fedora 18

2013-01-16 Thread Stephen Gallagher
On Wed 16 Jan 2013 08:56:28 AM EST, p...@talk21.com wrote:
> Hi Stephen,
>
> Thanks for working on the reviewboard 1.7 packages for Fedora 18.
>
> Do you have plans for building a reviewboard 1.7 package for the EPEL
> repo?  Currently EPEL contains reviewboard 1.6.15.
>
> http://koji.fedoraproject.org/koji/packageinfo?packageID=9694
> http://dl.fedoraproject.org/pub/epel/6/x86_64/repoview/ReviewBoard.html
>
> It's great to trial the latest and greatest on Fedora, but I'd like to
> use RHEL in production.
>
> Thanks,
> Paul
>
> 
> *From:* "p...@talk21.com" 
> *To:* Stephen Gallagher 
> *Cc:* "chip...@chipx86.com" ; Christian
> Hammond ; "reviewboard@googlegroups.com"
> 
> *Sent:* Tuesday, 8 January 2013, 12:42
> *Subject:* Re: Testing 1.7.1 on Fedora 18
>
> Hi Stephen,
>
> Bug raised as requested.  I didn't see a place to set the CC field
> on the google/reviewboard bug tracker, so here's the URL so you
> can "star" it and get yourself CCed.
>
> http://code.google.com/p/reviewboard/issues/detail?id=2850
>
> Thanks,
> Paul
>

Paul, yes I'm planning to get ReviewBoard 1.7 into EPEL 6 at some 
point. I haven't had the time yet (and there are many dependencies in 
EPEL 6 that need to be built first for it to work). It's on my radar, 
but I wouldn't expect to be able to finish it before the end of 
February at this point, given my $DAYJOB schedule right now.

I'm willing to accept comaintainers in Fedora/EPEL if you would like to 
help :)

The primary issues are:
 * Finish porting Node.js to EPEL 6 (this is the Big One and one that 
I'm working on for multiple projects right now)
 * Patch ReviewBoard so that it builds/runs with Django in a 
non-standard install location, since EPEL 6 has both Django (aka 1.3) 
and Django14 (aka 1.4) packages now, since 1.4 is not 
backwards-compatible.
 * Port any remaining Python dependencies to EPEL

-- 
Want to help the Review Board project? Donate today at 
http://www.reviewboard.org/donate/
Happy user? Let us know at http://www.reviewboard.org/users/
-~--~~~~--~~--~--~---
To unsubscribe from this group, send email to 
reviewboard+unsubscr...@googlegroups.com
For more options, visit this group at 
http://groups.google.com/group/reviewboard?hl=en




Re: Testing 1.7.1 on Fedora 18

2013-01-16 Thread pfee
Hi Stephen,

Thanks for working on the reviewboard 1.7 packages for Fedora 18.


Do you have plans for building a reviewboard 1.7 package for the EPEL repo?  
Currently EPEL contains reviewboard 1.6.15.

http://koji.fedoraproject.org/koji/packageinfo?packageID=9694
http://dl.fedoraproject.org/pub/epel/6/x86_64/repoview/ReviewBoard.html

It's great to trial the latest and greatest on Fedora, but I'd like to use RHEL 
in production.

Thanks,
Paul




>
> From: "p...@talk21.com" 
>To: Stephen Gallagher  
>Cc: "chip...@chipx86.com" ; Christian Hammond 
>; "reviewboard@googlegroups.com" 
> 
>Sent: Tuesday, 8 January 2013, 12:42
>Subject: Re: Testing 1.7.1 on Fedora 18
> 
>
>Hi Stephen,
>
>Bug raised as requested.  I didn't see a place to set the CC field on the 
>google/reviewboard bug tracker, so here's the URL so you can "star" it and get 
>yourself CCed.
>
>http://code.google.com/p/reviewboard/issues/detail?id=2850
>
>Thanks,
>Paul
>
>





Re: Testing 1.7.1 on Fedora 18

2013-01-08 Thread pfee
Hi Stephen,

Bug raised as requested.  I didn't see a place to set the CC field on the 
google/reviewboard bug tracker, so here's the URL so you can "star" it and get 
yourself CCed.

http://code.google.com/p/reviewboard/issues/detail?id=2850

Thanks,
Paul





>
> From: Stephen Gallagher 
>To: p...@talk21.com 
>Cc: "chip...@chipx86.com" ; Christian Hammond 
>; "reviewboard@googlegroups.com" 
> 
>Sent: Monday, 7 January 2013, 19:55
>Subject: Re: Testing 1.7.1 on Fedora 18
> 
>On 01/04/2013 04:07 AM, p...@talk21.com wrote:
>> Hi Stephen,
>>
>> The following AVC denied errors occur:
>>
>> 1) named_connect to port 11211 (memcached)
>> type=AVC msg=audit(1357289094.993:338): avc:  denied  { name_connect }
>> for  pid=1668 comm="httpd" dest=11211
>> scontext=system_u:system_r:httpd_t:s0
>> tcontext=system_u:object_r:memcache_port_t:s0 tclass=tcp_socket
>>
>> Reviewboard 1.7.1 by default uses memcached, it seems like the SELinux
>> profile for httpd doesn't allow TCP connections to port 11211.  This
>> failure does not prevent reviewboard from working, but is likely to
>> affect performance.  Should the profile shipped with Fedora be extended
>> to allow these connections by default?
>>
>
>It's a boolean in the shipped configuration:
>
>setsebool -P httpd_can_network_memcache 1
>
>
>> [Unix permissions]
>> Reviewboard initially detects that write permission is not available and
>> returns a web page instructing the user to grant write permission with
>> these commands:
>> $ sudo chown -R apache "/var/www/reviewboard/data"
>> $ sudo chown -R apache "/var/www/reviewboard/htdocs/media/ext"
>>
>> Once the permissions are changed, SELinux still prevents write access.
>>
>
>The individual permissions have nothing to do with SELinux. As I said in 
>my other email, you need to make sure these files have the right context 
>set (or install the site into /var/www/html, but I don't recommend that).
>
>
>> 2) write to ext directory
>> type=AVC msg=audit(1357289565.991:401): avc:  denied  { write } for
>> pid=1665 comm="httpd" name="ext" dev="dm-1" ino=1896
>> scontext=system_u:system_r:httpd_t:s0
>> tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
>>
>> SELinux context is currently:
>> $ ls -ldZ /var/www/reviewboard/htdocs/media/ext/
>> drwxrwxr-x. apache pafee unconfined_u:object_r:httpd_sys_content_t:s0
>> /var/www/reviewboard/htdocs/media/ext/
>>
>> Suggestion from SELinux Trouble shooter fixed this issue:
>> $ sudo restorecon -v /var/www/reviewboard/htdocs/media/ext
>> $ ls -ldZ /var/www/reviewboard/htdocs/media/ext/
>> drwxrwxr-x. apache pafee unconfined_u:object_r:httpd_sys_rw_content_t:s0
>> /var/www/reviewboard/htdocs/media/ext/
>>
>> I agree it would be difficult for Fedora to predict where a reviewboard
>> site would be placed.  Would it be possible for "rb-site install" to set
>> the SELinux security contexts of the files it creates?
>>
>
>I know this is possible from the libsemanage-python package. We could 
>probably rig something up, but it's not going to be a trivial patch. 
>Could you open a bug on the Review Board tracker about this and make 
>sure I'm CCed on it, please? Christian, I'll look into this one since I 
>have a (limited) SELinux background.
>
>It would certainly be nice to have Review Board properly protected by 
>SELinux.
>
>
>
>





Re: Testing 1.7.1 on Fedora 18

2013-01-07 Thread Stephen Gallagher

On 01/04/2013 04:34 PM, Christian Hammond wrote:

> If we can do anything intelligent in rb-site to handle this, I'll
> happily take a patch for it. It'd have to be conditional on SELinux
> actually being on there, though.



Yeah, the conditional should be easy. libsemanage-python can check 
whether SELinux is supported by the kernel, and as long as it is (even 
if it's in permissive mode) we'll be able to set the permissions.






Re: Testing 1.7.1 on Fedora 18

2013-01-07 Thread Stephen Gallagher

On 01/04/2013 04:30 AM, p...@talk21.com wrote:

> Hi Stephen,
>
> Another SELinux error I missed:
>
> 3) write to data directory
> Occurs when user tries to login.
> type=AVC msg=audit(1357290519.860:433): avc:  denied  { write } for
> pid=1666 comm="httpd" name="data" dev="dm-1" ino=1884
> scontext=system_u:system_r:httpd_t:s0
> tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
>
> As with the ext directory, this was fixed using the suggestion from
> SELinux trouble shooter:
>
> $ ls -ldZ /var/www/reviewboard/data
> drwxrwxr-x. apache pafee unconfined_u:object_r:httpd_sys_content_t:s0
> /var/www/reviewboard/data
> $ sudo restorecon -v /var/www/reviewboard/data/
> restorecon reset /var/www/reviewboard/data context
> unconfined_u:object_r:httpd_sys_content_t:s0->unconfined_u:object_r:httpd_sys_rw_content_t:s0
> $ ls -ldZ /var/www/reviewboard/data
> drwxrwxr-x. apache pafee unconfined_u:object_r:httpd_sys_rw_content_t:s0
> /var/www/reviewboard/data



I think this will be corrected when we add the semanage support to rb-site.



> Fixing the two write denials allows reviewboard to function normally.
>
> Regarding memcached, in addition to the SELinux named_connect
> restriction, the memcached package is not installed.  It's not a
> mandatory dependency of reviewboard, however the rb-site script does
> configure it by default.  Should memcached be required by the F18
> reviewboard package?



This is basically intentional. On Fedora, we don't have the 
Debian/Ubuntu concept of "Recommends:" packages. As a rule, we try to 
install the minimal subset of packages that are needed in order to 
operate. Since ReviewBoard *can* function without memcached installed on 
the local system (it can either connect to a remote memcached server or 
use a local file cache), it's not a hard dependency.


This policy is in place to keep the amount of cruft down on a particular 
system especially if it's being installed somewhere with limited space 
(such as a small VM).


I'm technically already bending this policy by installing the client 
libraries for MySQL, PostgreSQL, SQLite and memcached alongside 
ReviewBoard, but they're all very small and none of those are system 
services that require their own configuration.



> A couple of commands allowed reviewboard to make use of memcached.  This
> was verified by seeing the server cache stats present on the admin
> dashboard.
> $ sudo yum install memcached
> $ sudo systemctl start memcached.service



Yes, this is the proper way to run memcached. Though as I said, it does 
not need to run on the same machine as Review Board. For example, the 
site we're running in the Fedora Infrastructure is connected to an 
external memcached server (shared with multiple other web apps, but on 
dedicated hardware).






Re: Testing 1.7.1 on Fedora 18

2013-01-07 Thread Stephen Gallagher

On 01/04/2013 04:07 AM, p...@talk21.com wrote:

> Hi Stephen,
>
> The following AVC denied errors occur:
>
> 1) named_connect to port 11211 (memcached)
> type=AVC msg=audit(1357289094.993:338): avc:  denied  { name_connect }
> for  pid=1668 comm="httpd" dest=11211
> scontext=system_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:memcache_port_t:s0 tclass=tcp_socket
>
> Reviewboard 1.7.1 by default uses memcached, it seems like the SELinux
> profile for httpd doesn't allow TCP connections to port 11211.  This
> failure does not prevent reviewboard from working, but is likely to
> affect performance.  Should the profile shipped with Fedora be extended
> to allow these connections by default?



It's a boolean in the shipped configuration:

setsebool -P httpd_can_network_memcache 1



> [Unix permissions]
> Reviewboard initially detects that write permission is not available and
> returns a web page instructing the user to grant write permission with
> these commands:
> $ sudo chown -R apache "/var/www/reviewboard/data"
> $ sudo chown -R apache "/var/www/reviewboard/htdocs/media/ext"
>
> Once the permissions are changed, SELinux still prevents write access.



The individual permissions have nothing to do with SELinux. As I said in 
my other email, you need to make sure these files have the right context 
set (or install the site into /var/www/html, but I don't recommend that).




> 2) write to ext directory
> type=AVC msg=audit(1357289565.991:401): avc:  denied  { write } for
> pid=1665 comm="httpd" name="ext" dev="dm-1" ino=1896
> scontext=system_u:system_r:httpd_t:s0
> tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
>
> SELinux context is currently:
> $ ls -ldZ /var/www/reviewboard/htdocs/media/ext/
> drwxrwxr-x. apache pafee unconfined_u:object_r:httpd_sys_content_t:s0
> /var/www/reviewboard/htdocs/media/ext/
>
> Suggestion from SELinux Trouble shooter fixed this issue:
> $ sudo restorecon -v /var/www/reviewboard/htdocs/media/ext
> $ ls -ldZ /var/www/reviewboard/htdocs/media/ext/
> drwxrwxr-x. apache pafee unconfined_u:object_r:httpd_sys_rw_content_t:s0
> /var/www/reviewboard/htdocs/media/ext/
>
> I agree it would be difficult for Fedora to predict where a reviewboard
> site would be placed.  Would it be possible for "rb-site install" to set
> the SELinux security contexts of the files it creates?



I know this is possible from the libsemanage-python package. We could 
probably rig something up, but it's not going to be a trivial patch. 
Could you open a bug on the Review Board tracker about this and make 
sure I'm CCed on it, please? Christian, I'll look into this one since I 
have a (limited) SELinux background.


It would certainly be nice to have Review Board properly protected by 
SELinux.
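
An added example, not part of the thread or of Review Board's code: a Python parser for the AVC records quoted above that maps each denial to the remedy given in the thread (the `httpd_can_network_memcache` boolean, or relabelling to `httpd_sys_rw_content_t`). The names `parse_avc`, `suggest_fix`, `render` and `SITE_WRITABLE_DIRS` are hypothetical, and the `semanage fcontext` step is an assumption added here for site paths the policy does not already label; the thread itself only ran `restorecon`.

```python
import re
import shlex

# The three AVC records quoted in this thread, each joined onto one line.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1357289094.993:338): avc:  denied  { name_connect } '
    'for  pid=1668 comm="httpd" dest=11211 '
    'scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:memcache_port_t:s0 tclass=tcp_socket',
    'type=AVC msg=audit(1357289565.991:401): avc:  denied  { write } for  '
    'pid=1665 comm="httpd" name="ext" dev="dm-1" ino=1896 '
    'scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir',
    'type=AVC msg=audit(1357290519.860:433): avc:  denied  { write } for  '
    'pid=1666 comm="httpd" name="data" dev="dm-1" ino=1884 '
    'scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir',
]

# Directories the thread says Review Board must write to (paths from the thread).
SITE_WRITABLE_DIRS = [
    "/var/www/reviewboard/data",
    "/var/www/reviewboard/htdocs/media/ext",
]

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of the record's fields, or None if it is not a denial."""
    match = AVC_RE.search(line)
    if match is None:
        return None
    avc = {k: v.strip('"') for k, v in FIELD_RE.findall(match.group("rest"))}
    avc["perms"] = match.group("perms").split()
    # A context is user:role:type:level; the level may itself contain colons.
    for key, out in (("scontext", "stype"), ("tcontext", "ttype")):
        parts = avc.get(key, "").split(":", 3)
        avc[out] = parts[2] if len(parts) >= 3 else None
    return avc


def suggest_fix(avc, writable_dirs=SITE_WRITABLE_DIRS):
    """Map a denial seen in the thread to the remedy given there.

    Returns a list of argv lists. An empty list means the denial is not one
    of the known cases and needs review by hand; no allow rule is generated.
    """
    if avc is None or avc.get("stype") != "httpd_t":
        return []
    perms, tclass, ttype = avc["perms"], avc.get("tclass"), avc.get("ttype")
    if (tclass, ttype) == ("tcp_socket", "memcache_port_t") and "name_connect" in perms:
        # Remedy from the thread: a boolean shipped with the policy.
        return [["setsebool", "-P", "httpd_can_network_memcache", "1"]]
    if (tclass, ttype) == ("dir", "httpd_sys_content_t") and "write" in perms:
        # The record carries only the basename, so match it against the
        # directories the site is known to need write access to.
        fixes = []
        for path in writable_dirs:
            path = path.rstrip("/")
            if path.rsplit("/", 1)[-1] == avc.get("name"):
                # Assumption: record the label in policy so restorecon keeps it.
                fixes.append(["semanage", "fcontext", "-a", "-t",
                              "httpd_sys_rw_content_t", path + "(/.*)?"])
                fixes.append(["restorecon", "-Rv", path])
        return fixes
    return []


def render(fixes):
    """Quote each argv list so it can be reviewed and pasted into a shell."""
    return [" ".join(shlex.quote(arg) for arg in argv) for argv in fixes]


if __name__ == "__main__":
    for line in SAMPLE_AVCS:
        avc = parse_avc(line)
        print(avc["perms"], avc["ttype"], avc.get("name") or avc.get("dest"))
        for command in render(suggest_fix(avc)):
            print("   ", command)
```

The commands are only printed, never executed, so the output can be reviewed before anything is run as root.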






Re: Testing 1.7.1 on Fedora 18

2013-01-04 Thread Christian Hammond
If we can do anything intelligent in rb-site to handle this, I'll happily
take a patch for it. It'd have to be conditional on SELinux actually being
on there, though.

Christian

-- 
Christian Hammond - chip...@chipx86.com
Review Board - http://www.reviewboard.org
VMware, Inc. - http://www.vmware.com


On Fri, Jan 4, 2013 at 1:07 AM,  wrote:

> Hi Stephen,
>
> The following AVC denied errors occur:
>
> 1) named_connect to port 11211 (memcached)
> type=AVC msg=audit(1357289094.993:338): avc:  denied  { name_connect }
> for  pid=1668 comm="httpd" dest=11211 scontext=system_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:memcache_port_t:s0 tclass=tcp_socket
>
> Reviewboard 1.7.1 by default uses memcached, it seems like the SELinux
> profile for httpd doesn't allow TCP connections to port 11211.  This
> failure does not prevent reviewboard from working, but is likely to affect
> performance.  Should the profile shipped with Fedora be extended to allow
> these connections by default?
>
> [Unix permissions]
> Reviewboard initially detects that write permission is not available and
> returns a web page instructing the user to grant write permission with
> these commands:
> $ sudo chown -R apache "/var/www/reviewboard/data"
> $ sudo chown -R apache "/var/www/reviewboard/htdocs/media/ext"
>
> Once the permissions are changed, SELinux still prevents write access.
>
> 2) write to ext directory
> type=AVC msg=audit(1357289565.991:401): avc:  denied  { write } for
> pid=1665 comm="httpd" name="ext" dev="dm-1" ino=1896
> scontext=system_u:system_r:httpd_t:s0
> tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
>
> SELinux context is currently:
> $ ls -ldZ /var/www/reviewboard/htdocs/media/ext/
> drwxrwxr-x. apache pafee unconfined_u:object_r:httpd_sys_content_t:s0
> /var/www/reviewboard/htdocs/media/ext/
>
> Suggestion from SELinux Trouble shooter fixed this issue:
> $ sudo restorecon -v /var/www/reviewboard/htdocs/media/ext
> $ ls -ldZ /var/www/reviewboard/htdocs/media/ext/
> drwxrwxr-x. apache pafee unconfined_u:object_r:httpd_sys_rw_content_t:s0
> /var/www/reviewboard/htdocs/media/ext/
>
> I agree it would be difficult for Fedora to predict where a reviewboard
> site would be placed.  Would it be possible for "rb-site install" to set
> the SELinux security contexts of the files it creates?
>
> Thanks,
> Paul
>
>   --
> *From:* Stephen Gallagher 
> *To:* p...@talk21.com
> *Cc:* "chip...@chipx86.com" ; Christian Hammond <
> chip...@gmail.com>; "reviewboard@googlegroups.com" <
> reviewboard@googlegroups.com>
> *Sent:* Thursday, 3 January 2013, 18:25
>
> *Subject:* Re: Testing 1.7.1 on Fedora 18
>
> On Thu 03 Jan 2013 11:47:06 AM EST, p...@talk21.com wrote:
> > Hi Stephen,
> >
> > After running rb-site install and visiting the website, I get errors
> > about a couple of directories not being writeable.  The web page
> > helpfully suggests a couple of "chmod -R" commands.  However on Fedora
> > the SELinux profile for the httpd process prevents writing regardless
> > of unix permissions.  I'm not sure if there's anything Fedora can do
> > to make that easier for users, perhaps it's just something to
> > document.  The SELinux Troubleshooter correctly indicates how to
> > workaround this issue.
> >
>
>
> We can't really make this easier because we don't have advance knowledge
> of where you're installing the Review Board site. I *think* what you need
> to do is set the following SELinux contexts (with 'chcon -t  file'
> or 'chcon -R -r  directory'):
>
> 1) apache-wsgi.conf needs to be httpd_config_t
> 2) $SITE_DIR/htdocs and $SITE_DIR/data (if using an SQLITE DB) need to be
> httpd_sys_content_t
>
> What else did the Troubleshooter say? I'm naming those from memory.
>
>
>
>
>





Re: Testing 1.7.1 on Fedora 18

2013-01-04 Thread Matthew Woehlke

On 2013-01-04 04:07, p...@talk21.com wrote:

> Hi Stephen,
>
> The following AVC denied errors occur:


You know... just FYI, now that you mention it, I remember I had to tweak 
SELinux on my system... Specifically, I had to allow access to 
postgresql, git and LDAP. (Probably need to do likewise for the 
appropriate database backend, as well as any VCS or authentication 
method in use; those are just the ones I'm using.)


--
Matthew





Re: Testing 1.7.1 on Fedora 18

2013-01-04 Thread pfee
Hi Stephen,

Another SELinux error I missed:


3) write to data directory
Occurs when user tries to login.
type=AVC msg=audit(1357290519.860:433): avc:  denied  { write } for  pid=1666 
comm="httpd" name="data" dev="dm-1" ino=1884 
scontext=system_u:system_r:httpd_t:s0 
tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir


As with the ext directory, this was fixed using the suggestion from SELinux 
trouble shooter:

$ ls -ldZ /var/www/reviewboard/data
drwxrwxr-x. apache pafee unconfined_u:object_r:httpd_sys_content_t:s0 
/var/www/reviewboard/data
$ sudo restorecon -v /var/www/reviewboard/data/
restorecon reset /var/www/reviewboard/data context 
unconfined_u:object_r:httpd_sys_content_t:s0->unconfined_u:object_r:httpd_sys_rw_content_t:s0
$ ls -ldZ /var/www/reviewboard/data
drwxrwxr-x. apache pafee unconfined_u:object_r:httpd_sys_rw_content_t:s0 
/var/www/reviewboard/data


Fixing the two write denials allows reviewboard to function normally.

Regarding memcached, in addition to the SELinux named_connect restriction, the 
memcached package is not installed.  It's not a mandatory dependency of 
reviewboard, however the rb-site script does configure it by default.  Should 
memcached be required by the F18 reviewboard package?

A couple of commands allowed reviewboard to make use of memcached.  This was 
verified by seeing the server cache stats present on the admin dashboard.

$ sudo yum install memcached
$ sudo systemctl start memcached.service


Thanks,
Paul




>
> From: "p...@talk21.com" 
>To: Stephen Gallagher  
>Cc: "chip...@chipx86.com" ; Christian Hammond 
>; "reviewboard@googlegroups.com" 
> 
>Sent: Friday, 4 January 2013, 9:07
>Subject: Re: Testing 1.7.1 on Fedora 18
> 
>
>Hi Stephen,
>
>The following AVC denied errors occur:
>
>1) named_connect to port 11211 (memcached)
>type=AVC msg=audit(1357289094.993:338): avc:  denied  { name_connect } for  
>pid=1668 comm="httpd" dest=11211 scontext=system_u:system_r:httpd_t:s0 
>tcontext=system_u:object_r:memcache_port_t:s0 tclass=tcp_socket
>
>Reviewboard 1.7.1 by default uses memcached, it seems like the SELinux profile 
>for httpd doesn't allow TCP connections to port 11211.  This failure does not 
>prevent reviewboard from working, but is likely to affect performance.  Should 
>the profile shipped with Fedora be extended to allow these connections by 
>default?
>
>
>
>[Unix permissions]
>Reviewboard initially detects that write permission is not available and 
>returns a web page instructing the user to grant write permission with these 
>commands:
>$ sudo chown -R apache "/var/www/reviewboard/data"
>$ sudo chown -R apache "/var/www/reviewboard/htdocs/media/ext"
>
>
>
>Once the permissions are changed, SELinux still prevents write access.
>
>
>
>2) write to ext directory
>type=AVC msg=audit(1357289565.991:401): avc:  denied  { write } for  pid=1665 
>comm="httpd" name="ext" dev="dm-1" ino=1896 
>scontext=system_u:system_r:httpd_t:s0 
>tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
>
>
>
>SELinux context is currently:
>
>$ ls -ldZ /var/www/reviewboard/htdocs/media/ext/
>drwxrwxr-x. apache pafee unconfined_u:object_r:httpd_sys_content_t:s0 
>/var/www/reviewboard/htdocs/media/ext/
>
>
>
>Suggestion from SELinux Trouble shooter fixed this issue:
>$ sudo restorecon -v /var/www/reviewboard/htdocs/media/ext
>$ ls -ldZ /var/www/reviewboard/htdocs/media/ext/
>drwxrwxr-x. apache pafee unconfined_u:object_r:httpd_sys_rw_content_t:s0 
>/var/www/reviewboard/htdocs/media/ext/
>
>
>
>I agree it would be difficult for Fedora to predict where a reviewboard site 
>would be placed.  Would it be possible for "rb-site install" to set the 
>SELinux security contexts of the files it creates?
>
>
>Thanks,
>Paul
>
>
>
>
>>
>> From: Stephen Gallagher 
>>To: p...@talk21.com 
>>Cc: "chip...@chipx86.com" ; Christian Hammond 
>>; "reviewboard@googlegroups.com" 
>> 
>>Sent: Thursday, 3 January 2013, 18:25
>>Subject: Re: Testing 1.7.1 on Fedora 18
>> 
>>On Thu 03 Jan 2013 11:47:06 AM EST, p...@talk21.com wrote:
>>> Hi Stephen,
>>> 
>>> After running rb-site install and visiting the website, I get errors
>>> about a couple of directories not being writeable.  The web page
>>> helpfully suggests a couple of "chmod -R" commands.  However on Fedora
>>> the SELinux profile for the httpd process prevents writing regardless
>>> of unix permissions.  I'm not sure if there'

Re: Testing 1.7.1 on Fedora 18

2013-01-04 Thread pfee
Hi Stephen,

The following AVC denied errors occur:

1) named_connect to port 11211 (memcached)
type=AVC msg=audit(1357289094.993:338): avc:  denied  { name_connect } for  
pid=1668 comm="httpd" dest=11211 scontext=system_u:system_r:httpd_t:s0 
tcontext=system_u:object_r:memcache_port_t:s0 tclass=tcp_socket

Reviewboard 1.7.1 by default uses memcached, it seems like the SELinux profile 
for httpd doesn't allow TCP connections to port 11211.  This failure does not 
prevent reviewboard from working, but is likely to affect performance.  Should 
the profile shipped with Fedora be extended to allow these connections by 
default?


[Unix permissions]
Reviewboard initially detects that write permission is not available and 
returns a web page instructing the user to grant write permission with these 
commands:
$ sudo chown -R apache "/var/www/reviewboard/data"
$ sudo chown -R apache "/var/www/reviewboard/htdocs/media/ext"


Once the permissions are changed, SELinux still prevents write access.


2) write to ext directory
type=AVC msg=audit(1357289565.991:401): avc:  denied  { write } for  pid=1665 
comm="httpd" name="ext" dev="dm-1" ino=1896 
scontext=system_u:system_r:httpd_t:s0 
tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir


SELinux context is currently:

$ ls -ldZ /var/www/reviewboard/htdocs/media/ext/
drwxrwxr-x. apache pafee unconfined_u:object_r:httpd_sys_content_t:s0 
/var/www/reviewboard/htdocs/media/ext/


Suggestion from SELinux Trouble shooter fixed this issue:
$ sudo restorecon -v /var/www/reviewboard/htdocs/media/ext
$ ls -ldZ /var/www/reviewboard/htdocs/media/ext/
drwxrwxr-x. apache pafee unconfined_u:object_r:httpd_sys_rw_content_t:s0 
/var/www/reviewboard/htdocs/media/ext/


I agree it would be difficult for Fedora to predict where a reviewboard site 
would be placed.  Would it be possible for "rb-site install" to set the SELinux 
security contexts of the files it creates?

Thanks,
Paul




>
> From: Stephen Gallagher 
>To: p...@talk21.com 
>Cc: "chip...@chipx86.com" ; Christian Hammond 
>; "reviewboard@googlegroups.com" 
> 
>Sent: Thursday, 3 January 2013, 18:25
>Subject: Re: Testing 1.7.1 on Fedora 18
> 
>On Thu 03 Jan 2013 11:47:06 AM EST, p...@talk21.com wrote:
>> Hi Stephen,
>> 
>> After running rb-site install and visiting the website, I get errors
>> about a couple of directories not being writeable.  The web page
>> helpfully suggests a couple of "chmod -R" commands.  However on Fedora
>> the SELinux profile for the httpd process prevents writing regardless
>> of unix permissions.  I'm not sure if there's anything Fedora can do
>> to make that easier for users, perhaps it's just something to
>> document.  The SELinux Troubleshooter correctly indicates how to
>> workaround this issue.
>> 
>
>
>We can't really make this easier because we don't have advance knowledge of 
>where you're installing the Review Board site. I *think* what you need to do 
>is set the following SELinux contexts (with 'chcon -t  file' or 
>'chcon -R -r  directory'):
>
>1) apache-wsgi.conf needs to be httpd_config_t
>2) $SITE_DIR/htdocs and $SITE_DIR/data (if using an SQLITE DB) need to be 
>httpd_sys_content_t
>
>What else did the Troubleshooter say? I'm naming those from memory.
>
>
>





Re: Testing 1.7.1 on Fedora 18

2013-01-04 Thread pfee
Bug created as requested: 
http://code.google.com/p/reviewboard/issues/detail?id=2846


Thanks,
Paul




>
> From: Christian Hammond 
>To: p...@talk21.com 
>Cc: "reviewboard@googlegroups.com" ; Stephen 
>Gallagher  
>Sent: Friday, 4 January 2013, 0:27
>Subject: Re: Testing 1.7.1 on Fedora 18
> 
>
>Hi,
>
>
>
>
>On Thu, Jan 3, 2013 at 8:47 AM,  wrote:
>
>>Hi Stephen,
>>
>>
>>After running rb-site install and visiting the website, I get errors about a 
>>couple of directories not being writeable.  The web page helpfully suggests a 
>>couple of "chmod -R" commands.  However on Fedora the SELinux profile for the 
>>httpd process prevents writing regardless of unix permissions.  I'm not sure 
>>if there's anything Fedora can do to make that easier for users, perhaps it's 
>>just something to document.  The SELinux Troubleshooter correctly indicates 
>>how to workaround this issue.
>>
>>
>>Hi Christian,
>>
>>With my test site up and running, I had a brief look around.  Here are a few 
>>issues I noticed on the admin pages:
>>
>>
>>On the Admin dashboard, System Information section on left hand side
>>1) Both "Review Emails" and "Email TLS Authentication" are hyperlinks to the 
>>same page.  Should they be different links or would one link be 
>>sufficient?
>
>
>Yeah, they're just all quick ways of jumping to the setting for the page. The 
>sidebar is meant to be a quick at-a-glance of certain setting values, and 
>clicking on them takes you to the page containing that setting. There's going 
>to be some overlap.
>
>
> 
>>2) "Indexed Search" links to "/admin/settings/general", which is the same as 
>>the "General" link at the system settings section.  Perhaps this is influenced 
>>by my install not having PyLucene.  Should "Indexed Search" link to a 
>>different page?
>>
>
>
>Nope, same as above.
>
>
> 
>>3) General Settings admin page mentions "PyLucene (with JCC) is required to 
>>enable search. See the documentation for instructions.".  The documentation 
>>link points to 
>>http://www.reviewboard.org/docs/manual/dev/admin/sites/enabling-search/ 
>>however that serves up a 404 Not Found page.
>
>
>I'll make sure to fix the link for the next release.
>
>
> 
>>4) Review Board Activity: Clicking on the four toggle buttons (Reviews, 
>>Comments, Review Requests, Changes) affects how much data is plotted.  The 
>>graph goes from four datasets down to one.  Deactivating the last toggle greys 
>>out the last button, but doesn't remove the last dataset from the graph 
>>(tested on Firefox 17, Fedora 17).
>
>
>Would you mind filing a bug on this one? I'll see what we can do about it. 
>Hoping to get some unit tests in place for these widgets in time.
>
>
>Thanks!
>
>
>Christian
>
>
>-- 
>Christian Hammond - chip...@chipx86.com
>Review Board - http://www.reviewboard.org
>VMware, Inc. - http://www.vmware.com
>
>
>
>





Re: Testing 1.7.1 on Fedora 18

2013-01-03 Thread Christian Hammond
Hi,


On Thu, Jan 3, 2013 at 8:47 AM,  wrote:

> Hi Stephen,
>
> After running rb-site install and visiting the website, I get errors about
> a couple of directories not being writeable.  The web page helpfully
> suggests a couple of "chmod -R" commands.  However on Fedora the SELinux
> profile for the httpd process prevents writing regardless of unix
> permissions.  I'm not sure if there's anything Fedora can do to make that
> easier for users, perhaps it's just something to document.  The SELinux
> Troubleshooter correctly indicates how to workaround this issue.
>
> Hi Christian,
> With my test site up and running, I had a brief look around.  Here are a
> few issues I noticed on the admin pages:
>
> On the Admin dashboard, System Information section on left hand side
> 1) Both "Review Emails" and "Email TLS Authentication" are hyperlinks to
> the same page.  Should they be different links or would one link be
> sufficient?
>

Yeah, they're just all quick ways of jumping to the setting for the page.
The sidebar is meant to be a quick at-a-glance of certain setting values,
and clicking on them takes you to the page containing that setting. There's
going to be some overlap.



> 2) "Indexed Search" links to "/admin/settings/general", which is the same
> as the "General" link at the system settings section.  Perhaps this is
> influenced by my install not having PyLucene.  Should "Indexed Search" link
> to a different page?
>

Nope, same as above.



>  3) General Settings admin page mentions "PyLucene (with JCC) is required
> to enable search. See the documentation for instructions.".  The
> documentation link points to
> http://www.reviewboard.org/docs/manual/dev/admin/sites/enabling-search/
> however that serves up a 404 Not Found page.
>

I'll make sure to fix the link for the next release.



> 4) Review Board Activity: Clicking on the four toggle buttons (Reviews,
> Comments, Review Requests, Changes) affects how much data is plotted.  The
> graph goes from four datasets down to one.  Deactivating the last toggle
> greys out the last button, but doesn't remove the last dataset from the
> graph (tested on Firefox 17, Fedora 17).
>

Would you mind filing a bug on this one? I'll see what we can do about it.
Hoping to get some unit tests in place for these widgets in time.

Thanks!

Christian

-- 
Christian Hammond - chip...@chipx86.com
Review Board - http://www.reviewboard.org
VMware, Inc. - http://www.vmware.com





Re: Testing 1.7.1 on Fedora 18

2013-01-03 Thread Stephen Gallagher

On Thu 03 Jan 2013 11:47:06 AM EST, p...@talk21.com wrote:

> Hi Stephen,
>
> After running rb-site install and visiting the website, I get errors
> about a couple of directories not being writeable.  The web page
> helpfully suggests a couple of "chmod -R" commands.  However on Fedora
> the SELinux profile for the httpd process prevents writing regardless
> of unix permissions.  I'm not sure if there's anything Fedora can do
> to make that easier for users, perhaps it's just something to
> document.  The SELinux Troubleshooter correctly indicates how to
> work around this issue.




We can't really make this easier because we don't have advance 
knowledge of where you're installing the Review Board site. I *think* 
what you need to do is set the following SELinux contexts (with 'chcon 
-t  file' or 'chcon -R -r  directory'):


1) apache-wsgi.conf needs to be httpd_config_t
2) $SITE_DIR/htdocs and $SITE_DIR/data (if using an SQLITE DB) need to 
be httpd_sys_content_t


What else did the Troubleshooter say? I'm naming those from memory.
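
A read-only check of the labels discussed in this message, as an added example that is not part of the original post or of Review Board. The types for apache-wsgi.conf and htdocs are the ones named above; giving data a type httpd may write to (httpd_sys_rw_content_t), the function names, and the sample lines are assumptions of this example.

```sh
#!/bin/sh
# Added example: audit SELinux types on a Review Board site directory.
# Input on stdin is the output of:  stat -c '%C %n' PATH...

# Assumption of this example: data/ gets a type httpd may write to.
RW_TYPE=${RW_TYPE:-httpd_sys_rw_content_t}

# Print the type field of a context (user:role:type:level).
# cut -f3 still works when the level itself contains colons (s0:c0.c1023).
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Print the type expected for path $2 under site directory $1,
# or nothing when the path is outside what this audit covers.
expected_type() {
    case "$2" in
        */apache-wsgi.conf)        echo httpd_config_t ;;
        "$1"/data|"$1"/data/*)     echo "$RW_TYPE" ;;
        "$1"/htdocs|"$1"/htdocs/*) echo httpd_sys_content_t ;;
    esac
}

# Print one MISMATCH line per wrongly labelled path; return 1 if any.
audit_labels() {
    site=$1
    bad=0
    while read -r ctx path; do
        want=$(expected_type "$site" "$path")
        [ -n "$want" ] || continue
        have=$(selinux_type "$ctx")
        if [ "$have" != "$want" ]; then
            echo "MISMATCH $path have=$have want=$want"
            bad=1
        fi
    done
    return "$bad"
}

# Constructed sample input, not captured from a real host.
SAMPLE='unconfined_u:object_r:httpd_config_t:s0 /var/www/reviewboard/conf/apache-wsgi.conf
unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/reviewboard/htdocs
unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/reviewboard/data
system_u:object_r:httpd_sys_rw_content_t:s0:c0.c1023 /var/www/reviewboard/data/reviewboard.db'

printf '%s\n' "$SAMPLE" | audit_labels /var/www/reviewboard || echo "relabel needed"
```

On a live host, a mismatch is fixed persistently with `semanage fcontext -a -t TYPE 'PATH(/.*)?'` followed by `restorecon -R PATH`; labels set with `chcon` alone are lost on a filesystem relabel.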





Testing 1.7.1 on Fedora 18

2013-01-03 Thread pfee
Hi Stephen,

After running rb-site install and visiting the website, I get errors about a 
couple of directories not being writeable.  The web page helpfully suggests a 
couple of "chmod -R" commands.  However on Fedora the SELinux profile for the 
httpd process prevents writing regardless of unix permissions.  I'm not sure if 
there's anything Fedora can do to make that easier for users, perhaps it's just 
something to document.  The SELinux Troubleshooter correctly indicates how to 
work around this issue.

Hi Christian,

With my test site up and running, I had a brief look around.  Here are a few 
issues I noticed on the admin pages:

On the Admin dashboard, System Information section on left hand side
1) Both "Review Emails" and "Email TLS Authentication" are hyperlinks to the 
same page.  Should they be different links or would one link be 
sufficient?
2) "Indexed Search" links to "/admin/settings/general", which is the same as 
the "General" link at the system settings section.  Perhaps this is influenced 
by my install not having PyLucene.  Should "Indexed Search" link to a different 
page?

3) General Settings admin page mentions "PyLucene (with JCC) is required to 
enable search. See the documentation for instructions.".  The documentation 
link points to 
http://www.reviewboard.org/docs/manual/dev/admin/sites/enabling-search/ however 
that serves up a 404 Not Found page.
4) Review Board Activity: Clicking on the four toggle buttons (Reviews, 
Comments, Review Requests, Changes) affects how much data is plotted.  The 
graph goes from four datasets down to one.  Deactivating the last toggle greys 
out the last button, but doesn't remove the last dataset from the graph (tested 
on Firefox 17, Fedora 17).

Hope that feedback's useful,
Paul




>
> From: Christian Hammond 
>To: "reviewboard@googlegroups.com"  
>Cc: "reviewboard@googlegroups.com" ; pfee 
>; "chip...@chipx86.com"  
>Sent: Friday, 21 December 2012, 21:24
>Subject: Re: Review Board 1.7.1 released
> 
>
>Hmm, first time anybody has reported this, and that line has been there for 
>years. I'll make sure to fix it, but it'll only affect new installs.
>
>
>Christian
>
>
>On Dec 21, 2012, at 5:37, pfee  wrote:
>
>
>Hi Christian,
>>
>>I think my next issue is with ReviewBoard rather than Fedora.
>>
>>The Apache configuration generated by rb-site includes this line:
>>Options -Indexes FollowSymLinks
>>
>>This mixes options starting with +/- with those without a prefix.  The 
>>documentation for httpd 2.2 warns this can lead to unexpected results 
>>(https://httpd.apache.org/docs/2.2/mod/core.html#options).  However httpd 2.4 
>>is stricter, causing the server to abort 
>>(https://httpd.apache.org/docs/2.4/mod/core.html#options).
>>
>>Fedora 18 uses Apache httpd 2.4.3, hence the httpd config generated by 
>>rb-site will not work.  I adjusted the line as follows, though I'm not sure 
>>if that's appropriate.
>>Options -Indexes +FollowSymLinks
>>
>>Thanks,
>>Paul
>>
>>On Friday, 21 December 2012 13:14:48 UTC, pfee  wrote:
>>Hi Stephen,
>>>
>>>Installing python-docutils got past those popup errors, only to reveal 
>>>similar errors about the lack of "markdown".
>>>
>>>Installing python-markdown fixed this second set of popup errors. rb-site 
>>>now proceeds to create the DB tables and then runs successfully to 
>>>completion.
>>>
>>>Hence that's two dependencies you need, python-docutils and python-markdown.
>>>
>>>Thanks for your help,
>>>Paul
>>>
>>>On Friday, 21 December 2012 12:49:11 UTC, Stephen Gallagher  wrote:
>>>On 12/21/2012 06:18 AM, pfee wrote: 
> Hi Stephen and Christian, 
> 
> Excellent - thanks for your work. 
> 
> I tried this out on F18 beta, yum install worked without issue.  I then 
> issued "rb-site install /var/www/reviewboard". 
> 
> I had adjusted unix permissions so that rb-site could create 
> /var/www/reviewboard. 
> I had set up mysql authorisation, such that the mysql user had all 
> privileges within the "reviewboard" database. 
> 
> However I get a couple of popup dialogs: 
> 1) Unable to execute the manager command 
> evolve: No module named docutils.core 
> 
> 2) Unable to execute the manager command 
> registerscmtools: No module named docutils.core 
> 

This one is a packaging issue. I forgot to add a dependency on 
python-docutils. I'll fix that up in the next version. In the meantime, 
if you 'yum install python-docutils' you should be able to get past this. 




> Probably more importantly, I get this error on the console 
> django.db.utils.DatabaseError: (1146, "Table 'reviewboard.auth_user' 
> doesn't exist") 
> 
> It looks as though rb-site is connecting to mysql, but is not creating 
> any tables. 
> 
> Is "yum install ReviewBoard", followed by "rb-site install" the correct 
> procedure?  Is there a Django step such as "manage.py sync