On Mon, Oct 10, 2016 at 6:57 PM, Josh Berkus <j...@agliodbs.com> wrote:
> On 10/10/2016 03:36 AM, Magnus Hagander wrote: > > > > > > On Mon, Oct 10, 2016 at 2:26 AM, Josh Berkus <j...@agliodbs.com > > <mailto:j...@agliodbs.com>> wrote: > > > > On 10/09/2016 04:36 PM, Josh Berkus wrote: > > > I'll confirm here that the Web version doesn't work either from the > > > Fedora packages. In the case of the web version, this appears to > be > > > because of confusion between Python2 and Python3 dependencies. > > > > Leaving out the SQLite bug (see other thread), here's the issues with > > the Fedora24 packages: > > > > 1. if the user intends to use pgadmin4-web with httpd, then the user > > needs to install httpd and python3-mod_wsgi packages (or mod_wsgi on > > CentOS and RHEL). > > > > 2. the packages need to create the directory > /usr/share/httpd/.pgadmin, > > and add the SELinux label so that apache can write to it: > > > chcon -R -t httpd_sys_rw_content_t /usr/share/httpd/.pgadmin > > > > The latter is going to be hard to do if you want the pgadmin4 app to > > continue to be independant of httpd (for example, to allow install > with > > nginx). > > > > > > Wouldn't it be better to make it put the files somewhere under > > /var/lib/pgadmin? Seems like a more reasonable location for server-side > > pgadmin. And upstream might want to make that "easily modifiable by > > packagers" so it can be adapter to whatever distro it's being packaged > > on? Surely it's wrong to store metadata file in /usr/share... > > .pgadmin dir is getting written to $WEBHOME, which is why it's in > /usr/share/httpd on Fedora. On debian it's presumably in /srv/www/. > Eh, that's definitely not the place on Debian :) That said, it still seems like the wrong place to put the file. I realize why it ends up there. I'm saying it shouldn't be there. /usr/ is supposed to be read-only. > And you'd need the SELinux perms even if it was in /var/lib/, because of > the nologin status of the Apache user. > > Yes, but /var/lib is supposed to be for persistant data modified by programs. That's a reasonable location for it, and thus it's reasonable to unlock it with selinux policy. -- Magnus Hagander Me: http://www.hagander.net/ Work: http://www.redpill-linpro.com/
