Hi Stephen,

Another SELinux error I missed:

3) write to data directory
Occurs when user tries to log in.
type=AVC msg=audit(1357290519.860:433): avc: denied { write } for pid=1666 comm="httpd" name="data" dev="dm-1" ino=1884 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir

As with the ext directory, this was fixed using the suggestion from SELinux trouble shooter:
$ ls -ldZ /var/www/reviewboard/data
drwxrwxr-x. apache pafee unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/reviewboard/data
$ sudo restorecon -v /var/www/reviewboard/data/
restorecon reset /var/www/reviewboard/data context unconfined_u:object_r:httpd_sys_content_t:s0->unconfined_u:object_r:httpd_sys_rw_content_t:s0
$ ls -ldZ /var/www/reviewboard/data
drwxrwxr-x. apache pafee unconfined_u:object_r:httpd_sys_rw_content_t:s0 /var/www/reviewboard/data

Fixing the two write denials allows reviewboard to function normally.

Regarding memcached, in addition to the SELinux named_connect restriction, the memcached package is not installed. It's not a mandatory dependency of reviewboard, however the rb-site script does configure it by default. Should memcached be required by the F18 reviewboard package?

A couple of commands allowed reviewboard to make use of memcached. This was verified by seeing the server cache stats present on the admin dashboard.
$ sudo yum install memcached
$ sudo systemctl start memcached.service

Thanks,
Paul

>________________________________
> From: "p...@talk21.com" <p...@talk21.com>
>To: Stephen Gallagher <step...@gallagherhome.com>
>Cc: "chip...@chipx86.com" <chip...@chipx86.com>; Christian Hammond
><chip...@gmail.com>; "reviewboard@googlegroups.com"
><reviewboard@googlegroups.com>
>Sent: Friday, 4 January 2013, 9:07
>Subject: Re: Testing 1.7.1 on Fedora 18
>
>Hi Stephen,
>
>The following AVC denied errors occur:
>
>1) named_connect to port 11211 (memcached)
>type=AVC msg=audit(1357289094.993:338): avc: denied { name_connect } for pid=1668 comm="httpd" dest=11211 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:memcache_port_t:s0 tclass=tcp_socket
>
>Reviewboard 1.7.1 by default uses memcached, it seems like the SELinux profile
>for httpd doesn't allow TCP connections to port 11211. This failure does not
>prevent reviewboard from working, but is likely to affect performance. Should
>the profile shipped with Fedora be extended to allow these connections by
>default?
>
>[Unix permissions]
>Reviewboard initially detects that write permission is not available and
>returns a web page instructing the user to grant write permission with these
>commands:
>$ sudo chown -R apache "/var/www/reviewboard/data"
>$ sudo chown -R apache "/var/www/reviewboard/htdocs/media/ext"
>
>Once the permissions are changed, SELinux still prevents write access.
>
>2) write to ext directory
>type=AVC msg=audit(1357289565.991:401): avc: denied { write } for pid=1665 comm="httpd" name="ext" dev="dm-1" ino=1896 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
>
>SELinux context is currently:
>
>$ ls -ldZ /var/www/reviewboard/htdocs/media/ext/
>drwxrwxr-x. apache pafee unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/reviewboard/htdocs/media/ext/
>
>Suggestion from SELinux Trouble shooter fixed this issue:
>$ sudo restorecon -v /var/www/reviewboard/htdocs/media/ext
>$ ls -ldZ /var/www/reviewboard/htdocs/media/ext/
>drwxrwxr-x. apache pafee unconfined_u:object_r:httpd_sys_rw_content_t:s0 /var/www/reviewboard/htdocs/media/ext/
>
>I agree it would be difficult for Fedora to predict where a reviewboard site
>would be placed. Would it be possible for "rb-site install" to set the
>SELinux security contexts of the files it creates?
>
>Thanks,
>Paul
>
>>________________________________
>> From: Stephen Gallagher <step...@gallagherhome.com>
>>To: p...@talk21.com
>>Cc: "chip...@chipx86.com" <chip...@chipx86.com>; Christian Hammond
>><chip...@gmail.com>; "reviewboard@googlegroups.com"
>><reviewboard@googlegroups.com>
>>Sent: Thursday, 3 January 2013, 18:25
>>Subject: Re: Testing 1.7.1 on Fedora 18
>>
>>On Thu 03 Jan 2013 11:47:06 AM EST, p...@talk21.com wrote:
>>> Hi Stephen,
>>>
>>> After running rb-site install and visiting the website, I get errors
>>> about a couple of directories not being writeable. The web page
>>> helpfully suggests a couple of "chmod -R" commands. However on Fedora
>>> the SELinux profile for the httpd process prevents writing regardless
>>> of unix permissions. I'm not sure if there's anything Fedora can do
>>> to make that easier for users, perhaps it's just something to
>>> document. The SELinux Troubleshooter correctly indicates how to
>>> work around this issue.
>>>
>>
>>We can't really make this easier because we don't have advance knowledge of
>>where you're installing the Review Board site. I *think* what you need to do
>>is set the following SELinux contexts (with 'chcon -t <context> file' or
>>'chcon -R -r <context> directory'):
>>
>>1) apache-wsgi.conf needs to be httpd_config_t
>>2) $SITE_DIR/htdocs and $SITE_DIR/data (if using an SQLITE DB) need to be
>>httpd_sys_content_t
>>
>>What else did the Troubleshooter say? I'm naming those from memory.
>>
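
Added example (not part of the thread, and not Review Board or Fedora code): a small Python triage of the three AVC records quoted above, separating the two labeling denials that were fixed by relabeling from the memcached port denial, which relabeling cannot affect. The function names and category strings are assumptions made for this example.

```python
import re

# The three AVC records quoted in the thread above.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1357289094.993:338): avc: denied { name_connect } for pid=1668 comm="httpd" dest=11211 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:memcache_port_t:s0 tclass=tcp_socket',
    'type=AVC msg=audit(1357289565.991:401): avc: denied { write } for pid=1665 comm="httpd" name="ext" dev="dm-1" ino=1896 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir',
    'type=AVC msg=audit(1357290519.860:433): avc: denied { write } for pid=1666 comm="httpd" name="data" dev="dm-1" ino=1884 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir',
]

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the denial's fields as a dict, or None if it is not an AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, value in FIELD_RE.findall(m.group("rest")):
        rec[key] = value.strip('"')
    # A context is user:role:type:level; type enforcement decides on the type.
    for side in ("scontext", "tcontext"):
        rec[side + "_type"] = rec[side].split(":")[2] if side in rec else None
    return rec


def triage(rec):
    """Sort a parsed denial by the kind of fix it calls for (labels are this example's)."""
    if rec is None:
        return "not-avc"
    perms, tclass = rec["perms"], rec.get("tclass")
    # httpd_t writing to read-only web content: the target's label is the issue,
    # as with data/ and ext/, which ended up as httpd_sys_rw_content_t.
    if (tclass in ("dir", "file") and "write" in perms
            and rec["tcontext_type"] == "httpd_sys_content_t"):
        return "relabel-target"
    # Outbound connect to a labelled port: relabeling files cannot help;
    # this needs an allow rule or boolean in the httpd policy.
    if tclass == "tcp_socket" and "name_connect" in perms:
        return "policy-change"
    return "manual-review"


if __name__ == "__main__":
    for line in SAMPLE_AVCS:
        rec = parse_avc(line)
        print(rec.get("name") or rec.get("dest"), "->", triage(rec))
```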