On 01/04/2013 04:07 AM, p...@talk21.com wrote:
Hi Stephen,

The following AVC denied errors occur:

1) named_connect to port 11211 (memcached)
type=AVC msg=audit(1357289094.993:338): avc:  denied  { name_connect }
for  pid=1668 comm="httpd" dest=11211
tcontext=system_u:object_r:memcache_port_t:s0 tclass=tcp_socket

Reviewboard 1.7.1 by default uses memcached, it seems like the SELinux
profile for httpd doesn't allow TCP connections to port 11211.  This
failure does not prevent reviewboard from working, but is likely to
affect performance.  Should the profile shipped with Fedora be extended
to allow these connections by default?

It's a boolean in the shipped configuration:

setsebool -P httpd_can_network_memcache 1

[Unix permissions]
Reviewboard initially detects that write permission is not available and
returns a web page instructing the user to grant write permission with
these commands:
$ sudo chown -R apache "/var/www/reviewboard/data"
$ sudo chown -R apache "/var/www/reviewboard/htdocs/media/ext"

Once the permissions are changed, SELinux still prevents write access.

The individual permissions have nothing to do with SELinux. As I said in my other email, you need to make sure these files have the right context set (or install the site into /var/www/html, but I don't recommend that).

2) write to ext directory
type=AVC msg=audit(1357289565.991:401): avc:  denied  { write } for
pid=1665 comm="httpd" name="ext" dev="dm-1" ino=1896
tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir

SELinux context is currently:
$ ls -ldZ /var/www/reviewboard/htdocs/media/ext/
drwxrwxr-x. apache pafee unconfined_u:object_r:httpd_sys_content_t:s0

Suggestion from SELinux Troubleshooter fixed this issue:
$ sudo restorecon -v /var/www/reviewboard/htdocs/media/ext
$ ls -ldZ /var/www/reviewboard/htdocs/media/ext/
drwxrwxr-x. apache pafee unconfined_u:object_r:httpd_sys_rw_content_t:s0

I agree it would be difficult for Fedora to predict where a reviewboard
site would be placed.  Would it be possible for "rb-site install" to set
the SELinux security contexts of the files it creates?

I know this is possible from the libsemanage-python package. We could probably rig something up, but it's not going to be a trivial patch. Could you open a bug on the Review Board tracker about this and make sure I'm CCed on it, please? Christian, I'll look into this one since I have a (limited) SELinux background.

It would certainly be nice to have Review Board properly protected by SELinux.
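The two denials quoted in this thread follow a pattern an administrator will meet again (a confined httpd blocked by a port boolean, and a confined httpd blocked by a read-only content label), so here is an added example that is not Review Board code and not Stephen's: a small Python triage script that parses audit.log AVC records and maps each of these two cases to the fix the thread arrived at. The sample log lines are constructed from the records quoted above (re-joined onto one line each, with an unrelated SYSCALL record added to show it is skipped); the `<site>` placeholder in the relabel suggestion stands in for the Review Board site path.

```python
"""Map SELinux AVC denials like the ones in this thread to their fixes.

Added example (not Review Board code): parses audit.log AVC records and
recognises the two httpd denials discussed above, returning the remediation
the thread used for each.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample input: the two denials quoted in the thread, re-joined
# onto one line each as auditd writes them, plus an unrelated SYSCALL record
# that the parser must ignore.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1357289094.993:338): avc:  denied  { name_connect } for  pid=1668 comm="httpd" dest=11211 tcontext=system_u:object_r:memcache_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1357289565.991:401): avc:  denied  { write } for  pid=1665 comm="httpd" name="ext" dev="dm-1" ino=1896 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=SYSCALL msg=audit(1357289565.991:401): arch=c000003e syscall=2 success=no exit=-13
"""

AVC_RE = re.compile(
    r"^type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# File/directory permissions that mean httpd needs a writable content label.
WRITE_PERMS = {"write", "create", "add_name", "remove_name", "unlink", "rename"}


@dataclass
class Denial:
    perms: Set[str]
    comm: str
    tclass: str
    target_type: str  # the type component of tcontext
    fields: Dict[str, str] = field(default_factory=dict)


def context_type(context: str) -> str:
    """Return the type field of a user:role:type:level context string."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else ""


def parse_avc(line: str) -> Optional[Denial]:
    """Parse one audit record; None for anything that is not an AVC denial."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return Denial(
        perms=set(m.group("perms").split()),
        comm=fields.get("comm", ""),
        tclass=fields.get("tclass", ""),
        target_type=context_type(fields.get("tcontext", "")),
        fields=fields,
    )


def remediation(d: Denial) -> Optional[str]:
    """Return the fix the thread used for this denial, or None if unknown."""
    if d.comm != "httpd":
        return None
    # Case 1 from the thread: httpd connecting to memcached (port 11211).
    if (d.tclass == "tcp_socket" and "name_connect" in d.perms
            and d.target_type == "memcache_port_t"):
        return "setsebool -P httpd_can_network_memcache 1"
    # Case 2 from the thread: httpd writing into a directory still labelled as
    # read-only web content. restorecon applies the writable label once a
    # matching file-context rule exists; add one persistently if it does not.
    if (d.tclass in ("dir", "file") and d.perms & WRITE_PERMS
            and d.target_type == "httpd_sys_content_t"):
        name = d.fields.get("name", "<path>")  # AVC records only the basename
        return (f"semanage fcontext -a -t httpd_sys_rw_content_t "
                f"'<site>/{name}(/.*)?' && restorecon -Rv <site>/{name}")
    return None


def triage(audit_log: str) -> List[Tuple[str, Optional[str]]]:
    """Return (summary, remediation) for every AVC denial in the log text."""
    out = []
    for line in audit_log.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        summary = f'{d.comm}: {" ".join(sorted(d.perms))} on {d.tclass} ({d.target_type})'
        out.append((summary, remediation(d)))
    return out


if __name__ == "__main__":
    for summary, fix in triage(SAMPLE_AUDIT_LOG):
        print(summary, "->", fix or "no known fix; check with audit2allow -w")
```

Run it against the real `/var/log/audit/audit.log` contents instead of the sample to get the same two-line triage for a live host; denials it does not recognise are left for `audit2allow -w`, which explains the policy reason rather than generating an allow rule.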
