Hi Stephen,

Bug raised as requested.  I didn't see a place to set the CC field on the 
google/reviewboard bug tracker, so here's the URL so you can "star" it and get 
yourself CCed.

http://code.google.com/p/reviewboard/issues/detail?id=2850

Thanks,
Paul





>________________________________
> From: Stephen Gallagher <step...@gallagherhome.com>
>To: p...@talk21.com 
>Cc: "chip...@chipx86.com" <chip...@chipx86.com>; Christian Hammond 
><chip...@gmail.com>; "reviewboard@googlegroups.com" 
><reviewboard@googlegroups.com> 
>Sent: Monday, 7 January 2013, 19:55
>Subject: Re: Testing 1.7.1 on Fedora 18
> 
>On 01/04/2013 04:07 AM, p...@talk21.com wrote:
>> Hi Stephen,
>>
>> The following AVC denied errors occur:
>>
>> 1) name_connect to port 11211 (memcached)
>> type=AVC msg=audit(1357289094.993:338): avc:  denied  { name_connect }
>> for  pid=1668 comm="httpd" dest=11211
>> scontext=system_u:system_r:httpd_t:s0
>> tcontext=system_u:object_r:memcache_port_t:s0 tclass=tcp_socket
>>
>> Reviewboard 1.7.1 by default uses memcached; it seems like the SELinux
>> profile for httpd doesn't allow TCP connections to port 11211.  This
>> failure does not prevent reviewboard from working, but is likely to
>> affect performance.  Should the profile shipped with Fedora be extended
>> to allow these connections by default?
>>
>
>It's a boolean in the shipped configuration:
>
>setsebool -P httpd_can_network_memcache 1
>
>
>> [Unix permissions]
>> Reviewboard initially detects that write permission is not available and
>> returns a web page instructing the user to grant write permission with
>> these commands:
>> $ sudo chown -R apache "/var/www/reviewboard/data"
>> $ sudo chown -R apache "/var/www/reviewboard/htdocs/media/ext"
>>
>> Once the permissions are changed, SELinux still prevents write access.
>>
>
>The individual permissions have nothing to do with SELinux. As I said in 
>my other email, you need to make sure these files have the right context 
>set (or install the site into /var/www/html, but I don't recommend that).
>
>
>> 2) write to ext directory
>> type=AVC msg=audit(1357289565.991:401): avc:  denied  { write } for
>> pid=1665 comm="httpd" name="ext" dev="dm-1" ino=1896
>> scontext=system_u:system_r:httpd_t:s0
>> tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
>>
>> SELinux context is currently:
>> $ ls -ldZ /var/www/reviewboard/htdocs/media/ext/
>> drwxrwxr-x. apache pafee unconfined_u:object_r:httpd_sys_content_t:s0
>> /var/www/reviewboard/htdocs/media/ext/
>>
>> Suggestion from SELinux Troubleshooter fixed this issue:
>> $ sudo restorecon -v /var/www/reviewboard/htdocs/media/ext
>> $ ls -ldZ /var/www/reviewboard/htdocs/media/ext/
>> drwxrwxr-x. apache pafee unconfined_u:object_r:httpd_sys_rw_content_t:s0
>> /var/www/reviewboard/htdocs/media/ext/
>>
>> I agree it would be difficult for Fedora to predict where a reviewboard
>> site would be placed.  Would it be possible for "rb-site install" to set
>> the SELinux security contexts of the files it creates?
>>
>
>I know this is possible from the libsemanage-python package. We could 
>probably rig something up, but it's not going to be a trivial patch. 
>Could you open a bug on the Review Board tracker about this and make 
>sure I'm CCed on it, please? Christian, I'll look into this one since I 
>have a (limited) SELinux background.
>
>It would certainly be nice to have Review Board properly protected by 
>SELinux.
>
>
>
>
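
Added example, not part of the original thread and not Review Board code: a small Python triage script that parses the two AVC denials quoted above (re-joined onto single lines) and maps each to the remedy discussed, the `httpd_can_network_memcache` boolean or an `httpd_sys_rw_content_t` label. The `semanage fcontext` rule is an assumption about how the label would be made persistent; the thread itself only mentions `restorecon`.

```python
import re

# The two denials quoted in the thread, re-joined onto single lines.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1357289094.993:338): avc:  denied  { name_connect } for  pid=1668 comm="httpd" dest=11211 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:memcache_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1357289565.991:401): avc:  denied  { write } for pid=1665 comm="httpd" name="ext" dev="dm-1" ino=1896 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
"""
# Directories the thread says Review Board must be able to write to.
SITE_DIRS = ["/var/www/reviewboard/data", "/var/www/reviewboard/htdocs/media/ext"]

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None for other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["perms"] = m.group("perms").split()
    # A context is user:role:type:level; policy decisions hinge on the type.
    for side in ("scontext", "tcontext"):
        parts = rec.get(side, "").split(":")
        rec[side[0] + "type"] = parts[2] if len(parts) >= 3 else None
    return rec

def suggest(rec, site_dirs):
    """Map a denial for httpd_t onto the remedies discussed in the thread."""
    if rec is None or rec.get("stype") != "httpd_t":
        return None
    tclass, ttype, perms = rec.get("tclass"), rec.get("ttype"), rec["perms"]
    if tclass == "tcp_socket" and ttype == "memcache_port_t" and "name_connect" in perms:
        return ["setsebool -P httpd_can_network_memcache 1"]
    if tclass in ("dir", "file") and ttype == "httpd_sys_content_t" and "write" in perms:
        # The record carries only the leaf name, so match it against known dirs.
        cmds = []
        for d in site_dirs:
            if d.rstrip("/").rsplit("/", 1)[-1] == rec.get("name"):
                # Assumption: persist the label with a local fcontext rule.
                cmds.append(f"semanage fcontext -a -t httpd_sys_rw_content_t '{d}(/.*)?'")
                cmds.append(f"restorecon -Rv '{d}'")
        return cmds
    return None  # anything else needs a human to read the denial

if __name__ == "__main__":
    for line in SAMPLE_AUDIT.splitlines():
        print(suggest(parse_avc(line), SITE_DIRS))
```

Denials that match neither pattern return `None` rather than a guessed fix, so they are left for manual review instead of being waved through.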
