On 2013-06-25 12:27, Stephen Gallagher wrote:
On 06/25/2013 12:24 PM, Matthew Woehlke wrote:
On 2013-06-25 07:48, Stephen Gallagher wrote:
Yeah, my TODO list includes working up some SELinux rules for
ReviewBoard and getting rb-site to be capable of setting them up during
installation. It's a pretty big task and low on my priority list right
now, unfortunately.

Heh. I'm running with SELinux enabled. I can probably dig up the
relevant *compiled* rules if those are of any use. I think I deleted the
'source' files for them, however. (Yeah, bad decision in retrospect, but
haven't gotten around to trying to recreate them.)

I don't think there are actually very many (maybe four, but at least one
is git specific; probably need additional rules for other VCS's).

If you can figure out what they are, it would be a great start for me.

I don't necessarily just need exception rules, though. We may want to
introduce new SELinux types for rules so we keep things constrained.
(Though since basically everything runs inside apache/mod_wsgi, we're
probably going to end up mostly using apache rules).

By memory and file names... I had to grant httpd (don't recall if that was a user, process, context, ...) access to specific sockets for git, LDAP and postgres. (Unfortunately, all of those are to some degree specific to my setup, e.g. someone else might need none of those, but instead need to grant access to MySQL and SVN.)

I can send you .pp files, but I'm not sure if those are useful to other than a running system, or even on another release of Fedora (I'm on 18, currently).


Want to help the Review Board project? Donate today at 
Happy user? Let us know at http://www.reviewboard.org/users/
To unsubscribe from this group, send email to 
For more options, visit this group at 
--- You received this message because you are subscribed to the Google Groups "reviewboard" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to reviewboard+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

Reply via email to