I am attaching the result of audit2why.txt. This is great stuff, and 
clarifies potential solutions. Phew!

But doing this on the .rpm or on the installer would be way more helpful. 
Users like me have no knowledge of audit2why or audit2allow.

-Tyler

On Thursday, August 21, 2014 5:12:06 PM UTC-4, Matthew Woehlke wrote:
>
> On 2014-08-21 16:53, Tyler Mace wrote: 
> > I'm eager to get started with Review Board, but it's not working out of the 
> > box. I have Fedora 20 installed, with RB 1.7.26 with httpd 2.4.10. 
> > 
> > I can only work ReviewBoard if I turn off selinux, i.e. "setenforce off." 
> > We cannot do this on production. 
>
> This is similar to my setup, which is working, and *does* have SELinux 
> in 'enforcing' mode. It was necessary for me to create some additional 
> rules, however. Unfortunately, while I still have those rules installed, 
> I don't have the files from which they were created, which as I 
> understand are necessary to create them on other systems (or e.g. bundle 
> with the .rpm). If you're willing to help work through these issues in 
> order to get it working on your machine, and then contribute back the 
> necessary files so that the rules can be set up automatically with the 
> .rpm, I'm sure that would be greatly appreciated. 
>
> You might also want to look at the audit2why and audit2allow commands. 
> If you get it working, please don't make the mistake I made and delete 
> the rule input files :-), but contribute them back. 
>
> Stephen Gallagher (who usually reads this list, and is the Fedora 
> packager for RB) may also be able to help out. However he seems to have 
> a somewhat erratic schedule, so don't panic if he doesn't jump in right 
> away. 
>
> -- 
> Matthew 
>

type=AVC msg=audit(1408653306.680:2131): avc:  denied  { name_connect } for  
pid=17402 comm="httpd" dest=11211 scontext=system_u:system_r:httpd_t:s0 
tcontext=system_u:object_r:memcache_port_t:s0 tclass=tcp_socket

        Was caused by:
        One of the following booleans was set incorrectly.
        Description:
        Allow httpd to act as a relay

        Allow access by executing:
        # setsebool -P httpd_can_network_relay 1
        Description:
        Allow httpd to connect to memcache server

        Allow access by executing:
        # setsebool -P httpd_can_network_memcache 1
        Description:
        Allow HTTPD scripts and modules to connect to the network using TCP.

        Allow access by executing:
        # setsebool -P httpd_can_network_connect 1
type=AVC msg=audit(1408653306.803:2132): avc:  denied  { write } for  pid=17402 
comm="httpd" name="data" dev="dm-8" ino=260102 
scontext=system_u:system_r:httpd_t:s0 
tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir

        Was caused by:
        The boolean httpd_unified was set incorrectly. 
        Description:
        Unify HTTPD handling of all content files.

        Allow access by executing:
        # setsebool -P httpd_unified 1
type=AVC msg=audit(1408653306.803:2133): avc:  denied  { write } for  pid=17402 
comm="httpd" name="data" dev="dm-8" ino=260102 
scontext=system_u:system_r:httpd_t:s0 
tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir

        Was caused by:
        The boolean httpd_unified was set incorrectly. 
        Description:
        Unify HTTPD handling of all content files.

        Allow access by executing:
        # setsebool -P httpd_unified 1
type=AVC msg=audit(1408653306.803:2134): avc:  denied  { write } for  pid=17402 
comm="httpd" name="ext" dev="dm-8" ino=260116 
scontext=system_u:system_r:httpd_t:s0 
tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir

        Was caused by:
        The boolean httpd_unified was set incorrectly. 
        Description:
        Unify HTTPD handling of all content files.

        Allow access by executing:
        # setsebool -P httpd_unified 1
type=AVC msg=audit(1408653306.803:2135): avc:  denied  { write } for  pid=17402 
comm="httpd" name="ext" dev="dm-8" ino=260116 
scontext=system_u:system_r:httpd_t:s0 
tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir

        Was caused by:
        The boolean httpd_unified was set incorrectly. 
        Description:
        Unify HTTPD handling of all content files.

        Allow access by executing:
        # setsebool -P httpd_unified 1
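
Added example, not part of the original thread or of Review Board: a short Python script that re-joins the line-wrapped AVC records from an audit2why paste like the attachment above and groups the denials by source type, target type, class and permission, so repeated denials collapse into the distinct access decisions that need review. The function names are illustrative, and the sample is an excerpt of the attachment with most of the explanation text omitted.

```python
import re
from collections import defaultdict

# Excerpt of the audit2why attachment above, wrapped as it appears in the e-mail.
SAMPLE = '''\
type=AVC msg=audit(1408653306.680:2131): avc:  denied  { name_connect } for
pid=17402 comm="httpd" dest=11211 scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:memcache_port_t:s0 tclass=tcp_socket

        Was caused by:
        One of the following booleans was set incorrectly.
type=AVC msg=audit(1408653306.803:2132): avc:  denied  { write } for  pid=17402
comm="httpd" name="data" dev="dm-8" ino=260102
scontext=system_u:system_r:httpd_t:s0
tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=AVC msg=audit(1408653306.803:2134): avc:  denied  { write } for  pid=17402
comm="httpd" name="ext" dev="dm-8" ino=260116
scontext=system_u:system_r:httpd_t:s0
tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
'''

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def records(text):
    """Re-join wrapped AVC records; a blank or indented line ends a record."""
    out, is_open = [], False
    for line in text.splitlines():
        if line.startswith("type="):
            out.append(line.strip())
            is_open = True
        elif is_open and line.strip() and not line[0].isspace():
            out[-1] += " " + line.strip()
        else:
            is_open = False  # audit2why explanation text or a blank line
    return out

def summarize(text):
    """Map (source type, target type, class, perms) -> denied object names."""
    groups = defaultdict(list)
    for rec in records(text):
        if not (m := AVC_RE.search(rec)):
            continue
        f = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
        # An SELinux context is user:role:type:level, so field 2 is the type.
        key = (f["scontext"].split(":")[2], f["tcontext"].split(":")[2],
               f["tclass"], tuple(m.group(1).split()))
        groups[key].append(f.get("name") or f.get("dest"))
    return dict(groups)
```

On the excerpt, `summarize(SAMPLE)` returns two groups: httpd_t connecting to memcache_port_t (port 11211), and httpd_t writing to directories labelled httpd_sys_content_t (data and ext).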
