On 08/22/2014 09:07 AM, Cian Mc Govern wrote:
> On 22 August 2014 13:50, Stephen Gallagher <step...@gallagherhome.com> wrote:
> 
>     On 08/22/2014 07:04 AM, Cian Mc Govern wrote:
>     >
>     >     To the professionals who work with Review Board
>     >
>     >     I'm eager to get started with Review Board, but it's not
>     >     working out of the box. I have Fedora 20 installed, with RB
>     >     1.7.26 with httpd 2.4.10.
>     >
>     >     I can only work ReviewBoard if I turn off selinux, i.e.
>     >     "setenforce off." We cannot do this on production.
>     >
>     >     Here are the audit logs associated with accessing review
>     >     board. Note there's more than just httpd in this mix, but also
>     >     memcached. What access rights am I missing?
>     >
>     >     type=AVC msg=audit(1408653306.680:2131): avc:  denied  {
>     >     name_connect } for  pid=17402 comm="httpd" dest=11211
>     >     scontext=system_u:system_r:httpd_t:s0
>     >     tcontext=system_u:object_r:memcache_port_t:s0 tclass=tcp_socket
>     >     type=SYSCALL msg=audit(1408653306.680:2131): arch=c000003e
>     >     syscall=42 success=no exit=-13 a0=e a1=7fffbe2e0db0 a2=10
>     >     a3=7f80d17c79c8 items=0 ppid=17356 pid=17402 auid=4294967295
>     >     uid=1152 gid=100 euid=1152 suid=1152 fsuid=1152 egid=100 sgid=100
>     >     fsgid=100 tty=(none) ses=4294967295 comm="httpd"
>     >     exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
>     >     type=PROCTITLE msg=audit(1408653306.680:2131):
>     >     proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
>     >     type=AVC msg=audit(1408653306.803:2132): avc:  denied  { write }
>     >     for  pid=17402 comm="httpd" name="data" dev="dm-8" ino=260102
>     >     scontext=system_u:system_r:httpd_t:s0
>     >     tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
>     >     type=SYSCALL msg=audit(1408653306.803:2132): arch=c000003e
>     >     syscall=21 success=no exit=-13 a0=7f80d63eb990 a1=2
>     >     a2=7f80c6223f88
>     >     a3=0 items=0 ppid=17356 pid=17402 auid=4294967295 uid=1152 gid=100
>     >     euid=1152 suid=1152 fsuid=1152 egid=100 sgid=100 fsgid=100
>     >     tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd"
>     >     subj=system_u:system_r:httpd_t:s0 key=(null)
>     >     type=PROCTITLE msg=audit(1408653306.803:2132):
>     >     proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
>     >     type=AVC msg=audit(1408653306.803:2133): avc:  denied  { write }
>     >     for  pid=17402 comm="httpd" name="data" dev="dm-8" ino=260102
>     >     scontext=system_u:system_r:httpd_t:s0
>     >     tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
>     >     type=SYSCALL msg=audit(1408653306.803:2133): arch=c000003e
>     >     syscall=21 success=no exit=-13 a0=7f80d65442c0 a1=2
>     >     a2=7f80c6223f88
>     >     a3=0 items=0 ppid=17356 pid=17402 auid=4294967295 uid=1152 gid=100
>     >     euid=1152 suid=1152 fsuid=1152 egid=100 sgid=100 fsgid=100
>     >     tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd"
>     >     subj=system_u:system_r:httpd_t:s0 key=(null)
>     >     type=PROCTITLE msg=audit(1408653306.803:2133):
>     >     proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
>     >     type=AVC msg=audit(1408653306.803:2134): avc:  denied  { write }
>     >     for  pid=17402 comm="httpd" name="ext" dev="dm-8" ino=260116
>     >     scontext=system_u:system_r:httpd_t:s0
>     >     tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
>     >     type=SYSCALL msg=audit(1408653306.803:2134): arch=c000003e
>     >     syscall=21 success=no exit=-13 a0=7f80d5c39120 a1=2
>     >     a2=7f80c6223f88
>     >     a3=0 items=0 ppid=17356 pid=17402 auid=4294967295 uid=1152 gid=100
>     >     euid=1152 suid=1152 fsuid=1152 egid=100 sgid=100 fsgid=100
>     >     tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd"
>     >     subj=system_u:system_r:httpd_t:s0 key=(null)
>     >     type=PROCTITLE msg=audit(1408653306.803:2134):
>     >     proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
>     >     type=AVC msg=audit(1408653306.803:2135): avc:  denied  { write }
>     >     for  pid=17402 comm="httpd" name="ext" dev="dm-8" ino=260116
>     >     scontext=system_u:system_r:httpd_t:s0
>     >     tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
>     >     type=SYSCALL msg=audit(1408653306.803:2135): arch=c000003e
>     >     syscall=21 success=no exit=-13 a0=7f80d5c39120 a1=2
>     >     a2=7f80c6223f88
>     >     a3=0 items=0 ppid=17356 pid=17402 auid=4294967295 uid=1152 gid=100
>     >     euid=1152 suid=1152 fsuid=1152 egid=100 sgid=100 fsgid=100
>     >     tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd"
>     >     subj=system_u:system_r:httpd_t:s0 key=(null)
>     >     type=PROCTITLE msg=audit(1408653306.803:2135):
>     >     proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
>     >
>     >     --
>     >     Get the Review Board Power Pack at
>     http://www.reviewboard.org/powerpack/
>     >     ---
>     >     Sign up for Review Board hosting at RBCommons:
>     https://rbcommons.com/
>     >     ---
>     >     Happy user? Let us know at http://www.reviewboard.org/users/
>     >     ---
>     >     You received this message because you are subscribed to the Google
>     >     Groups "reviewboard" group.
>     >     To unsubscribe from this group and stop receiving emails from it,
>     >     send an email to reviewboard+unsubscr...@googlegroups.com
>     <mailto:reviewboard%2bunsubscr...@googlegroups.com>
>     >     <mailto:reviewboard+unsubscr...@googlegroups.com
>     <mailto:reviewboard%2bunsubscr...@googlegroups.com>>.
>     >     For more options, visit https://groups.google.com/d/optout.
>     >
>     >
>     > Here's a couple of selinux changes I had to make to run ReviewBoard
>     > on a Fedora system with selinux enabled:
>     >
>     > "setsebool -P httpd_can_network_connect 1" -> This will fix the denial
>     > "name_connect" in your audit logs which is preventing httpd from
>     > communicating with memcached.
>     >
>     > I had to allow httpd to write to certain ReviewBoard directories so I
>     > needed to change the selinux context for those directories:
>     >
>     > "chcon -t httpd_sys_rw_content_t /var/www/reviewboard/data/"
>     > "chcon -t httpd_sys_rw_content_t /var/www/reviewboard/htdocs/media/ext"
>     > "chcon -t httpd_sys_rw_content_t /var/www/reviewboard/htdocs/static/ext"
>     >
>     > Also, for email notification to work, I needed to run the following to
>     > allow httpd to send emails:
>     >
>     > "setsebool -P httpd_can_sendmail on"
>     >
> 
>     Just the context for those directories, or the recursive set?
> 
> 
> 
> Just those in my case. I also needed to run 'restorecon -rv' on the
> '/var/www/reviewboard' directory to ensure that the correct contexts
> were set for httpd read access.
> 


Ah, I wasn't paying enough attention. I didn't notice that you had
actually installed the site into /var/www (I usually use
/srv/reviewboard). So the /var/www will probably end up with the right
contexts on restorecon, whereas other locations won't (without
additional help).


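The triage the thread does by eye, as an added example that is not code from any participant or from Review Board: it parses the AVC denials quoted above, collapses repeats, and attaches the fix named in the replies. The function names are hypothetical, and the mapping covers only the two denial types seen in this thread.

```python
import re
from collections import Counter

# Audit records 2131-2134 copied from the log quoted in the thread (unwrapped).
THREAD_LOG = """\
type=AVC msg=audit(1408653306.680:2131): avc:  denied  { name_connect } for  pid=17402 comm="httpd" dest=11211 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:memcache_port_t:s0 tclass=tcp_socket
type=PROCTITLE msg=audit(1408653306.680:2131): proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
type=AVC msg=audit(1408653306.803:2132): avc:  denied  { write } for  pid=17402 comm="httpd" name="data" dev="dm-8" ino=260102 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=AVC msg=audit(1408653306.803:2133): avc:  denied  { write } for  pid=17402 comm="httpd" name="data" dev="dm-8" ino=260102 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=AVC msg=audit(1408653306.803:2134): avc:  denied  { write } for  pid=17402 comm="httpd" name="ext" dev="dm-8" ino=260116 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    f = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    if not all(k in f for k in ("scontext", "tcontext", "tclass")):
        return None  # truncated or mail-wrapped record
    f["perms"] = tuple(m.group(1).split())
    # A context is user:role:type:level; the type is what policy rules match on.
    f["stype"], f["ttype"] = (f[c].split(":")[2] for c in ("scontext", "tcontext"))
    return f

def suggest(avc):
    """Fix named in the thread for this denial; None means read the policy."""
    if avc["stype"] != "httpd_t":
        return None
    if avc["perms"] == ("name_connect",) and avc["tclass"] == "tcp_socket":
        return "setsebool -P httpd_can_network_connect 1"
    if "write" in avc["perms"] and avc["ttype"] == "httpd_sys_content_t":
        return "chcon -t httpd_sys_rw_content_t <dir with inode %s>" % avc.get("ino", "?")
    return None

def triage(log_text):
    """Collapse repeated denials into [(count, summary, suggestion)]."""
    seen, fixes = Counter(), {}
    for avc in filter(None, map(parse_avc, log_text.splitlines())):
        obj = avc.get("name") or "port " + avc.get("dest", "?")
        key = "%s %s on %s (%s)" % (avc["stype"], ",".join(avc["perms"]), obj, avc["ttype"])
        seen[key] += 1
        fixes[key] = suggest(avc)
    return [(n, key, fixes[key]) for key, n in seen.items()]

if __name__ == "__main__":
    for count, summary, fix in triage(THREAD_LOG):
        print("%dx %s\n    -> %s" % (count, summary, fix))
```

An AVC record carries only the leaf name and inode of the directory, so resolve the full path first (for example `find <site root> -xdev -inum 260102`) before relabeling. A label set with `chcon` is not recorded in the policy's file-context rules; `semanage fcontext -a -t httpd_sys_rw_content_t '<dir>(/.*)?'` followed by `restorecon -Rv <dir>` is the persistent form, and the same mechanism gives a site outside /var/www its labels.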