On 08/22/2014 09:07 AM, Cian Mc Govern wrote:
> On 22 August 2014 13:50, Stephen Gallagher <[email protected]> wrote:
>
> > On 08/22/2014 07:04 AM, Cian Mc Govern wrote:
> >
> > > > To the professionals who work with Review Board
> > > >
> > > > I'm eager to get started with Review Board, but it's not working out
> > > > of the box. I have Fedora 20 installed, with RB 1.7.26 with httpd
> > > > 2.4.10.
> > > >
> > > > I can only work ReviewBoard if I turn off selinux, i.e. "setenforce
> > > > off." We cannot do this on production.
> > > >
> > > > Here are the audit logs associated with accessing review board. Note
> > > > there's more than just httpd in this mix, but also memcached. What
> > > > access rights am I missing?
> > > >
> > > > type=AVC msg=audit(1408653306.680:2131): avc: denied { name_connect } for pid=17402 comm="httpd" dest=11211 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:memcache_port_t:s0 tclass=tcp_socket
> > > > type=SYSCALL msg=audit(1408653306.680:2131): arch=c000003e syscall=42 success=no exit=-13 a0=e a1=7fffbe2e0db0 a2=10 a3=7f80d17c79c8 items=0 ppid=17356 pid=17402 auid=4294967295 uid=1152 gid=100 euid=1152 suid=1152 fsuid=1152 egid=100 sgid=100 fsgid=100 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
> > > > type=PROCTITLE msg=audit(1408653306.680:2131): proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
> > > > type=AVC msg=audit(1408653306.803:2132): avc: denied { write } for pid=17402 comm="httpd" name="data" dev="dm-8" ino=260102 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
> > > > type=SYSCALL msg=audit(1408653306.803:2132): arch=c000003e syscall=21 success=no exit=-13 a0=7f80d63eb990 a1=2 a2=7f80c6223f88 a3=0 items=0 ppid=17356 pid=17402 auid=4294967295 uid=1152 gid=100 euid=1152 suid=1152 fsuid=1152 egid=100 sgid=100 fsgid=100 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
> > > > type=PROCTITLE msg=audit(1408653306.803:2132): proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
> > > > type=AVC msg=audit(1408653306.803:2133): avc: denied { write } for pid=17402 comm="httpd" name="data" dev="dm-8" ino=260102 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
> > > > type=SYSCALL msg=audit(1408653306.803:2133): arch=c000003e syscall=21 success=no exit=-13 a0=7f80d65442c0 a1=2 a2=7f80c6223f88 a3=0 items=0 ppid=17356 pid=17402 auid=4294967295 uid=1152 gid=100 euid=1152 suid=1152 fsuid=1152 egid=100 sgid=100 fsgid=100 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
> > > > type=PROCTITLE msg=audit(1408653306.803:2133): proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
> > > > type=AVC msg=audit(1408653306.803:2134): avc: denied { write } for pid=17402 comm="httpd" name="ext" dev="dm-8" ino=260116 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
> > > > type=SYSCALL msg=audit(1408653306.803:2134): arch=c000003e syscall=21 success=no exit=-13 a0=7f80d5c39120 a1=2 a2=7f80c6223f88 a3=0 items=0 ppid=17356 pid=17402 auid=4294967295 uid=1152 gid=100 euid=1152 suid=1152 fsuid=1152 egid=100 sgid=100 fsgid=100 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
> > > > type=PROCTITLE msg=audit(1408653306.803:2134): proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
> > > > type=AVC msg=audit(1408653306.803:2135): avc: denied { write } for pid=17402 comm="httpd" name="ext" dev="dm-8" ino=260116 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
> > > > type=SYSCALL msg=audit(1408653306.803:2135): arch=c000003e syscall=21 success=no exit=-13 a0=7f80d5c39120 a1=2 a2=7f80c6223f88 a3=0 items=0 ppid=17356 pid=17402 auid=4294967295 uid=1152 gid=100 euid=1152 suid=1152 fsuid=1152 egid=100 sgid=100 fsgid=100 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
> > > > type=PROCTITLE msg=audit(1408653306.803:2135): proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
> > > >
> > > > --
> > > > Get the Review Board Power Pack at http://www.reviewboard.org/powerpack/
> > > > ---
> > > > Sign up for Review Board hosting at RBCommons: https://rbcommons.com/
> > > > ---
> > > > Happy user? Let us know at http://www.reviewboard.org/users/
> > > > ---
> > > > You received this message because you are subscribed to the Google
> > > > Groups "reviewboard" group.
> > > > To unsubscribe from this group and stop receiving emails from it,
> > > > send an email to [email protected].
> > > > For more options, visit https://groups.google.com/d/optout.
> > >
> > > Here's a couple of selinux changes I had to make to run ReviewBoard on a
> > > Fedora system with selinux enabled:
> > >
> > > "setsebool -P httpd_can_network_connect 1" -> This will fix the denial
> > > "name_connect" in your audit logs which is preventing httpd from
> > > communicating with memcached.
> > >
> > > I had to allow httpd to write to certain ReviewBoard directories so I
> > > needed to change the selinux context for those directories:
> > >
> > > "chcon -t httpd_sys_rw_content_t /var/www/reviewboard/data/"
> > > "chcon -t httpd_sys_rw_content_t /var/www/reviewboard/htdocs/media/ext"
> > > "chcon -t httpd_sys_rw_content_t /var/www/reviewboard/htdocs/static/ext"
> > >
> > > Also, for email notification to work, I needed to run the following to
> > > allow httpd to send emails:
> > >
> > > "setsebool -P httpd_can_sendmail on"
> >
> > Just the context for those directories, or the recursive set?
>
> Just those in my case. I also needed to run 'restorecon -rv' on the
> '/var/www/reviewboard' directory to ensure that the correct contexts
> were set for httpd read access.

Ah, I wasn't paying enough attention. I didn't notice that you had actually
installed the site into /var/www (I usually use /srv/reviewboard). So the
/var/www will probably end up with the right contexts on restorecon, whereas
other locations won't (without additional help)
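As an added example (not from any message in this thread), the script below triages httpd_t AVC denials like the ones quoted above and prints a persistent fix for each class: it prefers the memcached-only boolean httpd_can_network_memcache over the broader httpd_can_network_connect, and records the rw labels with semanage fcontext so that a later restorecon (the step discussed at the end of the thread) keeps them rather than undoing a bare chcon. It assumes GNU sed/grep; the site-root argument, the `<path-to>` placeholder and the sample records are constructed here, and the function only prints commands for review, it applies nothing.

```bash
#!/usr/bin/env bash
# Added example, not from the thread: read audit.log AVC records on stdin and
# print a persistent remediation per denial class seen for httpd_t.
# Assumes GNU sed/grep. Prints commands only; nothing is applied to the system.

avc_triage() {
  local sitedir=${1:-/path/to/reviewboard-site}   # placeholder: pass the real site root
  grep 'type=AVC' | while IFS= read -r line; do
    perm=$(printf '%s\n' "$line" | sed -n 's/.*denied *[{] *\([a-z_]*\) *[}].*/\1/p')
    tclass=$(printf '%s\n' "$line" | sed -n 's/.*tclass=\([a-z_]*\).*/\1/p')
    ttype=$(printf '%s\n' "$line" | sed -n 's/.*tcontext=[^:]*:[^:]*:\([a-z_]*\):.*/\1/p')
    name=$(printf '%s\n' "$line" | sed -n 's/.*name="\([^"]*\)".*/\1/p')
    ino=$(printf '%s\n' "$line" | sed -n 's/.*ino=\([0-9]*\).*/\1/p')
    case "$perm:$tclass:$ttype" in
      name_connect:tcp_socket:memcache_port_t)
        # Memcached-only boolean; httpd_can_network_connect would open all outbound TCP.
        echo "setsebool -P httpd_can_network_memcache 1" ;;
      write:dir:httpd_sys_content_t|write:file:httpd_sys_content_t)
        # The AVC only carries the basename and inode: resolve the path first, then
        # record the label with semanage so restorecon keeps it (a bare chcon is undone).
        echo "# locate '$name' (ino=$ino): find '$sitedir' -xdev -inum $ino"
        echo "semanage fcontext -a -t httpd_sys_rw_content_t '$sitedir/<path-to>/$name(/.*)?' && restorecon -Rv '$sitedir'" ;;
      *)
        echo "# unhandled: $perm on $tclass ($ttype); review with: ausearch -m avc | audit2allow -w" ;;
    esac
  done | sort -u
}

# Constructed sample, cut down from the three distinct denials quoted in the thread.
SAMPLE_AVC='type=AVC msg=audit(1408653306.680:2131): avc:  denied  { name_connect } for  pid=17402 comm="httpd" dest=11211 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:memcache_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1408653306.803:2132): avc:  denied  { write } for  pid=17402 comm="httpd" name="data" dev="dm-8" ino=260102 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=AVC msg=audit(1408653306.803:2134): avc:  denied  { write } for  pid=17402 comm="httpd" name="ext" dev="dm-8" ino=260116 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir'

printf '%s\n' "$SAMPLE_AVC" | avc_triage /var/www/reviewboard
```

Feed it real records with `ausearch -m avc --raw | avc_triage /srv/reviewboard` and check each printed command before running it as root.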
