On Wed, Jul 29, 2015 at 11:57 AM <mi...@lastminuterecords.com> wrote:

> Maybe not as specific as it should be, but:
>
>
> chcon -Rv --type=httpd_sys_content_t /var/www/
> semanage fcontext -a -t httpd_sys_rw_content_t "/var/www(/.*)?"
> semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/codereview.iacc.dis.gov(/.*)?"
> semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/codereview.iacc.dis.gov/data/(/.*)?"
> semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/codereview.iacc.dis.gov/htdocs/media/ext(/.*)?"
> semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/codereview.iacc.dis.gov/htdocs/static/ext(/.*)?"
> restorecon -R -v /var/www/
>
>
>
OK, so part of the problem is that you installed into the /var/www
directory. I've been trying to get /var/lib/reviewboard/sites/<sitename>
made into the standard location for these, because it's much easier to
create rules. (The /var/www path is assumed to have everything be HTML
content by the default SELinux policy). If we install into a known
reviewboard-specific path, the default policy on the system can understand
it and apply the right rules without manual input.

(Basically, the problem is that /var/www has no known structure that we can
write rules for; everything just gets the default website rules).

Note also that with recent versions of reviewboard, doing 'rb-site install
<sitename>' (without an absolute path) will default to
/var/lib/reviewboard/sites/<sitename> on Fedora/RHEL for this reason.



> On Tuesday, June 25, 2013 at 11:27:06 AM UTC-5, Stephen Gallagher wrote:
>>
>> On 06/25/2013 12:24 PM, Matthew Woehlke wrote:
>> > On 2013-06-25 07:48, Stephen Gallagher wrote:
>> >> Yeah, my TODO list includes working up some SELinux rules for
>> >> ReviewBoard and getting rb-site to be capable of setting them up during
>> >> installation. It's a pretty big task and low on my priority list right
>> >> now, unfortunately.
>> >
>> > Heh. I'm running with SELinux enabled. I can probably dig up the
>> > relevant *compiled* rules if those are of any use. I think I deleted the
>> > 'source' files for them, however. (Yeah, bad decision in retrospect, but
>> > haven't gotten around to trying to recreate them.)
>> >
>> > I don't think there are actually very many (maybe four, but at least one
>> > is git specific; probably need additional rules for other VCS's).
>> >
>> >
>>
>> If you can figure out what they are, it would be a great start for me.
>>
>> I don't necessarily just need exception rules, though. We may want to
>> introduce new SELinux types for rules so we keep things constrained.
>> (Though since basically everything runs inside apache/mod_wsgi, we're
>> probably going to end up mostly using apache rules).
>>
>

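
The labelling discussed in this thread, narrowed so that only the directories the web server writes to get the read-write type; this is an added example, not part of the original messages and not Review Board's own tooling. The helper names and the demo site name are hypothetical, and it assumes the three subdirectories in the quoted commands are the only writable locations.

```shell
#!/bin/sh
# Added example (not from the thread): print the SELinux labelling commands for
# one Review Board site directory, read-only by default, read-write only where
# the quoted post needed it. Nothing is executed; review, then run as root.

# Subdirectories taken from the quoted commands; assumed to be the only
# locations the web server must write to.
RB_RW_DIRS="data htdocs/media/ext htdocs/static/ext"

# Escape regex metacharacters so a literal path (for example a hostname with
# dots) matches only itself in an fcontext pattern.
rb_escape_path() {
    printf '%s\n' "$1" | sed 's/[][\.*^$+?(){}|]/\\&/g'
}

# rb_fcontext_rules SITE_DIR  (hypothetical helper name)
rb_fcontext_rules() {
    site=${1%/}
    case $site in
        /*) ;;
        *) echo "site directory must be an absolute path" >&2; return 1 ;;
    esac
    pat=$(rb_escape_path "$site")
    # Broad read-only rule first, narrower read-write rules after it.
    printf "semanage fcontext -a -t httpd_sys_content_t '%s(/.*)?'\n" "$pat"
    for sub in $RB_RW_DIRS; do
        printf "semanage fcontext -a -t httpd_sys_rw_content_t '%s/%s(/.*)?'\n" "$pat" "$sub"
    done
    # restorecon applies the recorded contexts to the files on disk.
    printf "restorecon -R -v '%s'\n" "$site"
}

# Demo with a constructed site name under the path recommended in the reply.
rb_fcontext_rules /var/lib/reviewboard/sites/reviews.example.com
```

Unlike `chcon`, rules recorded with `semanage fcontext` survive a later `restorecon` or full relabel, so the printed commands are the persistent form of the labelling.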