Re: Testing 1.7.1 on Fedora 18

2013-01-16 Thread pfee
Hi Stephen,

Thanks for working on the reviewboard 1.7 packages for Fedora 18.


Do you have plans for building a reviewboard 1.7 package for the EPEL repo?  
Currently EPEL contains reviewboard 1.6.15.

http://koji.fedoraproject.org/koji/packageinfo?packageID=9694
http://dl.fedoraproject.org/pub/epel/6/x86_64/repoview/ReviewBoard.html

It's great to trial the latest and greatest on Fedora, but I'd like to use RHEL 
in production.

Thanks,
Paul





 From: p...@talk21.com p...@talk21.com
To: Stephen Gallagher step...@gallagherhome.com 
Cc: chip...@chipx86.com chip...@chipx86.com; Christian Hammond 
chip...@gmail.com; reviewboard@googlegroups.com 
reviewboard@googlegroups.com 
Sent: Tuesday, 8 January 2013, 12:42
Subject: Re: Testing 1.7.1 on Fedora 18
 

Hi Stephen,

Bug raised as requested.  I didn't see a place to set the CC field on the 
google/reviewboard bug tracker, so here's the URL so you can star it and get 
yourself CCed.

http://code.google.com/p/reviewboard/issues/detail?id=2850

Thanks,
Paul



-- 
Want to help the Review Board project? Donate today at 
http://www.reviewboard.org/donate/
Happy user? Let us know at http://www.reviewboard.org/users/
-~--~~~~--~~--~--~---
To unsubscribe from this group, send email to 
reviewboard+unsubscr...@googlegroups.com
For more options, visit this group at 
http://groups.google.com/group/reviewboard?hl=en




Re: Testing 1.7.1 on Fedora 18

2013-01-16 Thread Stephen Gallagher
On Wed 16 Jan 2013 08:56:28 AM EST, p...@talk21.com wrote:
 Hi Stephen,

 Thanks for working on the reviewboard 1.7 packages for Fedora 18.

 Do you have plans for building a reviewboard 1.7 package for the EPEL
 repo?  Currently EPEL contains reviewboard 1.6.15.

 http://koji.fedoraproject.org/koji/packageinfo?packageID=9694
 http://dl.fedoraproject.org/pub/epel/6/x86_64/repoview/ReviewBoard.html

 It's great to trial the latest and greatest on Fedora, but I'd like to
 use RHEL in production.

 Thanks,
 Paul

 
 *From:* p...@talk21.com p...@talk21.com
 *To:* Stephen Gallagher step...@gallagherhome.com
 *Cc:* chip...@chipx86.com chip...@chipx86.com; Christian
 Hammond chip...@gmail.com; reviewboard@googlegroups.com
 reviewboard@googlegroups.com
 *Sent:* Tuesday, 8 January 2013, 12:42
 *Subject:* Re: Testing 1.7.1 on Fedora 18

 Hi Stephen,

 Bug raised as requested.  I didn't see a place to set the CC field
 on the google/reviewboard bug tracker, so here's the URL so you
 can star it and get yourself CCed.

 http://code.google.com/p/reviewboard/issues/detail?id=2850

 Thanks,
 Paul


Paul, yes I'm planning to get ReviewBoard 1.7 into EPEL 6 at some 
point. I haven't had the time yet (and there are many dependencies in 
EPEL 6 that need to be built first for it to work). It's on my radar, 
but I wouldn't expect to be able to finish it before the end of 
February at this point, given my $DAYJOB schedule right now.

I'm willing to accept comaintainers in Fedora/EPEL if you would like to 
help :)

The primary issues are:
 * Finish porting Node.js to EPEL 6 (this is the Big One and one that 
I'm working on for multiple projects right now)
 * Patch ReviewBoard so that it builds/runs with Django in a 
non-standard install location, since EPEL 6 has both Django (aka 1.3) 
and Django14 (aka 1.4) packages now, since 1.4 is not 
backwards-compatible.
 * Port any remaining Python dependencies to EPEL





Re: Testing 1.7.1 on Fedora 18

2013-01-08 Thread pfee
Hi Stephen,

Bug raised as requested.  I didn't see a place to set the CC field on the 
google/reviewboard bug tracker, so here's the URL so you can star it and get 
yourself CCed.

http://code.google.com/p/reviewboard/issues/detail?id=2850

Thanks,
Paul






 From: Stephen Gallagher step...@gallagherhome.com
To: p...@talk21.com 
Cc: chip...@chipx86.com chip...@chipx86.com; Christian Hammond 
chip...@gmail.com; reviewboard@googlegroups.com 
reviewboard@googlegroups.com 
Sent: Monday, 7 January 2013, 19:55
Subject: Re: Testing 1.7.1 on Fedora 18
 
On 01/04/2013 04:07 AM, p...@talk21.com wrote:
 Hi Stephen,

 The following AVC denied errors occur:

 1) named_connect to port 11211 (memcached)
 type=AVC msg=audit(1357289094.993:338): avc:  denied  { name_connect }
 for  pid=1668 comm=httpd dest=11211
 scontext=system_u:system_r:httpd_t:s0
 tcontext=system_u:object_r:memcache_port_t:s0 tclass=tcp_socket

 Reviewboard 1.7.1 by default uses memcached, it seems like the SELinux
 profile for httpd doesn't allow TCP connections to port 11211.  This
 failure does not prevent reviewboard from working, but is likely to
 affect performance.  Should the profile shipped with Fedora be extended
 to allow these connections by default?


It's a boolean in the shipped configuration:

setsebool -P httpd_can_network_memcache 1


 [Unix permissions]
 Reviewboard initially detects that write permission is not available and
 returns a web page instructing the user to grant write permission with
 these commands:
 $ sudo chown -R apache /var/www/reviewboard/data
 $ sudo chown -R apache /var/www/reviewboard/htdocs/media/ext

 Once the permissions are changed, SELinux still prevents write access.


The individual permissions have nothing to do with SELinux. As I said in 
my other email, you need to make sure these files have the right context 
set (or install the site into /var/www/html, but I don't recommend that).


 2) write to ext directory
 type=AVC msg=audit(1357289565.991:401): avc:  denied  { write } for
 pid=1665 comm=httpd name=ext dev=dm-1 ino=1896
 scontext=system_u:system_r:httpd_t:s0
 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir

 SELinux context is currently:
 $ ls -ldZ /var/www/reviewboard/htdocs/media/ext/
 drwxrwxr-x. apache pafee unconfined_u:object_r:httpd_sys_content_t:s0
 /var/www/reviewboard/htdocs/media/ext/

 Suggestion from SELinux Trouble shooter fixed this issue:
 $ sudo restorecon -v /var/www/reviewboard/htdocs/media/ext
 $ ls -ldZ /var/www/reviewboard/htdocs/media/ext/
 drwxrwxr-x. apache pafee unconfined_u:object_r:httpd_sys_rw_content_t:s0
 /var/www/reviewboard/htdocs/media/ext/

 I agree it would be difficult for Fedora to predict where a reviewboard
 site would be placed.  Would it be possible for rb-site install to set
 the SELinux security contexts of the files it creates?


I know this is possible from the libsemanage-python package. We could 
probably rig something up, but it's not going to be a trivial patch. 
Could you open a bug on the Review Board tracker about this and make 
sure I'm CCed on it, please? Christian, I'll look into this one since I 
have a (limited) SELinux background.

It would certainly be nice to have Review Board properly protected by 
SELinux.









Re: Testing 1.7.1 on Fedora 18

2013-01-07 Thread Stephen Gallagher

On 01/04/2013 04:07 AM, p...@talk21.com wrote:
> Hi Stephen,
>
> The following AVC denied errors occur:
>
> 1) named_connect to port 11211 (memcached)
> type=AVC msg=audit(1357289094.993:338): avc:  denied  { name_connect }
> for  pid=1668 comm=httpd dest=11211
> scontext=system_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:memcache_port_t:s0 tclass=tcp_socket
>
> Reviewboard 1.7.1 by default uses memcached, it seems like the SELinux
> profile for httpd doesn't allow TCP connections to port 11211.  This
> failure does not prevent reviewboard from working, but is likely to
> affect performance.  Should the profile shipped with Fedora be extended
> to allow these connections by default?

It's a boolean in the shipped configuration:

setsebool -P httpd_can_network_memcache 1

> [Unix permissions]
> Reviewboard initially detects that write permission is not available and
> returns a web page instructing the user to grant write permission with
> these commands:
> $ sudo chown -R apache /var/www/reviewboard/data
> $ sudo chown -R apache /var/www/reviewboard/htdocs/media/ext
>
> Once the permissions are changed, SELinux still prevents write access.

The individual permissions have nothing to do with SELinux. As I said in
my other email, you need to make sure these files have the right context
set (or install the site into /var/www/html, but I don't recommend that).

> 2) write to ext directory
> type=AVC msg=audit(1357289565.991:401): avc:  denied  { write } for
> pid=1665 comm=httpd name=ext dev=dm-1 ino=1896
> scontext=system_u:system_r:httpd_t:s0
> tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
>
> SELinux context is currently:
> $ ls -ldZ /var/www/reviewboard/htdocs/media/ext/
> drwxrwxr-x. apache pafee unconfined_u:object_r:httpd_sys_content_t:s0
> /var/www/reviewboard/htdocs/media/ext/
>
> Suggestion from SELinux Trouble shooter fixed this issue:
> $ sudo restorecon -v /var/www/reviewboard/htdocs/media/ext
> $ ls -ldZ /var/www/reviewboard/htdocs/media/ext/
> drwxrwxr-x. apache pafee unconfined_u:object_r:httpd_sys_rw_content_t:s0
> /var/www/reviewboard/htdocs/media/ext/
>
> I agree it would be difficult for Fedora to predict where a reviewboard
> site would be placed.  Would it be possible for rb-site install to set
> the SELinux security contexts of the files it creates?

I know this is possible from the libsemanage-python package. We could
probably rig something up, but it's not going to be a trivial patch.
Could you open a bug on the Review Board tracker about this and make
sure I'm CCed on it, please? Christian, I'll look into this one since I
have a (limited) SELinux background.

It would certainly be nice to have Review Board properly protected by
SELinux.






Re: Testing 1.7.1 on Fedora 18

2013-01-07 Thread Stephen Gallagher

On 01/04/2013 04:30 AM, p...@talk21.com wrote:
> Hi Stephen,
>
> Another SELinux error I missed:
>
> 3) write to data directory
> Occurs when user tries to login.
> type=AVC msg=audit(1357290519.860:433): avc:  denied  { write } for
> pid=1666 comm=httpd name=data dev=dm-1 ino=1884
> scontext=system_u:system_r:httpd_t:s0
> tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
>
> As with the ext directory, this was fixed using the suggestion from
> SELinux trouble shooter:
>
> $ ls -ldZ /var/www/reviewboard/data
> drwxrwxr-x. apache pafee unconfined_u:object_r:httpd_sys_content_t:s0
> /var/www/reviewboard/data
> $ sudo restorecon -v /var/www/reviewboard/data/
> restorecon reset /var/www/reviewboard/data context
> unconfined_u:object_r:httpd_sys_content_t:s0->unconfined_u:object_r:httpd_sys_rw_content_t:s0
> $ ls -ldZ /var/www/reviewboard/data
> drwxrwxr-x. apache pafee unconfined_u:object_r:httpd_sys_rw_content_t:s0
> /var/www/reviewboard/data

I think this will be corrected when we add the semanage support to rb-site.

> Fixing the two write denials allows reviewboard to function normally.
>
> Regarding memcached, in addition to the SELinux named_connect
> restriction, the memcached package is not installed.  It's not a
> mandatory dependency of reviewboard, however the rb-site script does
> configure it by default.  Should memcached be required by the F18
> reviewboard package?

This is basically intentional. On Fedora, we don't have the
Debian/Ubuntu concept of Recommends: packages. As a rule, we try to
install the minimal subset of packages that are needed in order to
operate. Since ReviewBoard *can* function without memcached installed on
the local system (it can either connect to a remote memcached server or
use a local file cache), it's not a hard dependency.

This policy is in place to keep the amount of cruft down on a particular
system especially if it's being installed somewhere with limited space
(such as a small VM).

I'm technically already bending this policy by installing the client
libraries for MySQL, PostgreSQL, SQLite and memcached alongside
ReviewBoard, but they're all very small and none of those are system
services that require their own configuration.

> A couple of commands allowed reviewboard to make use of memcached.  This
> was verified by seeing the server cache stats present on the admin
> dashboard.
> $ sudo yum install memcached
> $ sudo systemctl start memcached.service

Yes, this is the proper way to run memcached. Though as I said, it does
not need to run on the same machine as Review Board. For example, the
site we're running in the Fedora Infrastructure is connected to an
external memcached server (shared with multiple other web apps, but on
dedicated hardware).


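
The three denials quoted in this thread, sorted into the two fixes the replies used (a policy boolean for the memcached connection, relabelling for the write denials). This is an added example, not code from the thread or from Review Board; the function names and the fourth log record are constructed for illustration.

```python
import re

# The three AVC records quoted in this thread, re-joined onto one line each,
# plus one constructed record (serial 999) that neither fix in the thread covers.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1357289094.993:338): avc:  denied  { name_connect } for  pid=1668 comm=httpd dest=11211 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:memcache_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1357289565.991:401): avc:  denied  { write } for  pid=1665 comm=httpd name=ext dev=dm-1 ino=1896 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=AVC msg=audit(1357290519.860:433): avc:  denied  { write } for  pid=1666 comm=httpd name=data dev=dm-1 ino=1884 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=AVC msg=audit(1357290600.000:999): avc:  denied  { name_connect } for  pid=1700 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<epoch>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<verdict>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs; values may be quoted (as auditd writes them) or bare (as archived here).
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# (source type, target type, class, permission) -> boolean named in the thread's reply.
BOOLEAN_FIXES = {
    ("httpd_t", "memcache_port_t", "tcp_socket", "name_connect"): "httpd_can_network_memcache",
}
# Read-only content type -> the writable type restorecon applied in the thread.
RW_RELABEL = {"httpd_sys_content_t": "httpd_sys_rw_content_t"}


def context_type(context):
    """Return the type field of a user:role:type:level security context."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one AVC record into a dict, or return None if the line is not one."""
    match = AVC_RE.search(line)
    if match is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(match.group("fields"))}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None
    return {
        "serial": int(match.group("serial")),
        "denied": match.group("verdict") == "denied",
        "perms": match.group("perms").split(),
        "comm": fields.get("comm"),
        "name": fields.get("name"),   # basename only; the record has no full path
        "dest": fields.get("dest"),
        "source": context_type(fields["scontext"]),
        "target": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
    }


def recommend(rec):
    """Map a parsed denial to (kind, detail) using only the fixes from the thread."""
    for perm in rec["perms"]:
        boolean = BOOLEAN_FIXES.get((rec["source"], rec["target"], rec["tclass"], perm))
        if boolean:
            return ("boolean", "setsebool -P {} 1".format(boolean))
    if (rec["source"] == "httpd_t" and "write" in rec["perms"]
            and rec["tclass"] in ("dir", "file") and rec["target"] in RW_RELABEL):
        return ("relabel", "{} '{}': {} -> {}".format(
            rec["tclass"], rec["name"], rec["target"], RW_RELABEL[rec["target"]]))
    # Anything else is left for a human to judge rather than allowed automatically.
    return ("review", "no fix from this thread matches {} -> {} ({} {})".format(
        rec["source"], rec["target"], rec["tclass"], " ".join(rec["perms"])))


def triage(log_text):
    """Return (serial, kind, detail) for every denied AVC record in log_text."""
    results = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec["denied"]:
            results.append((rec["serial"],) + recommend(rec))
    return results


if __name__ == "__main__":
    for serial, kind, detail in triage(SAMPLE_AUDIT_LOG):
        print(serial, kind, detail)
```
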




Re: Testing 1.7.1 on Fedora 18

2013-01-07 Thread Stephen Gallagher

On 01/04/2013 04:34 PM, Christian Hammond wrote:
> If we can do anything intelligent in rb-site to handle this, I'll
> happily take a patch for it. It'd have to be conditional on SELinux
> actually being on there, though.

Yeah, the conditional should be easy. libsemanage-python can check
whether SELinux is supported by the kernel, and as long as it is (even
if it's in permissive mode) we'll be able to set the permissions.


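
One way to implement the conditional labelling step discussed in this exchange, for a site installed at an arbitrary path. This is an added example, not rb-site's own code: it assumes the `semanage` and `restorecon` command-line tools rather than the libsemanage-python bindings mentioned in the reply, detects SELinux by the presence of `/sys/fs/selinux/enforce`, and uses hypothetical function names.

```python
import os
import re
import subprocess

# The two directories httpd was denied write access to in this thread,
# relative to the site directory.
WRITABLE_SUBDIRS = ("data", "htdocs/media/ext")
RW_TYPE = "httpd_sys_rw_content_t"


def selinux_enabled(selinuxfs="/sys/fs/selinux"):
    """True when selinuxfs is mounted, i.e. SELinux is active in the kernel.

    The 'enforce' node exists in both enforcing and permissive mode, so
    labels are still applied on a permissive host.
    """
    return os.path.exists(os.path.join(selinuxfs, "enforce"))


def labeling_plan(site_dir):
    """Build the commands that make the site's writable directories httpd-writable.

    'semanage fcontext' records a persistent rule so a later relabel keeps the
    type; 'restorecon' then applies that rule to the files already on disk.
    """
    site_dir = os.path.abspath(site_dir)
    plan = []
    for sub in WRITABLE_SUBDIRS:
        path = os.path.join(site_dir, sub)
        # The file-context spec is a regular expression: escape the literal
        # path, then match the directory itself and everything beneath it.
        spec = re.escape(path) + "(/.*)?"
        plan.append(["semanage", "fcontext", "-a", "-t", RW_TYPE, spec])
        plan.append(["restorecon", "-R", "-v", path])
    return plan


def apply_labels(site_dir, selinuxfs="/sys/fs/selinux", run=subprocess.check_call):
    """Run the plan only where SELinux is present; return the commands run.

    On a host without SELinux this is a no-op, so the installer behaves the
    same as before there. 'run' is injectable so the plan can be inspected
    or logged without root.
    """
    if not selinux_enabled(selinuxfs):
        return []
    plan = labeling_plan(site_dir)
    for command in plan:
        run(command)
    return plan


if __name__ == "__main__":
    # Dry run: show what would be executed for the site path used in the thread.
    for command in labeling_plan("/var/www/reviewboard"):
        print(" ".join(command))
```
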




Re: Testing 1.7.1 on Fedora 18

2013-01-04 Thread pfee
Bug created as requested: 
http://code.google.com/p/reviewboard/issues/detail?id=2846


Thanks,
Paul





 From: Christian Hammond chip...@chipx86.com
To: p...@talk21.com 
Cc: reviewboard@googlegroups.com reviewboard@googlegroups.com; Stephen 
Gallagher step...@gallagherhome.com 
Sent: Friday, 4 January 2013, 0:27
Subject: Re: Testing 1.7.1 on Fedora 18
 

Hi,

On Thu, Jan 3, 2013 at 8:47 AM, p...@talk21.com wrote:
> Hi Stephen,
>
> After running rb-site install and visiting the website, I get errors about a
> couple of directories not being writeable.  The web page helpfully suggests a
> couple of chmod -R commands.  However on Fedora the SELinux profile for the
> httpd process prevents writing regardless of unix permissions.  I'm not sure
> if there's anything Fedora can do to make that easier for users, perhaps it's
> just something to document.  The SELinux Troubleshooter correctly indicates
> how to workaround this issue.
>
> Hi Christian,
>
> With my test site up and running, I had a brief look around.  Here are a few
> issues I noticed on the admin pages:
>
> On the Admin dashboard, System Information section on left hand side
> 1) Both Review Emails and Email TLS Authentication are hyperlinks to the
> same page.  Should they be different links or would one link be
> sufficient?

Yeah, they're just all quick ways of jumping to the setting for the page. The
sidebar is meant to be a quick at-a-glance of certain setting values, and
clicking on them takes you to the page containing that setting. There's going
to be some overlap.

> 2) Indexed Search links to /admin/settings/general, which is the same as
> the General link at the system settings section.  Perhaps this is influenced
> by my install not having PyLucene.  Should Indexed Search link to a
> different page?

Nope, same as above.

> 3) General Settings admin page mentions PyLucene (with JCC) is required to
> enable search. See the documentation for instructions..  The documentation
> link points to
> http://www.reviewboard.org/docs/manual/dev/admin/sites/enabling-search/
> however that serves up a 404 Not Found page.

I'll make sure to fix the link for the next release.

> 4) Review Board Activity: Clicking on the four toggle buttons (Reviews,
> Comments, Review Requests, Changes) affects how much data is plotted.  The
> graph goes from four datasets down to one.  Deactivating the last toggle greys
> out the last button, but doesn't remove the last dataset from the graph
> (tested on Firefox 17, Fedora 17).

Would you mind filing a bug on this one? I'll see what we can do about it.
Hoping to get some unit tests in place for these widgets in time.


Thanks!


Christian


-- 
Christian Hammond - chip...@chipx86.com
Review Board - http://www.reviewboard.org
VMware, Inc. - http://www.vmware.com









Re: Testing 1.7.1 on Fedora 18

2013-01-04 Thread pfee
Hi Stephen,

The following AVC denied errors occur:

1) named_connect to port 11211 (memcached)
type=AVC msg=audit(1357289094.993:338): avc:  denied  { name_connect } for  
pid=1668 comm=httpd dest=11211 scontext=system_u:system_r:httpd_t:s0 
tcontext=system_u:object_r:memcache_port_t:s0 tclass=tcp_socket

Reviewboard 1.7.1 by default uses memcached, it seems like the SELinux profile 
for httpd doesn't allow TCP connections to port 11211.  This failure does not 
prevent reviewboard from working, but is likely to affect performance.  Should 
the profile shipped with Fedora be extended to allow these connections by 
default?


[Unix permissions]
Reviewboard initially detects that write permission is not available and 
returns a web page instructing the user to grant write permission with these 
commands:
$ sudo chown -R apache /var/www/reviewboard/data
$ sudo chown -R apache /var/www/reviewboard/htdocs/media/ext


Once the permissions are changed, SELinux still prevents write access.


2) write to ext directory
type=AVC msg=audit(1357289565.991:401): avc:  denied  { write } for  pid=1665 
comm=httpd name=ext dev=dm-1 ino=1896 
scontext=system_u:system_r:httpd_t:s0 
tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir


SELinux context is currently:

$ ls -ldZ /var/www/reviewboard/htdocs/media/ext/
drwxrwxr-x. apache pafee unconfined_u:object_r:httpd_sys_content_t:s0 
/var/www/reviewboard/htdocs/media/ext/


Suggestion from SELinux Trouble shooter fixed this issue:
$ sudo restorecon -v /var/www/reviewboard/htdocs/media/ext
$ ls -ldZ /var/www/reviewboard/htdocs/media/ext/
drwxrwxr-x. apache pafee unconfined_u:object_r:httpd_sys_rw_content_t:s0 
/var/www/reviewboard/htdocs/media/ext/


I agree it would be difficult for Fedora to predict where a reviewboard site 
would be placed.  Would it be possible for rb-site install to set the SELinux 
security contexts of the files it creates?

Thanks,
Paul





 From: Stephen Gallagher step...@gallagherhome.com
To: p...@talk21.com 
Cc: chip...@chipx86.com chip...@chipx86.com; Christian Hammond 
chip...@gmail.com; reviewboard@googlegroups.com 
reviewboard@googlegroups.com 
Sent: Thursday, 3 January 2013, 18:25
Subject: Re: Testing 1.7.1 on Fedora 18
 
On Thu 03 Jan 2013 11:47:06 AM EST, p...@talk21.com wrote:
 Hi Stephen,
 
 After running rb-site install and visiting the website, I get errors
 about a couple of directories not being writeable.  The web page
 helpfully suggests a couple of chmod -R commands.  However on Fedora
 the SELinux profile for the httpd process prevents writing regardless
 of unix permissions.  I'm not sure if there's anything Fedora can do
 to make that easier for users, perhaps it's just something to
 document.  The SELinux Troubleshooter correctly indicates how to
 workaround this issue.
 


We can't really make this easier because we don't have advance knowledge of 
where you're installing the Review Board site. I *think* what you need to do 
is set the following SELinux contexts (with 'chcon -t context file' or 
'chcon -R -r context directory'):

1) apache-wsgi.conf needs to be httpd_config_t
2) $SITE_DIR/htdocs and $SITE_DIR/data (if using an SQLITE DB) need to be 
httpd_sys_content_t

What else did the Troubleshooter say? I'm naming those from memory.








Re: Testing 1.7.1 on Fedora 18

2013-01-04 Thread pfee
Hi Stephen,

Another SELinux error I missed:


3) write to data directory
Occurs when user tries to login.
type=AVC msg=audit(1357290519.860:433): avc:  denied  { write } for  pid=1666 
comm=httpd name=data dev=dm-1 ino=1884 
scontext=system_u:system_r:httpd_t:s0 
tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir


As with the ext directory, this was fixed using the suggestion from SELinux 
trouble shooter:

$ ls -ldZ /var/www/reviewboard/data
drwxrwxr-x. apache pafee unconfined_u:object_r:httpd_sys_content_t:s0 
/var/www/reviewboard/data
$ sudo restorecon -v /var/www/reviewboard/data/
restorecon reset /var/www/reviewboard/data context 
unconfined_u:object_r:httpd_sys_content_t:s0->unconfined_u:object_r:httpd_sys_rw_content_t:s0
$ ls -ldZ /var/www/reviewboard/data
drwxrwxr-x. apache pafee unconfined_u:object_r:httpd_sys_rw_content_t:s0 
/var/www/reviewboard/data


Fixing the two write denials allows reviewboard to function normally.

Regarding memcached, in addition to the SELinux named_connect restriction, the 
memcached package is not installed.  It's not a mandatory dependency of 
reviewboard, however the rb-site script does configure it by default.  Should 
memcached be required by the F18 reviewboard package?

A couple of commands allowed reviewboard to make use of memcached.  This was 
verified by seeing the server cache stats present on the admin dashboard.

$ sudo yum install memcached
$ sudo systemctl start memcached.service


Thanks,
Paul





 From: p...@talk21.com p...@talk21.com
To: Stephen Gallagher step...@gallagherhome.com 
Cc: chip...@chipx86.com chip...@chipx86.com; Christian Hammond 
chip...@gmail.com; reviewboard@googlegroups.com 
reviewboard@googlegroups.com 
Sent: Friday, 4 January 2013, 9:07
Subject: Re: Testing 1.7.1 on Fedora 18
 

Hi Stephen,

The following AVC denied errors occur:

1) named_connect to port 11211 (memcached)
type=AVC msg=audit(1357289094.993:338): avc:  denied  { name_connect } for  
pid=1668 comm=httpd dest=11211 scontext=system_u:system_r:httpd_t:s0 
tcontext=system_u:object_r:memcache_port_t:s0 tclass=tcp_socket

Reviewboard 1.7.1 by default uses memcached, it seems like the SELinux profile 
for httpd doesn't allow TCP connections to port 11211.  This failure does not 
prevent reviewboard from working, but is likely to affect performance.  Should 
the profile shipped with Fedora be extended to allow these connections by 
default?



[Unix permissions]
Reviewboard initially detects that write permission is not available and 
returns a web page instructing the user to grant write permission with these 
commands:
$ sudo chown -R apache /var/www/reviewboard/data
$ sudo chown -R apache /var/www/reviewboard/htdocs/media/ext



Once the permissions are changed, SELinux still prevents write access.



2) write to ext directory
type=AVC msg=audit(1357289565.991:401): avc:  denied  { write } for  pid=1665 
comm=httpd name=ext dev=dm-1 ino=1896 
scontext=system_u:system_r:httpd_t:s0 
tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir



SELinux context is currently:

$ ls -ldZ /var/www/reviewboard/htdocs/media/ext/
drwxrwxr-x. apache pafee unconfined_u:object_r:httpd_sys_content_t:s0 
/var/www/reviewboard/htdocs/media/ext/



Suggestion from SELinux Trouble shooter fixed this issue:
$ sudo restorecon -v /var/www/reviewboard/htdocs/media/ext
$ ls -ldZ /var/www/reviewboard/htdocs/media/ext/
drwxrwxr-x. apache pafee unconfined_u:object_r:httpd_sys_rw_content_t:s0 
/var/www/reviewboard/htdocs/media/ext/



I agree it would be difficult for Fedora to predict where a reviewboard site 
would be placed.  Would it be possible for rb-site install to set the 
SELinux security contexts of the files it creates?


Thanks,
Paul





 From: Stephen Gallagher step...@gallagherhome.com
To: p...@talk21.com 
Cc: chip...@chipx86.com chip...@chipx86.com; Christian Hammond 
chip...@gmail.com; reviewboard@googlegroups.com 
reviewboard@googlegroups.com 
Sent: Thursday, 3 January 2013, 18:25
Subject: Re: Testing 1.7.1 on Fedora 18
 
On Thu 03 Jan 2013 11:47:06 AM EST, p...@talk21.com wrote:
 Hi Stephen,
 
 After running rb-site install and visiting the website, I get errors
 about a couple of directories not being writeable.  The web page
 helpfully suggests a couple of chmod -R commands.  However on Fedora
 the SELinux profile for the httpd process prevents writing regardless
 of unix permissions.  I'm not sure if there's anything Fedora can do
 to make that easier for users, perhaps it's just something to
 document.  The SELinux Troubleshooter correctly indicates how to
 workaround this issue.
 


We can't really make this easier because we don't have advance knowledge of 
where you're installing the Review Board site. I *think* what you need to do 
is set the following SELinux contexts (with 'chcon -t context file' or 
'chcon -R -r context directory'):

1) apache-wsgi.conf needs to be httpd_config_t
2

Re: Testing 1.7.1 on Fedora 18

2013-01-04 Thread Matthew Woehlke

On 2013-01-04 04:07, p...@talk21.com wrote:
> Hi Stephen,
>
> The following AVC denied errors occur:
> snip?

You know... just FYI, now that you mention it, I remember I had to tweak
SELinux on my system... Specifically, I had to allow access to
postgresql, git and LDAP. (Probably need to do likewise for the
appropriate database backend, as well as any VCS or authentication
method in use; those are just the ones I'm using.)


--
Matthew





Re: Testing 1.7.1 on Fedora 18

2013-01-04 Thread Christian Hammond
If we can do anything intelligent in rb-site to handle this, I'll happily
take a patch for it. It'd have to be conditional on SELinux actually being
on there, though.

Christian

-- 
Christian Hammond - chip...@chipx86.com
Review Board - http://www.reviewboard.org
VMware, Inc. - http://www.vmware.com


On Fri, Jan 4, 2013 at 1:07 AM, p...@talk21.com wrote:

 Hi Stephen,

 The following AVC denied errors occur:

 1) named_connect to port 11211 (memcached)
 type=AVC msg=audit(1357289094.993:338): avc:  denied  { name_connect }
 for  pid=1668 comm=httpd dest=11211 scontext=system_u:system_r:httpd_t:s0
 tcontext=system_u:object_r:memcache_port_t:s0 tclass=tcp_socket

 Reviewboard 1.7.1 by default uses memcached, it seems like the SELinux
 profile for httpd doesn't allow TCP connections to port 11211.  This
 failure does not prevent reviewboard from working, but is likely to affect
 performance.  Should the profile shipped with Fedora be extended to allow
 these connections by default?

 [Unix permissions]
 Reviewboard initially detects that write permission is not available and
 returns a web page instructing the user to grant write permission with
 these commands:
 $ sudo chown -R apache /var/www/reviewboard/data
 $ sudo chown -R apache /var/www/reviewboard/htdocs/media/ext

 Once the permissions are changed, SELinux still prevents write access.

 2) write to ext directory
 type=AVC msg=audit(1357289565.991:401): avc:  denied  { write } for
 pid=1665 comm=httpd name=ext dev=dm-1 ino=1896
 scontext=system_u:system_r:httpd_t:s0
 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir

 SELinux context is currently:
 $ ls -ldZ /var/www/reviewboard/htdocs/media/ext/
 drwxrwxr-x. apache pafee unconfined_u:object_r:httpd_sys_content_t:s0
 /var/www/reviewboard/htdocs/media/ext/

 Suggestion from SELinux Trouble shooter fixed this issue:
 $ sudo restorecon -v /var/www/reviewboard/htdocs/media/ext
 $ ls -ldZ /var/www/reviewboard/htdocs/media/ext/
 drwxrwxr-x. apache pafee unconfined_u:object_r:httpd_sys_rw_content_t:s0
 /var/www/reviewboard/htdocs/media/ext/

 I agree it would be difficult for Fedora to predict where a reviewboard
 site would be placed.  Would it be possible for rb-site install to set
 the SELinux security contexts of the files it creates?

 Thanks,
 Paul

   --
 *From:* Stephen Gallagher step...@gallagherhome.com
 *To:* p...@talk21.com
 *Cc:* chip...@chipx86.com chip...@chipx86.com; Christian Hammond 
 chip...@gmail.com; reviewboard@googlegroups.com 
 reviewboard@googlegroups.com
 *Sent:* Thursday, 3 January 2013, 18:25

 *Subject:* Re: Testing 1.7.1 on Fedora 18

 On Thu 03 Jan 2013 11:47:06 AM EST, p...@talk21.com wrote:
  Hi Stephen,
 
  After running rb-site install and visiting the website, I get errors
  about a couple of directories not being writeable.  The web page
  helpfully suggests a couple of chmod -R commands.  However on Fedora
  the SELinux profile for the httpd process prevents writing regardless
  of unix permissions.  I'm not sure if there's anything Fedora can do
  to make that easier for users, perhaps it's just something to
  document.  The SELinux Troubleshooter correctly indicates how to
  workaround this issue.
 


 We can't really make this easier because we don't have advance knowledge
 of where you're installing the Review Board site. I *think* what you need
 to do is set the following SELinux contexts (with 'chcon -t context file'
 or 'chcon -R -r context directory'):

 1) apache-wsgi.conf needs to be httpd_config_t
 2) $SITE_DIR/htdocs and $SITE_DIR/data (if using an SQLITE DB) need to be
 httpd_sys_content_t

 What else did the Troubleshooter say? I'm naming those from memory.






Re: Testing 1.7.1 on Fedora 18

2013-01-03 Thread Stephen Gallagher

On Thu 03 Jan 2013 11:47:06 AM EST, p...@talk21.com wrote:
> Hi Stephen,
>
> After running rb-site install and visiting the website, I get errors
> about a couple of directories not being writeable.  The web page
> helpfully suggests a couple of chmod -R commands.  However on Fedora
> the SELinux profile for the httpd process prevents writing regardless
> of unix permissions.  I'm not sure if there's anything Fedora can do
> to make that easier for users, perhaps it's just something to
> document.  The SELinux Troubleshooter correctly indicates how to
> workaround this issue.

We can't really make this easier because we don't have advance
knowledge of where you're installing the Review Board site. I *think*
what you need to do is set the following SELinux contexts (with 'chcon
-t context file' or 'chcon -R -r context directory'):

1) apache-wsgi.conf needs to be httpd_config_t
2) $SITE_DIR/htdocs and $SITE_DIR/data (if using an SQLITE DB) need to
be httpd_sys_content_t

What else did the Troubleshooter say? I'm naming those from memory.

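The labelling described in the reply above, as an added example that is not part of the original thread or of Review Board's own tooling: a shell audit that compares the SELinux type on each site path with the types named in the reply and prints persistent fix commands. The `conf/` location of `apache-wsgi.conf`, the `/srv/reviews` site path and the sample labels are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit SELinux types on a Review Board site directory.
# Types are those named in the reply; conf/ and /srv/reviews are assumptions.

# expected_type SITE_DIR PATH: print the type PATH should carry, if any.
expected_type() {
    case "$2" in
        "$1"/conf/apache-wsgi.conf) echo httpd_config_t ;;
        "$1"/htdocs|"$1"/htdocs/*)  echo httpd_sys_content_t ;;
        "$1"/data|"$1"/data/*)      echo httpd_sys_content_t ;;
    esac
}

# audit_labels SITE_DIR: read "context path" lines on stdin (the format
# of `stat -c '%C %n' PATH...`), print each mismatch, return 1 if any.
audit_labels() {
    site=$1; bad=0
    while read -r ctx path; do
        want=$(expected_type "$site" "$path")
        [ -n "$want" ] || continue
        have=$(printf '%s\n' "$ctx" | cut -d: -f3)   # user:role:type:level
        if [ "$have" != "$want" ]; then
            echo "MISMATCH $path have=$have want=$want"
            bad=1
        fi
    done
    return "$bad"
}

# fix_commands SITE_DIR: print (not run) commands that record the labels
# in local policy and then apply them.
fix_commands() {
    echo "semanage fcontext -a -t httpd_config_t '$1/conf/apache-wsgi.conf'"
    echo "semanage fcontext -a -t httpd_sys_content_t '$1/htdocs(/.*)?'"
    echo "semanage fcontext -a -t httpd_sys_content_t '$1/data(/.*)?'"
    echo "restorecon -R -v '$1'"
}

# Constructed sample input for a site at /srv/reviews.
sample_labels() {
    cat <<'EOF'
unconfined_u:object_r:httpd_sys_content_t:s0 /srv/reviews/htdocs
unconfined_u:object_r:var_t:s0 /srv/reviews/data
unconfined_u:object_r:httpd_config_t:s0 /srv/reviews/conf/apache-wsgi.conf
unconfined_u:object_r:var_t:s0 /srv/reviews/logs
EOF
}

sample_labels | audit_labels /srv/reviews || fix_commands /srv/reviews
```

Labels set with `chcon` are lost on a full relabel, which is why the printed commands use `semanage fcontext` and `restorecon`. `httpd_sys_content_t` is read-only for the httpd domain; directories the server must write to take `httpd_sys_rw_content_t` in the targeted policy.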




Re: Testing 1.7.1 on Fedora 18

2013-01-03 Thread Christian Hammond
Hi,


On Thu, Jan 3, 2013 at 8:47 AM, p...@talk21.com wrote:

 Hi Stephen,

 After running rb-site install and visiting the website, I get errors about
 a couple of directories not being writeable.  The web page helpfully
 suggests a couple of chmod -R commands.  However on Fedora the SELinux
 profile for the httpd process prevents writing regardless of unix
 permissions.  I'm not sure if there's anything Fedora can do to make that
 easier for users, perhaps it's just something to document.  The SELinux
 Troubleshooter correctly indicates how to work around this issue.

 Hi Christian,
 With my test site up and running, I had a brief look around.  Here are a
 few issues I noticed on the admin pages:

 On the Admin dashboard, System Information section on left hand side
 1) Both Review Emails and Email TLS Authentication are hyperlinks to
 the same page.  Should they be different links or would one link be
 sufficient?


Yeah, they're just all quick ways of jumping to the setting for the page.
The sidebar is meant to be a quick at-a-glance of certain setting values,
and clicking on them takes you to the page containing that setting. There's
going to be some overlap.



 2) Indexed Search links to /admin/settings/general, which is the same
 as the General link at the system settings section.  Perhaps this is
 influenced by my install not having PyLucene.  Should Indexed Search link
 to a different page?


Nope, same as above.



  3) General Settings admin page mentions PyLucene (with JCC) is required
 to enable search. See the documentation
 http://www.reviewboard.org/docs/manual/dev/admin/sites/enabling-search/ for
 instructions.  The documentation link points to
 http://www.reviewboard.org/docs/manual/dev/admin/sites/enabling-search/
 however that serves up a 404 Not Found page.


I'll make sure to fix the link for the next release.



 4) Review Board Activity: Clicking on the four toggle buttons (Reviews,
 Comments, Review Requests, Changes) affects how much data is plotted.  The
 graph goes from four datasets down to one.  Deactivating the last toggle
 greys out the last button, but doesn't remove the last dataset from the
 graph (tested on Firefox 17, Fedora 17).


Would you mind filing a bug on this one? I'll see what we can do about it.
Hoping to get some unit tests in place for these widgets in time.

Thanks!

Christian

-- 
Christian Hammond - chip...@chipx86.com
Review Board - http://www.reviewboard.org
VMware, Inc. - http://www.vmware.com
