Re: Testing 1.7.1 on Fedora 18
Hi Stephen,

Thanks for working on the reviewboard 1.7 packages for Fedora 18. Do you have plans for building a reviewboard 1.7 package for the EPEL repo? Currently EPEL contains reviewboard 1.6.15.

http://koji.fedoraproject.org/koji/packageinfo?packageID=9694
http://dl.fedoraproject.org/pub/epel/6/x86_64/repoview/ReviewBoard.html

It's great to trial the latest and greatest on Fedora, but I'd like to use RHEL in production.

Thanks,
Paul

From: p...@talk21.com p...@talk21.com
To: Stephen Gallagher step...@gallagherhome.com
Cc: chip...@chipx86.com chip...@chipx86.com; Christian Hammond chip...@gmail.com; reviewboard@googlegroups.com reviewboard@googlegroups.com
Sent: Tuesday, 8 January 2013, 12:42
Subject: Re: Testing 1.7.1 on Fedora 18

Hi Stephen,

Bug raised as requested. I didn't see a place to set the CC field on the google/reviewboard bug tracker, so here's the URL so you can star it and get yourself CCed.

http://code.google.com/p/reviewboard/issues/detail?id=2850

Thanks,
Paul

--
Want to help the Review Board project? Donate today at http://www.reviewboard.org/donate/
Happy user? Let us know at http://www.reviewboard.org/users/
-~--~~~~--~~--~--~---
To unsubscribe from this group, send email to reviewboard+unsubscr...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/reviewboard?hl=en
Re: Testing 1.7.1 on Fedora 18
On Wed 16 Jan 2013 08:56:28 AM EST, p...@talk21.com wrote:
> Hi Stephen,
>
> Thanks for working on the reviewboard 1.7 packages for Fedora 18. Do you have plans for building a reviewboard 1.7 package for the EPEL repo? Currently EPEL contains reviewboard 1.6.15.
>
> http://koji.fedoraproject.org/koji/packageinfo?packageID=9694
> http://dl.fedoraproject.org/pub/epel/6/x86_64/repoview/ReviewBoard.html
>
> It's great to trial the latest and greatest on Fedora, but I'd like to use RHEL in production.
>
> Thanks,
> Paul
>
> *From:* p...@talk21.com p...@talk21.com
> *To:* Stephen Gallagher step...@gallagherhome.com
> *Cc:* chip...@chipx86.com chip...@chipx86.com; Christian Hammond chip...@gmail.com; reviewboard@googlegroups.com reviewboard@googlegroups.com
> *Sent:* Tuesday, 8 January 2013, 12:42
> *Subject:* Re: Testing 1.7.1 on Fedora 18
>
> Hi Stephen,
>
> Bug raised as requested. I didn't see a place to set the CC field on the google/reviewboard bug tracker, so here's the URL so you can star it and get yourself CCed.
>
> http://code.google.com/p/reviewboard/issues/detail?id=2850
>
> Thanks,
> Paul

Paul, yes I'm planning to get ReviewBoard 1.7 into EPEL 6 at some point. I haven't had the time yet (and there are many dependencies in EPEL 6 that need to be built first for it to work). It's on my radar, but I wouldn't expect to be able to finish it before the end of February at this point, given my $DAYJOB schedule right now.

I'm willing to accept comaintainers in Fedora/EPEL if you would like to help :)

The primary issues are:
* Finish porting Node.js to EPEL 6 (this is the Big One and one that I'm working on for multiple projects right now)
* Patch ReviewBoard so that it builds/runs with Django in a non-standard install location, since EPEL 6 has both Django (aka 1.3) and Django14 (aka 1.4) packages now, since 1.4 is not backwards-compatible.
* Port any remaining Python dependencies to EPEL
Re: Testing 1.7.1 on Fedora 18
Hi Stephen,

Bug raised as requested. I didn't see a place to set the CC field on the google/reviewboard bug tracker, so here's the URL so you can star it and get yourself CCed.

http://code.google.com/p/reviewboard/issues/detail?id=2850

Thanks,
Paul

From: Stephen Gallagher step...@gallagherhome.com
To: p...@talk21.com
Cc: chip...@chipx86.com chip...@chipx86.com; Christian Hammond chip...@gmail.com; reviewboard@googlegroups.com reviewboard@googlegroups.com
Sent: Monday, 7 January 2013, 19:55
Subject: Re: Testing 1.7.1 on Fedora 18

On 01/04/2013 04:07 AM, p...@talk21.com wrote:
> Hi Stephen,
>
> The following AVC denied errors occur:
>
> 1) named_connect to port 11211 (memcached)
>
> type=AVC msg=audit(1357289094.993:338): avc: denied { name_connect } for pid=1668 comm=httpd dest=11211 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:memcache_port_t:s0 tclass=tcp_socket
>
> Reviewboard 1.7.1 by default uses memcached, it seems like the SELinux profile for httpd doesn't allow TCP connections to port 11211. This failure does not prevent reviewboard from working, but is likely to affect performance. Should the profile shipped with Fedora be extended to allow these connections by default?

It's a boolean in the shipped configuration:
setsebool -P httpd_can_network_memcache 1

> [Unix permissions]
> Reviewboard initially detects that write permission is not available and returns a web page instructing the user to grant write permission with these commands:
>
> $ sudo chown -R apache /var/www/reviewboard/data
> $ sudo chown -R apache /var/www/reviewboard/htdocs/media/ext
>
> Once the permissions are changed, SELinux still prevents write access.

The individual permissions have nothing to do with SELinux. As I said in my other email, you need to make sure these files have the right context set (or install the site into /var/www/html, but I don't recommend that).

> 2) write to ext directory
>
> type=AVC msg=audit(1357289565.991:401): avc: denied { write } for pid=1665 comm=httpd name=ext dev=dm-1 ino=1896 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
>
> SELinux context is currently:
> $ ls -ldZ /var/www/reviewboard/htdocs/media/ext/
> drwxrwxr-x. apache pafee unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/reviewboard/htdocs/media/ext/
>
> Suggestion from SELinux Trouble shooter fixed this issue:
> $ sudo restorecon -v /var/www/reviewboard/htdocs/media/ext
> $ ls -ldZ /var/www/reviewboard/htdocs/media/ext/
> drwxrwxr-x. apache pafee unconfined_u:object_r:httpd_sys_rw_content_t:s0 /var/www/reviewboard/htdocs/media/ext/
>
> I agree it would be difficult for Fedora to predict where a reviewboard site would be placed. Would it be possible for rb-site install to set the SELinux security contexts of the files it creates?

I know this is possible from the libsemanage-python package. We could probably rig something up, but it's not going to be a trivial patch. Could you open a bug on the Review Board tracker about this and make sure I'm CCed on it, please?

Christian, I'll look into this one since I have a (limited) SELinux background. It would certainly be nice to have Review Board properly protected by SELinux.
Re: Testing 1.7.1 on Fedora 18
On 01/04/2013 04:07 AM, p...@talk21.com wrote:
> Hi Stephen,
>
> The following AVC denied errors occur:
>
> 1) named_connect to port 11211 (memcached)
>
> type=AVC msg=audit(1357289094.993:338): avc: denied { name_connect } for pid=1668 comm=httpd dest=11211 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:memcache_port_t:s0 tclass=tcp_socket
>
> Reviewboard 1.7.1 by default uses memcached, it seems like the SELinux profile for httpd doesn't allow TCP connections to port 11211. This failure does not prevent reviewboard from working, but is likely to affect performance. Should the profile shipped with Fedora be extended to allow these connections by default?

It's a boolean in the shipped configuration:
setsebool -P httpd_can_network_memcache 1

> [Unix permissions]
> Reviewboard initially detects that write permission is not available and returns a web page instructing the user to grant write permission with these commands:
>
> $ sudo chown -R apache /var/www/reviewboard/data
> $ sudo chown -R apache /var/www/reviewboard/htdocs/media/ext
>
> Once the permissions are changed, SELinux still prevents write access.

The individual permissions have nothing to do with SELinux. As I said in my other email, you need to make sure these files have the right context set (or install the site into /var/www/html, but I don't recommend that).

> 2) write to ext directory
>
> type=AVC msg=audit(1357289565.991:401): avc: denied { write } for pid=1665 comm=httpd name=ext dev=dm-1 ino=1896 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
>
> SELinux context is currently:
> $ ls -ldZ /var/www/reviewboard/htdocs/media/ext/
> drwxrwxr-x. apache pafee unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/reviewboard/htdocs/media/ext/
>
> Suggestion from SELinux Trouble shooter fixed this issue:
> $ sudo restorecon -v /var/www/reviewboard/htdocs/media/ext
> $ ls -ldZ /var/www/reviewboard/htdocs/media/ext/
> drwxrwxr-x. apache pafee unconfined_u:object_r:httpd_sys_rw_content_t:s0 /var/www/reviewboard/htdocs/media/ext/
>
> I agree it would be difficult for Fedora to predict where a reviewboard site would be placed. Would it be possible for rb-site install to set the SELinux security contexts of the files it creates?

I know this is possible from the libsemanage-python package. We could probably rig something up, but it's not going to be a trivial patch. Could you open a bug on the Review Board tracker about this and make sure I'm CCed on it, please?

Christian, I'll look into this one since I have a (limited) SELinux background. It would certainly be nice to have Review Board properly protected by SELinux.
Re: Testing 1.7.1 on Fedora 18
On 01/04/2013 04:30 AM, p...@talk21.com wrote:
> Hi Stephen,
>
> Another SELinux error I missed:
>
> 3) write to data directory
> Occurs when user tries to login.
>
> type=AVC msg=audit(1357290519.860:433): avc: denied { write } for pid=1666 comm=httpd name=data dev=dm-1 ino=1884 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
>
> As with the ext directory, this was fixed using the suggestion from SELinux trouble shooter:
> $ ls -ldZ /var/www/reviewboard/data
> drwxrwxr-x. apache pafee unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/reviewboard/data
> $ sudo restorecon -v /var/www/reviewboard/data/
> restorecon reset /var/www/reviewboard/data context unconfined_u:object_r:httpd_sys_content_t:s0->unconfined_u:object_r:httpd_sys_rw_content_t:s0
> $ ls -ldZ /var/www/reviewboard/data
> drwxrwxr-x. apache pafee unconfined_u:object_r:httpd_sys_rw_content_t:s0 /var/www/reviewboard/data

I think this will be corrected when we add the semanage support to rb-site.

> Fixing the two write denials allows reviewboard to function normally.
>
> Regarding memcached, in addition to the SELinux named_connect restriction, the memcached package is not installed. It's not a mandatory dependency of reviewboard, however the rb-site script does configure it by default. Should memcached be required by the F18 reviewboard package?

This is basically intentional. On Fedora, we don't have the Debian/Ubuntu concept of Recommends: packages. As a rule, we try to install the minimal subset of packages that are needed in order to operate. Since ReviewBoard *can* function without memcached installed on the local system (it can either connect to a remote memcached server or use a local file cache), it's not a hard dependency. This policy is in place to keep the amount of cruft down on a particular system especially if it's being installed somewhere with limited space (such as a small VM).

I'm technically already bending this policy by installing the client libraries for MySQL, PostgreSQL, SQLite and memcached alongside ReviewBoard, but they're all very small and none of those are system services that require their own configuration.

> A couple of commands allowed reviewboard to make use of memcached. This was verified by seeing the server cache stats present on the admin dashboard.
>
> $ sudo yum install memcached
> $ sudo systemctl start memcached.service

Yes, this is the proper way to run memcached. Though as I said, it does not need to run on the same machine as Review Board. For example, the site we're running in the Fedora Infrastructure is connected to an external memcached server (shared with multiple other web apps, but on dedicated hardware).
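Added example, not part of the thread and not Review Board or Fedora code: a Python triage script for the three AVC denials reported above, mapping each to the fix discussed (the `httpd_can_network_memcache` boolean, or relabelling to `httpd_sys_rw_content_t`). The `SITE_DIRS` name-to-path mapping and the persistent `semanage fcontext` rule are assumptions of this example; the thread itself only ran `restorecon`.

```python
import re
import shlex
from dataclasses import dataclass

# The three AVC records reported in the thread, copied from the messages above.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1357289094.993:338): avc: denied { name_connect } for pid=1668 comm=httpd dest=11211 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:memcache_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1357289565.991:401): avc: denied { write } for pid=1665 comm=httpd name=ext dev=dm-1 ino=1896 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=AVC msg=audit(1357290519.860:433): avc: denied { write } for pid=1666 comm=httpd name=data dev=dm-1 ino=1884 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
"""

# Assumption: AVC records carry only name= and ino=, so the caller supplies
# the directories the site must write to (paths taken from the thread).
SITE_DIRS = {
    "ext": "/var/www/reviewboard/htdocs/media/ext",
    "data": "/var/www/reviewboard/data",
}

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): "
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # values may or may not be quoted


@dataclass
class Denial:
    serial: int
    perms: tuple
    fields: dict
    source_type: str
    target_type: str
    tclass: str


def context_type(context):
    """Type field of user:role:type:level; the level itself may hold colons."""
    parts = context.split(":", 3)
    return parts[2] if len(parts) >= 3 else ""


def parse_avc(line):
    """Parse one audit line; return None for anything that is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return Denial(
        serial=int(m.group("serial")),
        perms=tuple(m.group("perms").split()),
        fields=fields,
        source_type=context_type(fields.get("scontext", "")),
        target_type=context_type(fields.get("tcontext", "")),
        tclass=fields.get("tclass", ""),
    )


def parse_log(text):
    return [d for d in map(parse_avc, text.splitlines()) if d is not None]


def remediate(denial, site_dirs):
    """Map a denial to the narrowest fix discussed in the thread."""
    if denial.source_type != "httpd_t":
        return [f"# serial {denial.serial}: not an httpd_t denial, review manually"]
    if (denial.tclass == "tcp_socket" and "name_connect" in denial.perms
            and denial.target_type == "memcache_port_t"):
        return ["setsebool -P httpd_can_network_memcache 1"]
    if (denial.tclass in ("dir", "file") and "write" in denial.perms
            and denial.target_type == "httpd_sys_content_t"):
        path = site_dirs.get(denial.fields.get("name", ""))
        if path is None:
            return [f"# serial {denial.serial}: unknown path for name="
                    f"{denial.fields.get('name')} ino={denial.fields.get('ino')}"]
        return [
            # Persist the writable label for this one directory tree only.
            "semanage fcontext -a -t httpd_sys_rw_content_t "
            + shlex.quote(path + "(/.*)?"),
            "restorecon -Rv " + shlex.quote(path),
        ]
    # Anything else gets a human look rather than a blanket allow rule.
    return [f"# serial {denial.serial}: no rule for {denial.perms} on "
            f"{denial.target_type}:{denial.tclass}, review manually"]


def plan(log_text, site_dirs):
    """Ordered, de-duplicated remediation steps for every denial in the log."""
    steps = []
    for denial in parse_log(log_text):
        for step in remediate(denial, site_dirs):
            if step not in steps:
                steps.append(step)
    return steps


if __name__ == "__main__":
    print("\n".join(plan(SAMPLE_AUDIT_LOG, SITE_DIRS)))
```

Only the directories listed in `SITE_DIRS` are relabelled as writable; the rest of the site keeps the read-only `httpd_sys_content_t` label.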
Re: Testing 1.7.1 on Fedora 18
On 01/04/2013 04:34 PM, Christian Hammond wrote:
> If we can do anything intelligent in rb-site to handle this, I'll happily take a patch for it. It'd have to be conditional on SELinux actually being on there, though.

Yeah, the conditional should be easy. libsemanage-python can check whether SELinux is supported by the kernel, and as long as it is (even if it's in permissive mode) we'll be able to set the permissions.
Re: Testing 1.7.1 on Fedora 18
Bug created as requested:
http://code.google.com/p/reviewboard/issues/detail?id=2846

Thanks,
Paul

From: Christian Hammond chip...@chipx86.com
To: p...@talk21.com
Cc: reviewboard@googlegroups.com reviewboard@googlegroups.com; Stephen Gallagher step...@gallagherhome.com
Sent: Friday, 4 January 2013, 0:27
Subject: Re: Testing 1.7.1 on Fedora 18

Hi,

On Thu, Jan 3, 2013 at 8:47 AM, p...@talk21.com wrote:
> Hi Stephen,
>
> After running rb-site install and visiting the website, I get errors about a couple of directories not being writeable. The web page helpfully suggests a couple of chmod -R commands. However on Fedora the SELinux profile for the httpd process prevents writing regardless of unix permissions. I'm not sure if there's anything Fedora can do to make that easier for users, perhaps it's just something to document. The SELinux Troubleshooter correctly indicates how to workaround this issue.
>
> Hi Christian,
>
> With my test site up and running, I had a brief look around. Here are a few issues I noticed on the admin pages:
>
> On the Admin dashboard, System Information section on left hand side
> 1) Both Review Emails and Email TLS Authentication are hyperlinks to the same page. Should they be different links or would one link be sufficient?

Yeah, they're just all quick ways of jumping to the setting for the page. The sidebar is meant to be a quick at-a-glance of certain setting values, and clicking on them takes you to the page containing that setting. There's going to be some overlap.

> 2) Indexed Search links to /admin/settings/general, which is the same as the General link at the system settings section. Perhaps this is influenced by my install not having PyLucene. Should Indexed Search link to a different page?

Nope, same as above.

> 3) General Settings admin page mentions PyLucene (with JCC) is required to enable search. See the documentation for instructions.. The documentation link points to http://www.reviewboard.org/docs/manual/dev/admin/sites/enabling-search/ however that serves up a 404 Not Found page.

I'll make sure to fix the link for the next release.

> 4) Review Board Activity: Clicking on the four toggle buttons (Reviews, Comments, Review Requests, Changes) affects how much data is plotted. The graph goes from four datasets down to one. Deactivating the last toggle greys out the last button, but doesn't remove the last dataset from the graph (tested on Firefox 17, Fedora 17).

Would you mind filing a bug on this one? I'll see what we can do about it. Hoping to get some unit tests in place for these widgets in time.

Thanks!

Christian

--
Christian Hammond - chip...@chipx86.com
Review Board - http://www.reviewboard.org
VMware, Inc. - http://www.vmware.com
Re: Testing 1.7.1 on Fedora 18
Hi Stephen,

The following AVC denied errors occur:

1) named_connect to port 11211 (memcached)

type=AVC msg=audit(1357289094.993:338): avc: denied { name_connect } for pid=1668 comm=httpd dest=11211 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:memcache_port_t:s0 tclass=tcp_socket

Reviewboard 1.7.1 by default uses memcached, it seems like the SELinux profile for httpd doesn't allow TCP connections to port 11211. This failure does not prevent reviewboard from working, but is likely to affect performance. Should the profile shipped with Fedora be extended to allow these connections by default?

[Unix permissions]
Reviewboard initially detects that write permission is not available and returns a web page instructing the user to grant write permission with these commands:

$ sudo chown -R apache /var/www/reviewboard/data
$ sudo chown -R apache /var/www/reviewboard/htdocs/media/ext

Once the permissions are changed, SELinux still prevents write access.

2) write to ext directory

type=AVC msg=audit(1357289565.991:401): avc: denied { write } for pid=1665 comm=httpd name=ext dev=dm-1 ino=1896 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir

SELinux context is currently:
$ ls -ldZ /var/www/reviewboard/htdocs/media/ext/
drwxrwxr-x. apache pafee unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/reviewboard/htdocs/media/ext/

Suggestion from SELinux Trouble shooter fixed this issue:
$ sudo restorecon -v /var/www/reviewboard/htdocs/media/ext
$ ls -ldZ /var/www/reviewboard/htdocs/media/ext/
drwxrwxr-x. apache pafee unconfined_u:object_r:httpd_sys_rw_content_t:s0 /var/www/reviewboard/htdocs/media/ext/

I agree it would be difficult for Fedora to predict where a reviewboard site would be placed. Would it be possible for rb-site install to set the SELinux security contexts of the files it creates?

Thanks,
Paul

From: Stephen Gallagher step...@gallagherhome.com
To: p...@talk21.com
Cc: chip...@chipx86.com chip...@chipx86.com; Christian Hammond chip...@gmail.com; reviewboard@googlegroups.com reviewboard@googlegroups.com
Sent: Thursday, 3 January 2013, 18:25
Subject: Re: Testing 1.7.1 on Fedora 18

On Thu 03 Jan 2013 11:47:06 AM EST, p...@talk21.com wrote:
> Hi Stephen,
>
> After running rb-site install and visiting the website, I get errors about a couple of directories not being writeable. The web page helpfully suggests a couple of chmod -R commands. However on Fedora the SELinux profile for the httpd process prevents writing regardless of unix permissions. I'm not sure if there's anything Fedora can do to make that easier for users, perhaps it's just something to document. The SELinux Troubleshooter correctly indicates how to workaround this issue.

We can't really make this easier because we don't have advance knowledge of where you're installing the Review Board site. I *think* what you need to do is set the following SELinux contexts (with 'chcon -t context file' or 'chcon -R -r context directory'):

1) apache-wsgi.conf needs to be httpd_config_t
2) $SITE_DIR/htdocs and $SITE_DIR/data (if using an SQLITE DB) need to be httpd_sys_content_t

What else did the Troubleshooter say? I'm naming those from memory.
Re: Testing 1.7.1 on Fedora 18
Hi Stephen,

Another SELinux error I missed:

3) write to data directory
Occurs when user tries to login.

type=AVC msg=audit(1357290519.860:433): avc: denied { write } for pid=1666 comm=httpd name=data dev=dm-1 ino=1884 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir

As with the ext directory, this was fixed using the suggestion from SELinux trouble shooter:
$ ls -ldZ /var/www/reviewboard/data
drwxrwxr-x. apache pafee unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/reviewboard/data
$ sudo restorecon -v /var/www/reviewboard/data/
restorecon reset /var/www/reviewboard/data context unconfined_u:object_r:httpd_sys_content_t:s0->unconfined_u:object_r:httpd_sys_rw_content_t:s0
$ ls -ldZ /var/www/reviewboard/data
drwxrwxr-x. apache pafee unconfined_u:object_r:httpd_sys_rw_content_t:s0 /var/www/reviewboard/data

Fixing the two write denials allows reviewboard to function normally.

Regarding memcached, in addition to the SELinux named_connect restriction, the memcached package is not installed. It's not a mandatory dependency of reviewboard, however the rb-site script does configure it by default. Should memcached be required by the F18 reviewboard package?

A couple of commands allowed reviewboard to make use of memcached. This was verified by seeing the server cache stats present on the admin dashboard.

$ sudo yum install memcached
$ sudo systemctl start memcached.service

Thanks,
Paul

From: p...@talk21.com p...@talk21.com
To: Stephen Gallagher step...@gallagherhome.com
Cc: chip...@chipx86.com chip...@chipx86.com; Christian Hammond chip...@gmail.com; reviewboard@googlegroups.com reviewboard@googlegroups.com
Sent: Friday, 4 January 2013, 9:07
Subject: Re: Testing 1.7.1 on Fedora 18

Hi Stephen,

The following AVC denied errors occur:

1) named_connect to port 11211 (memcached)

type=AVC msg=audit(1357289094.993:338): avc: denied { name_connect } for pid=1668 comm=httpd dest=11211 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:memcache_port_t:s0 tclass=tcp_socket

Reviewboard 1.7.1 by default uses memcached, it seems like the SELinux profile for httpd doesn't allow TCP connections to port 11211. This failure does not prevent reviewboard from working, but is likely to affect performance. Should the profile shipped with Fedora be extended to allow these connections by default?

[Unix permissions]
Reviewboard initially detects that write permission is not available and returns a web page instructing the user to grant write permission with these commands:

$ sudo chown -R apache /var/www/reviewboard/data
$ sudo chown -R apache /var/www/reviewboard/htdocs/media/ext

Once the permissions are changed, SELinux still prevents write access.

2) write to ext directory

type=AVC msg=audit(1357289565.991:401): avc: denied { write } for pid=1665 comm=httpd name=ext dev=dm-1 ino=1896 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir

SELinux context is currently:
$ ls -ldZ /var/www/reviewboard/htdocs/media/ext/
drwxrwxr-x. apache pafee unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/reviewboard/htdocs/media/ext/

Suggestion from SELinux Trouble shooter fixed this issue:
$ sudo restorecon -v /var/www/reviewboard/htdocs/media/ext
$ ls -ldZ /var/www/reviewboard/htdocs/media/ext/
drwxrwxr-x. apache pafee unconfined_u:object_r:httpd_sys_rw_content_t:s0 /var/www/reviewboard/htdocs/media/ext/

I agree it would be difficult for Fedora to predict where a reviewboard site would be placed. Would it be possible for rb-site install to set the SELinux security contexts of the files it creates?

Thanks,
Paul

From: Stephen Gallagher step...@gallagherhome.com
To: p...@talk21.com
Cc: chip...@chipx86.com chip...@chipx86.com; Christian Hammond chip...@gmail.com; reviewboard@googlegroups.com reviewboard@googlegroups.com
Sent: Thursday, 3 January 2013, 18:25
Subject: Re: Testing 1.7.1 on Fedora 18

On Thu 03 Jan 2013 11:47:06 AM EST, p...@talk21.com wrote:
> Hi Stephen,
>
> After running rb-site install and visiting the website, I get errors about a couple of directories not being writeable. The web page helpfully suggests a couple of chmod -R commands. However on Fedora the SELinux profile for the httpd process prevents writing regardless of unix permissions. I'm not sure if there's anything Fedora can do to make that easier for users, perhaps it's just something to document. The SELinux Troubleshooter correctly indicates how to workaround this issue.

We can't really make this easier because we don't have advance knowledge of where you're installing the Review Board site. I *think* what you need to do is set the following SELinux contexts (with 'chcon -t context file' or 'chcon -R -r context directory'):

1) apache-wsgi.conf needs to be httpd_config_t
2
Re: Testing 1.7.1 on Fedora 18
On 2013-01-04 04:07, p...@talk21.com wrote:
> Hi Stephen, The following AVC denied errors occur: snip?

You know... just FYI, now that you mention it, I remember I had to tweak SELinux on my system... Specifically, I had to allow access to postgresql, git and LDAP. (Probably need to do likewise for the appropriate database backend, as well as any VCS or authentication method in use; those are just the ones I'm using.)

--
Matthew
Re: Testing 1.7.1 on Fedora 18
If we can do anything intelligent in rb-site to handle this, I'll happily take a patch for it. It'd have to be conditional on SELinux actually being on there, though.

Christian

--
Christian Hammond - chip...@chipx86.com
Review Board - http://www.reviewboard.org
VMware, Inc. - http://www.vmware.com

On Fri, Jan 4, 2013 at 1:07 AM, p...@talk21.com wrote:
> Hi Stephen,
>
> The following AVC denied errors occur:
>
> 1) named_connect to port 11211 (memcached)
>
> type=AVC msg=audit(1357289094.993:338): avc: denied { name_connect } for pid=1668 comm=httpd dest=11211 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:memcache_port_t:s0 tclass=tcp_socket
>
> Reviewboard 1.7.1 by default uses memcached, it seems like the SELinux profile for httpd doesn't allow TCP connections to port 11211. This failure does not prevent reviewboard from working, but is likely to affect performance. Should the profile shipped with Fedora be extended to allow these connections by default?
>
> [Unix permissions]
> Reviewboard initially detects that write permission is not available and returns a web page instructing the user to grant write permission with these commands:
>
> $ sudo chown -R apache /var/www/reviewboard/data
> $ sudo chown -R apache /var/www/reviewboard/htdocs/media/ext
>
> Once the permissions are changed, SELinux still prevents write access.
>
> 2) write to ext directory
>
> type=AVC msg=audit(1357289565.991:401): avc: denied { write } for pid=1665 comm=httpd name=ext dev=dm-1 ino=1896 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
>
> SELinux context is currently:
> $ ls -ldZ /var/www/reviewboard/htdocs/media/ext/
> drwxrwxr-x. apache pafee unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/reviewboard/htdocs/media/ext/
>
> Suggestion from SELinux Trouble shooter fixed this issue:
> $ sudo restorecon -v /var/www/reviewboard/htdocs/media/ext
> $ ls -ldZ /var/www/reviewboard/htdocs/media/ext/
> drwxrwxr-x. apache pafee unconfined_u:object_r:httpd_sys_rw_content_t:s0 /var/www/reviewboard/htdocs/media/ext/
>
> I agree it would be difficult for Fedora to predict where a reviewboard site would be placed. Would it be possible for rb-site install to set the SELinux security contexts of the files it creates?
>
> Thanks,
> Paul
>
> --
> *From:* Stephen Gallagher step...@gallagherhome.com
> *To:* p...@talk21.com
> *Cc:* chip...@chipx86.com chip...@chipx86.com; Christian Hammond chip...@gmail.com; reviewboard@googlegroups.com reviewboard@googlegroups.com
> *Sent:* Thursday, 3 January 2013, 18:25
> *Subject:* Re: Testing 1.7.1 on Fedora 18
>
> On Thu 03 Jan 2013 11:47:06 AM EST, p...@talk21.com wrote:
> > Hi Stephen,
> >
> > After running rb-site install and visiting the website, I get errors about a couple of directories not being writeable. The web page helpfully suggests a couple of chmod -R commands. However on Fedora the SELinux profile for the httpd process prevents writing regardless of unix permissions. I'm not sure if there's anything Fedora can do to make that easier for users, perhaps it's just something to document. The SELinux Troubleshooter correctly indicates how to workaround this issue.
>
> We can't really make this easier because we don't have advance knowledge of where you're installing the Review Board site. I *think* what you need to do is set the following SELinux contexts (with 'chcon -t context file' or 'chcon -R -r context directory'):
>
> 1) apache-wsgi.conf needs to be httpd_config_t
> 2) $SITE_DIR/htdocs and $SITE_DIR/data (if using an SQLITE DB) need to be httpd_sys_content_t
>
> What else did the Troubleshooter say? I'm naming those from memory.
Re: Testing 1.7.1 on Fedora 18
On Thu 03 Jan 2013 11:47:06 AM EST, p...@talk21.com wrote:
> Hi Stephen,
>
> After running rb-site install and visiting the website, I get errors about a couple of directories not being writeable. The web page helpfully suggests a couple of chmod -R commands. However on Fedora the SELinux profile for the httpd process prevents writing regardless of unix permissions. I'm not sure if there's anything Fedora can do to make that easier for users, perhaps it's just something to document. The SELinux Troubleshooter correctly indicates how to workaround this issue.

We can't really make this easier because we don't have advance knowledge of where you're installing the Review Board site. I *think* what you need to do is set the following SELinux contexts (with 'chcon -t context file' or 'chcon -R -r context directory'):

1) apache-wsgi.conf needs to be httpd_config_t
2) $SITE_DIR/htdocs and $SITE_DIR/data (if using an SQLITE DB) need to be httpd_sys_content_t

What else did the Troubleshooter say? I'm naming those from memory.
Re: Testing 1.7.1 on Fedora 18
Hi,

On Thu, Jan 3, 2013 at 8:47 AM, p...@talk21.com wrote:
> Hi Stephen,
>
> After running rb-site install and visiting the website, I get errors about a couple of directories not being writeable. The web page helpfully suggests a couple of chmod -R commands. However on Fedora the SELinux profile for the httpd process prevents writing regardless of unix permissions. I'm not sure if there's anything Fedora can do to make that easier for users, perhaps it's just something to document. The SELinux Troubleshooter correctly indicates how to workaround this issue.
>
> Hi Christian,
>
> With my test site up and running, I had a brief look around. Here are a few issues I noticed on the admin pages:
>
> On the Admin dashboard, System Information section on left hand side
> 1) Both Review Emails and Email TLS Authentication are hyperlinks to the same page. Should they be different links or would one link be sufficient?

Yeah, they're just all quick ways of jumping to the setting for the page. The sidebar is meant to be a quick at-a-glance of certain setting values, and clicking on them takes you to the page containing that setting. There's going to be some overlap.

> 2) Indexed Search links to /admin/settings/general, which is the same as the General link at the system settings section. Perhaps this is influenced by my install not having PyLucene. Should Indexed Search link to a different page?

Nope, same as above.

> 3) General Settings admin page mentions PyLucene (with JCC) is required to enable search. See the documentation http://www.reviewboard.org/docs/manual/dev/admin/sites/enabling-search/ for instructions.. The documentation link points to http://www.reviewboard.org/docs/manual/dev/admin/sites/enabling-search/ however that serves up a 404 Not Found page.

I'll make sure to fix the link for the next release.

> 4) Review Board Activity: Clicking on the four toggle buttons (Reviews, Comments, Review Requests, Changes) affects how much data is plotted. The graph goes from four datasets down to one. Deactivating the last toggle greys out the last button, but doesn't remove the last dataset from the graph (tested on Firefox 17, Fedora 17).

Would you mind filing a bug on this one? I'll see what we can do about it. Hoping to get some unit tests in place for these widgets in time.

Thanks!

Christian

--
Christian Hammond - chip...@chipx86.com
Review Board - http://www.reviewboard.org
VMware, Inc. - http://www.vmware.com