Re: se linux blocking review board
To the professionals who work with Review Board

I'm eager to get started with Review Board, but it's not working out of the box. I have Fedora 20 installed, with RB 1.7.26 with httpd 2.4.10. I can only work ReviewBoard if I turn off selinux, i.e. setenforce off. We cannot do this on production. Here are the audit logs associated with accessing review board. Note there's more than just httpd in this mix, but also memcached. What access rights am I missing?

type=AVC msg=audit(1408653306.680:2131): avc: denied { name_connect } for pid=17402 comm=httpd dest=11211 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:memcache_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1408653306.680:2131): arch=c03e syscall=42 success=no exit=-13 a0=e a1=7fffbe2e0db0 a2=10 a3=7f80d17c79c8 items=0 ppid=17356 pid=17402 auid=4294967295 uid=1152 gid=100 euid=1152 suid=1152 fsuid=1152 egid=100 sgid=100 fsgid=100 tty=(none) ses=4294967295 comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)
type=PROCTITLE msg=audit(1408653306.680:2131): proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
type=AVC msg=audit(1408653306.803:2132): avc: denied { write } for pid=17402 comm=httpd name=data dev=dm-8 ino=260102 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=SYSCALL msg=audit(1408653306.803:2132): arch=c03e syscall=21 success=no exit=-13 a0=7f80d63eb990 a1=2 a2=7f80c6223f88 a3=0 items=0 ppid=17356 pid=17402 auid=4294967295 uid=1152 gid=100 euid=1152 suid=1152 fsuid=1152 egid=100 sgid=100 fsgid=100 tty=(none) ses=4294967295 comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)
type=PROCTITLE msg=audit(1408653306.803:2132): proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
type=AVC msg=audit(1408653306.803:2133): avc: denied { write } for pid=17402 comm=httpd name=data dev=dm-8 ino=260102 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=SYSCALL msg=audit(1408653306.803:2133): arch=c03e syscall=21 success=no exit=-13 a0=7f80d65442c0 a1=2 a2=7f80c6223f88 a3=0 items=0 ppid=17356 pid=17402 auid=4294967295 uid=1152 gid=100 euid=1152 suid=1152 fsuid=1152 egid=100 sgid=100 fsgid=100 tty=(none) ses=4294967295 comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)
type=PROCTITLE msg=audit(1408653306.803:2133): proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
type=AVC msg=audit(1408653306.803:2134): avc: denied { write } for pid=17402 comm=httpd name=ext dev=dm-8 ino=260116 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=SYSCALL msg=audit(1408653306.803:2134): arch=c03e syscall=21 success=no exit=-13 a0=7f80d5c39120 a1=2 a2=7f80c6223f88 a3=0 items=0 ppid=17356 pid=17402 auid=4294967295 uid=1152 gid=100 euid=1152 suid=1152 fsuid=1152 egid=100 sgid=100 fsgid=100 tty=(none) ses=4294967295 comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)
type=PROCTITLE msg=audit(1408653306.803:2134): proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
type=AVC msg=audit(1408653306.803:2135): avc: denied { write } for pid=17402 comm=httpd name=ext dev=dm-8 ino=260116 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=SYSCALL msg=audit(1408653306.803:2135): arch=c03e syscall=21 success=no exit=-13 a0=7f80d5c39120 a1=2 a2=7f80c6223f88 a3=0 items=0 ppid=17356 pid=17402 auid=4294967295 uid=1152 gid=100 euid=1152 suid=1152 fsuid=1152 egid=100 sgid=100 fsgid=100 tty=(none) ses=4294967295 comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)
type=PROCTITLE msg=audit(1408653306.803:2135): proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44

-- Get the Review Board Power Pack at http://www.reviewboard.org/powerpack/ --- Sign up for Review Board hosting at RBCommons: https://rbcommons.com/ --- Happy user? Let us know at http://www.reviewboard.org/users/ --- You received this message because you are subscribed to the Google Groups reviewboard group. To unsubscribe from this group and stop receiving emails from it, send an email to reviewboard+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/d/optout.

Here's a couple of selinux changes I had to make to run ReviewBoard on a Fedora system with selinux enabled:

setsebool -P httpd_can_network_connect 1

- This will fix the denial name_connect in your audit logs which is preventing httpd from communicating with memcached.

I had to allow httpd to write to certain ReviewBoard directories so I needed to change the selinux context for those directories:

chcon -t httpd_sys_rw_content_t /var/www/reviewboard/data/
chcon -t httpd_sys_rw_content_t
Re: se linux blocking review board
On 08/21/2014 05:12 PM, Matthew Woehlke wrote:

On 2014-08-21 16:53, Tyler Mace wrote:

I'm eager to get started with Review Board, but it's not working out of the box. I have Fedora 20 installed, with RB 1.7.26 with httpd 2.4.10. I can only work ReviewBoard if I turn off selinux, i.e. setenforce off. We cannot do this on production.

This is similar to my setup, which is working, and *does* have SELinux in 'enforcing' mode. It was necessary for me to create some additional rules, however. Unfortunately, while I still have those rules installed, I don't have the files from which they were created, which as I understand are necessary to create them on other systems (or e.g. bundle with the .rpm).

If you're willing to help work through these issues in order to get it working on your machine, and then contribute back the necessary files so that the rules can be set up automatically with the .rpm, I'm sure that would be greatly appreciated.

You might also want to look at the audit2why and audit2allow commands. If you get it working, please don't make the mistake I made and delete the rule input files :-), but contribute them back.

Stephen Gallagher (who usually reads this list, and is the Fedora packager for RB) may also be able to help out. However he seems to have a somewhat erratic schedule, so don't panic if he doesn't jump in right away.

Erratic doesn't begin to describe it :)

So, I've been meaning for about a year now to try to deal with the SELinux situation. The problem is this: I can't make a general set of SELinux policies work because Review Board sites don't have a fixed location on disk (you can install a site to any path).

I've been meaning for a long time now to work on adding semanage support into the actual 'rb-site install' command so that we can assign the appropriate SELinux contexts to the installed site, but I haven't been able to find the time to do so.
Re: se linux blocking review board
On 08/22/2014 07:04 AM, Cian Mc Govern wrote:

To the professionals who work with Review Board

I'm eager to get started with Review Board, but it's not working out of the box. I have Fedora 20 installed, with RB 1.7.26 with httpd 2.4.10. I can only work ReviewBoard if I turn off selinux, i.e. setenforce off. We cannot do this on production. Here are the audit logs associated with accessing review board. Note there's more than just httpd in this mix, but also memcached. What access rights am I missing?

Here's a couple of selinux changes I had to make to run ReviewBoard
Re: se linux blocking review board
On 22 August 2014 13:50, Stephen Gallagher step...@gallagherhome.com wrote:

On 08/22/2014 07:04 AM, Cian Mc Govern wrote:

To the professionals who work with Review Board

I'm eager to get started with Review Board, but it's not working out of the box. I have Fedora 20 installed, with RB 1.7.26 with httpd 2.4.10. I can only work ReviewBoard if I turn off selinux, i.e. setenforce off. We cannot do this on production. Here are the audit logs associated with accessing review board. Note there's more than just httpd in this mix, but also memcached. What access rights am I missing?
Re: se linux blocking review board
I am attaching the result of audit2why.txt. This is great stuff, and clarifies potential solutions. Phew! But doing this on the .rpm or on the installer would be way more helpful. Users like me have no knowledge of audit2why or audit2allow.

-Tyler

On Thursday, August 21, 2014 5:12:06 PM UTC-4, Matthew Woehlke wrote:

On 2014-08-21 16:53, Tyler Mace wrote:

I'm eager to get started with Review Board, but it's not working out of the box. I have Fedora 20 installed, with RB 1.7.26 with httpd 2.4.10. I can only work ReviewBoard if I turn off selinux, i.e. setenforce off. We cannot do this on production.

This is similar to my setup, which is working, and *does* have SELinux in 'enforcing' mode. It was necessary for me to create some additional rules, however. Unfortunately, while I still have those rules installed, I don't have the files from which they were created, which as I understand are necessary to create them on other systems (or e.g. bundle with the .rpm).

If you're willing to help work through these issues in order to get it working on your machine, and then contribute back the necessary files so that the rules can be set up automatically with the .rpm, I'm sure that would be greatly appreciated.

You might also want to look at the audit2why and audit2allow commands. If you get it working, please don't make the mistake I made and delete the rule input files :-), but contribute them back.

Stephen Gallagher (who usually reads this list, and is the Fedora packager for RB) may also be able to help out. However he seems to have a somewhat erratic schedule, so don't panic if he doesn't jump in right away.

--
Matthew

type=AVC msg=audit(1408653306.680:2131): avc: denied { name_connect } for pid=17402 comm=httpd dest=11211 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:memcache_port_t:s0 tclass=tcp_socket

    Was caused by:
    One of the following booleans was set incorrectly.

    Description:
    Allow httpd to act as a relay
    Allow access by executing:
    # setsebool -P httpd_can_network_relay 1

    Description:
    Allow httpd to connect to memcache server
    Allow access by executing:
    # setsebool -P httpd_can_network_memcache 1

    Description:
    Allow HTTPD scripts and modules to connect to the network using TCP.
    Allow access by executing:
    # setsebool -P httpd_can_network_connect 1

type=AVC msg=audit(1408653306.803:2132): avc: denied { write } for pid=17402 comm=httpd name=data dev=dm-8 ino=260102 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir

    Was caused by:
    The boolean httpd_unified was set incorrectly.

    Description:
    Unify HTTPD handling of all content files.
    Allow access by executing:
    # setsebool -P httpd_unified 1

type=AVC msg=audit(1408653306.803:2133): avc: denied { write } for pid=17402 comm=httpd name=data dev=dm-8 ino=260102 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir

    Was caused by:
    The boolean httpd_unified was set incorrectly.

    Description:
    Unify HTTPD handling of all content files.
    Allow access by executing:
    # setsebool -P httpd_unified 1

type=AVC msg=audit(1408653306.803:2134): avc: denied { write } for pid=17402 comm=httpd name=ext dev=dm-8 ino=260116 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir

    Was caused by:
    The boolean httpd_unified was set incorrectly.

    Description:
    Unify HTTPD handling of all content files.
    Allow access by executing:
    # setsebool -P httpd_unified 1

type=AVC msg=audit(1408653306.803:2135): avc: denied { write } for pid=17402 comm=httpd name=ext dev=dm-8 ino=260116 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir

    Was caused by:
    The boolean httpd_unified was set incorrectly.

    Description:
    Unify HTTPD handling of all content files.
    Allow access by executing:
    # setsebool -P httpd_unified 1
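The audit log in this thread repeats the same denial several times, and each PROCTITLE record carries the command line hex-encoded. As an added example (not code from any poster or from Review Board), this Python parser joins records by audit event ID and collapses the denials into distinct rows; the sample lines are a subset copied from the thread, and all function names are this example's own.

```python
import re

# Sample input: a subset of the audit records posted in this thread
# (SYSCALL records and the last duplicate denial left out).
SAMPLE_LOG = """\
type=AVC msg=audit(1408653306.680:2131): avc: denied { name_connect } for pid=17402 comm=httpd dest=11211 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:memcache_port_t:s0 tclass=tcp_socket
type=PROCTITLE msg=audit(1408653306.680:2131): proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
type=AVC msg=audit(1408653306.803:2132): avc: denied { write } for pid=17402 comm=httpd name=data dev=dm-8 ino=260102 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=AVC msg=audit(1408653306.803:2133): avc: denied { write } for pid=17402 comm=httpd name=data dev=dm-8 ino=260102 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=AVC msg=audit(1408653306.803:2134): avc: denied { write } for pid=17402 comm=httpd name=ext dev=dm-8 ino=260116 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
"""

# "type=X msg=audit(<timestamp>:<serial>): <body>"; the id ties records together
HEADER = re.compile(r"^type=(\w+) msg=audit\(([\d.]+:\d+)\):\s*(.*)$")
AVC = re.compile(r"avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)$")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def setype(context):
    """Return the type field of a user:role:type:level SELinux context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def decode_proctitle(raw):
    """auditd hex-encodes a command line whose arguments are NUL-separated."""
    if raw.startswith('"'):
        return raw.strip('"')          # logged as plain quoted text
    try:
        return bytes.fromhex(raw).replace(b"\x00", b" ").decode("utf-8", "replace")
    except ValueError:
        return raw                     # not hex after all; keep as logged


def summarize_denials(log_text):
    """Collapse AVC denials into distinct (source, target, class, perms, object) rows."""
    proctitles = {}   # audit event id -> decoded command line
    groups = {}       # denial key -> list of event ids (insertion ordered)
    for line in log_text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue
        rtype, event_id, body = m.groups()
        if rtype == "PROCTITLE" and body.startswith("proctitle="):
            proctitles[event_id] = decode_proctitle(body[len("proctitle="):])
        elif rtype == "AVC":
            avc = AVC.search(body)
            if not avc or avc.group(1) != "denied":
                continue
            f = {k: v.strip('"') for k, v in FIELD.findall(avc.group(3))}
            key = (
                setype(f.get("scontext", "?")),
                setype(f.get("tcontext", "?")),
                f.get("tclass", "?"),
                tuple(sorted(avc.group(2).split())),
                f.get("name") or f.get("path") or f.get("dest") or "?",
            )
            groups.setdefault(key, []).append(event_id)
    rows = []
    for (source, target, tclass, perms, obj), ids in groups.items():
        command = next((proctitles[i] for i in ids if i in proctitles), "")
        rows.append({"source": source, "target": target, "tclass": tclass,
                     "perms": perms, "object": obj, "count": len(ids),
                     "command": command})
    return rows


if __name__ == "__main__":
    for row in summarize_denials(SAMPLE_LOG):
        print("{count}x {source} -> {target}:{tclass} {perms} "
              "object={object} {command}".format(**row))
```

Each row names one source type, target type and object, which is the level at which a boolean or a file-context change is decided.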
se linux blocking review board
To the professionals who work with Review Board

I'm eager to get started with Review Board, but it's not working out of the box. I have Fedora 20 installed, with RB 1.7.26 with httpd 2.4.10. I can only work ReviewBoard if I turn off selinux, i.e. setenforce off. We cannot do this on production. Here are the audit logs associated with accessing review board. Note there's more than just httpd in this mix, but also memcached. What access rights am I missing?

type=AVC msg=audit(1408653306.680:2131): avc: denied { name_connect } for pid=17402 comm=httpd dest=11211 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:memcache_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1408653306.680:2131): arch=c03e syscall=42 success=no exit=-13 a0=e a1=7fffbe2e0db0 a2=10 a3=7f80d17c79c8 items=0 ppid=17356 pid=17402 auid=4294967295 uid=1152 gid=100 euid=1152 suid=1152 fsuid=1152 egid=100 sgid=100 fsgid=100 tty=(none) ses=4294967295 comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)
type=PROCTITLE msg=audit(1408653306.680:2131): proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
type=AVC msg=audit(1408653306.803:2132): avc: denied { write } for pid=17402 comm=httpd name=data dev=dm-8 ino=260102 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=SYSCALL msg=audit(1408653306.803:2132): arch=c03e syscall=21 success=no exit=-13 a0=7f80d63eb990 a1=2 a2=7f80c6223f88 a3=0 items=0 ppid=17356 pid=17402 auid=4294967295 uid=1152 gid=100 euid=1152 suid=1152 fsuid=1152 egid=100 sgid=100 fsgid=100 tty=(none) ses=4294967295 comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)
type=PROCTITLE msg=audit(1408653306.803:2132): proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
type=AVC msg=audit(1408653306.803:2133): avc: denied { write } for pid=17402 comm=httpd name=data dev=dm-8 ino=260102 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=SYSCALL msg=audit(1408653306.803:2133): arch=c03e syscall=21 success=no exit=-13 a0=7f80d65442c0 a1=2 a2=7f80c6223f88 a3=0 items=0 ppid=17356 pid=17402 auid=4294967295 uid=1152 gid=100 euid=1152 suid=1152 fsuid=1152 egid=100 sgid=100 fsgid=100 tty=(none) ses=4294967295 comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)
type=PROCTITLE msg=audit(1408653306.803:2133): proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
type=AVC msg=audit(1408653306.803:2134): avc: denied { write } for pid=17402 comm=httpd name=ext dev=dm-8 ino=260116 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=SYSCALL msg=audit(1408653306.803:2134): arch=c03e syscall=21 success=no exit=-13 a0=7f80d5c39120 a1=2 a2=7f80c6223f88 a3=0 items=0 ppid=17356 pid=17402 auid=4294967295 uid=1152 gid=100 euid=1152 suid=1152 fsuid=1152 egid=100 sgid=100 fsgid=100 tty=(none) ses=4294967295 comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)
type=PROCTITLE msg=audit(1408653306.803:2134): proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
type=AVC msg=audit(1408653306.803:2135): avc: denied { write } for pid=17402 comm=httpd name=ext dev=dm-8 ino=260116 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=SYSCALL msg=audit(1408653306.803:2135): arch=c03e syscall=21 success=no exit=-13 a0=7f80d5c39120 a1=2 a2=7f80c6223f88 a3=0 items=0 ppid=17356 pid=17402 auid=4294967295 uid=1152 gid=100 euid=1152 suid=1152 fsuid=1152 egid=100 sgid=100 fsgid=100 tty=(none) ses=4294967295 comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)
type=PROCTITLE msg=audit(1408653306.803:2135): proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
Re: se linux blocking review board
On 2014-08-21 16:53, Tyler Mace wrote:

I'm eager to get started with Review Board, but it's not working out of the box. I have Fedora 20 installed, with RB 1.7.26 with httpd 2.4.10. I can only work ReviewBoard if I turn off selinux, i.e. setenforce off. We cannot do this on production.

This is similar to my setup, which is working, and *does* have SELinux in 'enforcing' mode. It was necessary for me to create some additional rules, however. Unfortunately, while I still have those rules installed, I don't have the files from which they were created, which as I understand are necessary to create them on other systems (or e.g. bundle with the .rpm).

If you're willing to help work through these issues in order to get it working on your machine, and then contribute back the necessary files so that the rules can be set up automatically with the .rpm, I'm sure that would be greatly appreciated.

You might also want to look at the audit2why and audit2allow commands. If you get it working, please don't make the mistake I made and delete the rule input files :-), but contribute them back.

Stephen Gallagher (who usually reads this list, and is the Fedora packager for RB) may also be able to help out. However he seems to have a somewhat erratic schedule, so don't panic if he doesn't jump in right away.

--
Matthew