On 22 August 2014 13:50, Stephen Gallagher <[email protected]>
wrote:
> On 08/22/2014 07:04 AM, Cian Mc Govern wrote:
> >
> > To the professionals who work with Review Board
> >
> > I'm eager to get started with Review Board, but it's not working out
> > of the box. I have Fedora 20 installed, with RB 1.7.26 with httpd
> > 2.4.10.
> >
> > I can only work ReviewBoard if I turn off selinux, i.e. "setenforce
> > off." We cannot do this on production.
> >
> > Here are the audit logs associated with accessing review board. Note
> > there's more than just httpd in this mix, but also memcached. What
> > access rights am I missing?
> >
> > type=AVC msg=audit(1408653306.680:2131): avc: denied {
> > name_connect } for pid=17402 comm="httpd" dest=11211
> > scontext=system_u:system_r:httpd_t:s0
> > tcontext=system_u:object_r:memcache_port_t:s0 tclass=tcp_socket
> > type=SYSCALL msg=audit(1408653306.680:2131): arch=c000003e
> > syscall=42 success=no exit=-13 a0=e a1=7fffbe2e0db0 a2=10
> > a3=7f80d17c79c8 items=0 ppid=17356 pid=17402 auid=4294967295
> > uid=1152 gid=100 euid=1152 suid=1152 fsuid=1152 egid=100 sgid=100
> > fsgid=100 tty=(none) ses=4294967295 comm="httpd"
> > exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
> > type=PROCTITLE msg=audit(1408653306.680:2131):
> > proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
> > type=AVC msg=audit(1408653306.803:2132): avc: denied { write }
> > for pid=17402 comm="httpd" name="data" dev="dm-8" ino=260102
> > scontext=system_u:system_r:httpd_t:s0
> > tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
> > type=SYSCALL msg=audit(1408653306.803:2132): arch=c000003e
> > syscall=21 success=no exit=-13 a0=7f80d63eb990 a1=2 a2=7f80c6223f88
> > a3=0 items=0 ppid=17356 pid=17402 auid=4294967295 uid=1152 gid=100
> > euid=1152 suid=1152 fsuid=1152 egid=100 sgid=100 fsgid=100
> > tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd"
> > subj=system_u:system_r:httpd_t:s0 key=(null)
> > type=PROCTITLE msg=audit(1408653306.803:2132):
> > proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
> > type=AVC msg=audit(1408653306.803:2133): avc: denied { write }
> > for pid=17402 comm="httpd" name="data" dev="dm-8" ino=260102
> > scontext=system_u:system_r:httpd_t:s0
> > tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
> > type=SYSCALL msg=audit(1408653306.803:2133): arch=c000003e
> > syscall=21 success=no exit=-13 a0=7f80d65442c0 a1=2 a2=7f80c6223f88
> > a3=0 items=0 ppid=17356 pid=17402 auid=4294967295 uid=1152 gid=100
> > euid=1152 suid=1152 fsuid=1152 egid=100 sgid=100 fsgid=100
> > tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd"
> > subj=system_u:system_r:httpd_t:s0 key=(null)
> > type=PROCTITLE msg=audit(1408653306.803:2133):
> > proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
> > type=AVC msg=audit(1408653306.803:2134): avc: denied { write }
> > for pid=17402 comm="httpd" name="ext" dev="dm-8" ino=260116
> > scontext=system_u:system_r:httpd_t:s0
> > tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
> > type=SYSCALL msg=audit(1408653306.803:2134): arch=c000003e
> > syscall=21 success=no exit=-13 a0=7f80d5c39120 a1=2 a2=7f80c6223f88
> > a3=0 items=0 ppid=17356 pid=17402 auid=4294967295 uid=1152 gid=100
> > euid=1152 suid=1152 fsuid=1152 egid=100 sgid=100 fsgid=100
> > tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd"
> > subj=system_u:system_r:httpd_t:s0 key=(null)
> > type=PROCTITLE msg=audit(1408653306.803:2134):
> > proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
> > type=AVC msg=audit(1408653306.803:2135): avc: denied { write }
> > for pid=17402 comm="httpd" name="ext" dev="dm-8" ino=260116
> > scontext=system_u:system_r:httpd_t:s0
> > tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
> > type=SYSCALL msg=audit(1408653306.803:2135): arch=c000003e
> > syscall=21 success=no exit=-13 a0=7f80d5c39120 a1=2 a2=7f80c6223f88
> > a3=0 items=0 ppid=17356 pid=17402 auid=4294967295 uid=1152 gid=100
> > euid=1152 suid=1152 fsuid=1152 egid=100 sgid=100 fsgid=100
> > tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd"
> > subj=system_u:system_r:httpd_t:s0 key=(null)
> > type=PROCTITLE msg=audit(1408653306.803:2135):
> > proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
> >
> > --
> > Get the Review Board Power Pack at
> http://www.reviewboard.org/powerpack/
> > ---
> > Sign up for Review Board hosting at RBCommons:
> https://rbcommons.com/
> > ---
> > Happy user? Let us know at http://www.reviewboard.org/users/
> > ---
> > You received this message because you are subscribed to the Google
> > Groups "reviewboard" group.
> > To unsubscribe from this group and stop receiving emails from it,
> > send an email to [email protected]
> > <mailto:[email protected]>.
> > For more options, visit https://groups.google.com/d/optout.
> >
> >
> > Here are a couple of SELinux changes I had to make to run ReviewBoard on a
> > Fedora system with SELinux enabled:
> >
> > "setsebool -P httpd_can_network_connect 1" -> This will fix the denial
> > "name_connect" in your audit logs which is preventing httpd from
> > communicating with memcached.
> >
> > I had to allow httpd to write to certain ReviewBoard directories so I
> > needed to change the selinux context for those directories:
> >
> > "chcon -t httpd_sys_rw_content_t /var/www/reviewboard/data/"
> > "chcon -t httpd_sys_rw_content_t /var/www/reviewboard/htdocs/media/ext"
> > "chcon -t httpd_sys_rw_content_t /var/www/reviewboard/htdocs/static/ext"
> >
> > Also, for email notification to work, I needed to run the following to
> > allow httpd to send emails:
> >
> > "setsebool -P httpd_can_sendmail on"
> >
>
> Just the context for those directories, or the recursive set?
>
>
Just those in my case. I also needed to run 'restorecon -rv' on the
'/var/www/reviewboard' directory to ensure that the correct contexts were
set for httpd read access.
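As an added triage example (not code from the thread or from Review Board), the script below parses the AVC records quoted in the original question and maps each httpd_t denial to the remediation the thread gives, flagging anything else for audit2why instead of granting it. The narrower `httpd_can_network_memcache` boolean and the persistent `semanage fcontext` form are my additions, and the `/path/to/` prefix is a placeholder because an audit record only carries the basename of the directory.

```python
import re

# Sample input: the AVC lines quoted in the thread's audit log. SYSCALL and
# PROCTITLE records carry no denial of their own and are skipped by the parser.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1408653306.680:2131): avc: denied { name_connect } for pid=17402 comm="httpd" dest=11211 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:memcache_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1408653306.680:2131): arch=c000003e syscall=42 success=no exit=-13
type=AVC msg=audit(1408653306.803:2132): avc: denied { write } for pid=17402 comm="httpd" name="data" dev="dm-8" ino=260102 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=AVC msg=audit(1408653306.803:2134): avc: denied { write } for pid=17402 comm="httpd" name="ext" dev="dm-8" ino=260116 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for a 'type=AVC ... denied' record, or None for any other record."""
    m = AVC_RE.search(line)
    if not line.startswith("type=AVC") or not m:
        return None
    rec = {"perms": set(m.group("perms").split())}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    # A context is user:role:type:level; the type is what policy rules key on.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def suggest_fix(rec):
    """Map one httpd_t denial to the thread's remediation, or leave it for audit2why."""
    if rec["stype"] != "httpd_t":
        return "not an httpd_t denial; outside this triage table"
    if rec["ttype"] == "memcache_port_t" and "name_connect" in rec["perms"]:
        # The thread's boolean; httpd_can_network_memcache grants only the memcache port.
        return ("setsebool -P httpd_can_network_connect 1 "
                "(or the narrower httpd_can_network_memcache)")
    if rec["ttype"] == "httpd_sys_content_t" and rec["perms"] & {"write", "create", "add_name", "remove_name"}:
        path = "/path/to/" + rec.get("name", "?")  # placeholder: audit gives only the basename
        # chcon alone is undone by the next restorecon; record the label in policy first.
        return (f"relabel {path} as httpd_sys_rw_content_t: semanage fcontext -a -t "
                f"httpd_sys_rw_content_t '{path}(/.*)?' && restorecon -Rv {path}")
    return "no rule in this table; run: audit2why < /var/log/audit/audit.log"

def triage(audit_text):
    """Return (event id, suggestion) for every AVC denial in an audit log excerpt."""
    out = []
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec:
            event = re.search(r"audit\(([^)]*)\)", line).group(1)
            out.append((event, suggest_fix(rec)))
    return out

if __name__ == "__main__":
    for event, fix in triage(SAMPLE_AUDIT):
        print(event, "->", fix)
```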