From 27be72a637264ef3e52f0c2fc19390ced27e7494 Mon Sep 17 00:00:00 2001 From: Tomas Kopecek Date: Jul 01 2020 09:39:12 +0000 Subject: PR#2350: doc: improve hub selinux instructions Merges #2350 https://pagure.io/koji/pull-request/2350 --- diff --git a/docs/source/server_howto.rst b/docs/source/server_howto.rst index 52093e3..6d6b95d 100644 --- a/docs/source/server_howto.rst +++ b/docs/source/server_howto.rst @@ -760,6 +760,12 @@ variables. Do not set ``DBHost`` to ``localhost``, or else PostgreSQL will attempt to connect with TCP through ``127.0.0.1`` instead of using the Unix socket. +If koji-hub is running on a separate server from PostgreSQL, you must set the +``DBHost`` and ``DBPass`` options. You must also configure SELinux to allow +Apache to connect to the remote PostgreSQL server:: + + root@localhost$ setsebool -P httpd_can_network_connect_db=1 + Authentication Configuration ---------------------------- 
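Review bot: the new paragraph should say which host the `setsebool -P httpd_can_network_connect_db=1` command runs on; the `root@localhost$` prompt is ambiguous now that two servers are involved, and the boolean belongs on the koji-hub (Apache) host, not on the PostgreSQL host. It would also help to state the scope of what is being granted: this boolean lets the httpd domain open TCP connections to database ports in general, not only to the one PostgreSQL server named in `DBHost`, so readers can weigh it against a local Unix-socket setup. Consider wording such as "On the koji-hub server, allow Apache to make outbound database connections::" before the command.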
@@ -823,21 +829,16 @@ needed. SELinux Configuration ^^^^^^^^^^^^^^^^^^^^^ -If running in Enforcing mode - * you will need to allow apache to connect to the postgreSQL server - * you will need to allow apache to write some files to disk +Configure SELinux to allow Apache write access to ``/mnt/koji``:: -Even if you are not currently running in Enforcing mode, it is still -recommended to configure the SELinux settings so that there are no future -issues with SELinux if Enforcing mode is enabled later on. - -:: + root@localhost$ setsebool -P allow_httpd_anon_write=1 + root@localhost$ semanage fcontext -a -t public_content_rw_t "/mnt/koji(/.*)?" + root@localhost$ restorecon -r -v /mnt/koji - root@localhost$ setsebool -P httpd_can_network_connect_db=1 allow_httpd_anon_write=1 - root@localhost$ chcon -R -t public_content_rw_t /mnt/koji/* +If you've placed ``/mnt/koji`` on an NFS share, enable a separate boolean to +allow Apache access to NFS:: -If you've placed ``/mnt/koji`` on an NFS share you may also need to set -``httpd_use_nfs``. + root@localhost$ setsebool -P httpd_use_nfs=1 Check Your Configuration ^^^^^^^^^^^^^^^^^^^^^^^^
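Review bot: dropping the sentence that recommends applying these settings even when SELinux is not in Enforcing mode loses useful guidance; the new text only says "Configure SELinux to allow Apache write access", and a reader running in Permissive mode may skip the section and hit denials the first time Enforcing is turned on. Keep one sentence to that effect above the command block. Separately, the NFS paragraph should note that the `semanage fcontext` / `restorecon` labeling added above does not apply to an NFS mount (files on NFS carry the client's default NFS label rather than `public_content_rw_t`), which is exactly why `httpd_use_nfs=1` is needed there; saying so explains the boolean instead of leaving it as an unexplained extra step. The move from `chcon -R` to `semanage fcontext -a -t public_content_rw_t "/mnt/koji(/.*)?"` plus `restorecon -r -v /mnt/koji` is the right fix, since the label now survives a relabel.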