SELinux and /opt/indico/cache

Hello,

On my newly installed indico 2.2.7 I cannot access the drop-down menus on the page.
The indico.log has the following error:

2020-04-01 11:04:30,694  ERROR    2ee47a3a36dd4669  indico.flask              Uncaught Exception
Traceback (most recent call last):
  File "/opt/indico/.venv/lib/python2.7/site-packages/flask/app.py", line 1949, in full_dispatch_request
    rv = self.dispatch_request()
  File "/opt/indico/.venv/lib/python2.7/site-packages/flask/app.py", line 1935, in dispatch_request
    return self.view_functions[rule.endpoint](**req.view_args)
  File "/opt/indico/.venv/lib/python2.7/site-packages/indico/web/assets/blueprint.py", line 62, in js_vars_global
    with open(cache_file, 'wb') as f:
IOError: [Errno 13] Permission denied: u'/opt/indico/cache/assets_global_2.2.7_2592361574.js'

I think that this has to do with SELinux. How do I set up SELinux to allow write access to /opt/indico/cache?

Thank you
Penelope

I resolved the issue by following the instruction from:

Perhaps, the instruction on SELinux at: https://docs.getindico.io/en/latest/installation/production/centos/apache/, could be augmented to include these two directories too
/opt/indico/cache
/opt/indico/tmp

As we are setting up our production server, we are having some trouble with the SELinux setup when we follow the instruction from: https://indico.readthedocs.io/en/latest/installation/production/centos/apache/
In particular, we are not able to make the type indico_log_t work properly as the file type of the /opt/indico/log directory. If we make the file type for this directory httpd_log_t, then everything works fine.
My question is: can indico_log_t be replaced by httpd_log_t or is it required by indico’s functionality?

best to try it out - that’s how I created the original selinux policy in the docs

We’ll try and see why we cannot make it work.

hi guys,

yesterday i did re-run

mkdir ~/log/apache
chmod go-rwx ~/* ~/.[^.]*
chmod 710 ~/ ~/archive ~/cache ~/log ~/tmp
chmod 750 ~/web ~/.venv
chmod g+w ~/log/apache
restorecon -R ~/
echo -e "\nSTATIC_FILE_METHOD = 'xsendfile'" >> ~/etc/indico.conf

to create the apache log files which i missed during my installation process.

Now I am getting Permission denied messages all over my apache error log.
I tried changing the SELinux context from httpd_sys_rw_content_t to lib_t; the error still persists. What would be the right context to fix it? Or permissions?

Apache log :
(13)Permission denied: [:4032] xsendfile: cannot open file: /opt/indico/.venv/lib/python2.7/site-packages/indico/web/static/dist/css/common.e3dd657d.css,
(13)Permission denied: [:4033] xsendfile: cannot open file: /opt/indico/.venv/lib/python2.7/site-packages/indico/web/static/dist/js/common.5bc73c7e.bundle.js,
(13)Permission denied: [:4031] xsendfile: cannot open file: /opt/indico/.venv/lib/python2.7/site-packages/indico/web/static/dist/css/semantic-ui.02682f3b.css,
(13)Permission denied: [:4029] xsendfile: cannot open file: /opt/indico/.venv/lib/python2.7/site-packages/indico/web/static/dist/css/main.28a4142a.css,
(13)Permission denied: [:4028] xsendfile: cannot open file: /opt/indico/.venv/lib/python2.7/site-packages/indico/web/static/dist/css/react.acbe563c.css,
(13)Permission denied: [:4030] xsendfile: cannot open file: /opt/indico/.venv/lib/python2.7/site-packages/indico/web/static/dist/css/jquery.fa4a03eb.css,
(13)Permission denied: [:4032] xsendfile: cannot open file: /opt/indico/.venv/lib/python2.7/site-packages/indico/web/static/dist/css/outdatedbrowser.b43fe041.css,

i checked the permissions with ls -Z /opt/indico/.venv/lib/python2.7/site-packages/indico/web/static/

drwxr-xr-x. indico apache unconfined_u:object_r:lib_t:s0   css
drwxr-xr-x. indico apache unconfined_u:object_r:lib_t:s0   dist
-rw-r--r--. indico apache unconfined_u:object_r:lib_t:s0   export-reversed.xsl
-rw-r--r--. indico apache unconfined_u:object_r:lib_t:s0   export.xsl
drwxr-xr-x. indico apache unconfined_u:object_r:lib_t:s0   fonts
drwxr-xr-x. indico apache unconfined_u:object_r:lib_t:s0   images
-rw-r--r--. indico apache unconfined_u:object_r:lib_t:s0   robots.txt

ls -Z /opt/indico/.venv/lib/python2.7/site-packages/indico/web/static/dist/js/

-rw-r--r--. indico apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 themes_standard.381deb57.bundle.js
-rw-r--r--. indico apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 themes_standard.381deb57.bundle.js.map
-rw-r--r--. indico apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 themes_standard_inline_minutes.718b6019.bundle.js
-rw-r--r--. indico apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 themes_standard_inline_minutes.718b6019.bundle.js.map
-rw-r--r--. indico apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 themes_standard_inline_minutes.print.fbf8e908.bundle.js
-rw-r--r--. indico apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 themes_standard_inline_minutes.print.fbf8e908.bundle.js.map
-rw-r--r--. indico apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 themes_standard.print.3c299c7c.bundle.js

thanks

Those contexts should be fine, so I’m afraid I don’t know what the problem is… Check your selinux audit log if there are any more specific errors on why it fails.

I found the reason: it was due to
STATIC_FILE_METHOD = 'xsendfile'
in the config file. I commented it out; now the system is back to normal.

Removing that isn’t particularly good for performance though, since it will force Indico to send all the files itself instead of letting the webserver serve them.

Does the location of this setting inside the config file matter? It is right at the end of the file. Should I place it at the beginning?

Doesn’t matter at all. Maybe check if there are any regular (maybe not even SELinux-related) permission issues that would prevent the apache processes from accessing those files…

file has chmod 644
-rw-r--r--. indico apache unconfined_u:object_r:lib_t:s0 /opt/indico/.venv/lib/python2.7/site-packages/indico/web/static/dist/css/main.28a4142a.css

You need to check all parent path segments as well… Also check the gid of the user the apache processes are running as (if it’s actually apache).

All folders are 755 and files are 644, except the 2 folders highlighted below:

[root@localhost ~]# ls -la /opt/indico/.venv/lib/
total 4
drwxr-xr-x. 3 indico apache   23 Mar  4 17:02 .
**drwxr-x---. 6 indico apache   95 Mar 15 23:03 ..**
drwxr-xr-x. 4 indico apache 4096 Mar  4 17:03 python2.7
[root@localhost ~]# ls -la /opt/indico/.venv/
total 8
drwxr-x---.  6 indico apache   95 Mar 15 23:03 .
**drwx------. 12 indico apache  237 Mar 16 14:07 ..**
drwxr-xr-x.  2 indico apache 4096 Mar  5 12:01 bin
drwxr-xr-x.  2 indico apache   23 Mar  4 17:02 include
drwxr-xr-x.  3 indico apache   23 Mar  4 17:02 lib
lrwxrwxrwx.  1 indico apache    3 Mar  4 17:02 lib64 -> lib
-rw-r--r--.  1 indico apache   61 Mar 15 23:03 pip-selfcheck.json
drwxr-xr-x.  3 indico apache   17 Mar  4 17:04 share
[root@localhost ~]# ls -la /opt/indico/
total 20
drwx------. 12 indico apache  237 Mar 16 14:07 .
drwxr-xr-x.  6 root   root     57 Mar  5 12:11 ..
drwx------.  3 indico apache   19 Mar  5 15:26 archive
-rw-------.  1 indico apache  664 Mar 16 17:06 .bash_history
-rw-------.  1 indico apache   18 Apr  1  2020 .bash_logout
-rw-------.  1 indico apache  193 Apr  1  2020 .bash_profile
-rw-------.  1 indico apache  231 Apr  1  2020 .bashrc
drwx------.  2 indico apache 4096 Mar 16 18:15 cache
drwx------.  3 indico apache   17 Mar  4 17:03 .cache
drwx------.  2 indico apache   45 Mar 16 18:26 etc
lrwxrwxrwx.  1 indico apache   27 Mar  5 12:03 .indico.conf -> /opt/indico/etc/indico.conf
drwxr-xr-x.  5 indico apache   67 Mar 16 14:07 .ipython
drwx------.  3 indico apache   73 Mar 15 21:35 log
drwxrwxrwx.  4 indico apache   30 Mar 11 13:16 openscience
drwx------.  2 indico apache   33 Mar  5 12:05 tmp
drwxr-x---.  6 indico apache   95 Mar 15 23:03 .venv
drwxr-x---.  2 indico apache   63 Mar 16 18:32 web

There we go. chmod g+x ~/.venv should fix it.

still the same. restarted but did not help too kk

Try using sudo -u apache ls -ld /opt/indico/.venv/lib/python2.7/site-packages/indico/web/static/dist/css/main.28a4142a.css and then remove segments from the end of the path until you find out where the apache user no longer has access.

[root@localhost indico]# sudo -u apache ls -ld /opt/indico/.venv/
ls: cannot access /opt/indico/.venv/: Permission denied
[root@localhost indico]# sudo -u apache ls -ld /opt/indico/
drwx------. 12 indico apache 237 Mar 16 14:07 /opt/indico/

chmod g+x /opt/indico

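The segment-by-segment check used in this thread, written out as an added example that is not part of any post. It assumes GNU stat and evaluates only owner, group and mode bits (no ACLs, supplementary groups or SELinux); the function names `can_search` and `first_blocked` and the user name `webuser` are made up for the illustration.

```shell
# Added example: report the topmost directory on the way to a file that
# USER/GROUP cannot traverse, judged from owner, group and mode bits only.
# Requires GNU stat (coreutils), as shipped on CentOS.

# can_search USER GROUP DIR: succeed if the class that applies has the x bit.
can_search() {
    cs_info=$(stat -c '%a %U %G' "$3") || return 2
    cs_mode=${cs_info%% *}
    cs_rest=${cs_info#* }
    cs_owner=${cs_rest%% *}
    cs_group=${cs_rest#* }
    cs_bits=$((0$cs_mode))              # leading 0 makes the value octal
    if [ "$1" = "$cs_owner" ]; then     # owner: only the owner bits count
        [ $((cs_bits & 0100)) -ne 0 ]
    elif [ "$2" = "$cs_group" ]; then   # group member: only the group bits
        [ $((cs_bits & 0010)) -ne 0 ]
    else                                # everyone else: the "other" bits
        [ $((cs_bits & 0001)) -ne 0 ]
    fi
}

# first_blocked USER GROUP FILE [BASE]: print the highest directory between
# BASE (default /) and FILE that fails can_search; an empty line if none does.
first_blocked() {
    fb_dir=$(dirname "$3")
    fb_base=${4:-/}
    fb_hit=
    while :; do
        can_search "$1" "$2" "$fb_dir" || fb_hit=$fb_dir
        if [ "$fb_dir" = "$fb_base" ] || [ "$fb_dir" = / ]; then break; fi
        fb_dir=$(dirname "$fb_dir")
    done
    printf '%s\n' "$fb_hit"
}

# Constructed demo tree with the modes from the listings in this thread:
# the top directory is 700 and .venv is 750. "webuser" stands in for apache.
demo=$(mktemp -d)
mkdir -p "$demo/indico/.venv/lib"
: > "$demo/indico/.venv/lib/main.css"
chmod 755 "$demo/indico/.venv/lib"
chmod 750 "$demo/indico/.venv"
chmod 700 "$demo/indico"
grp=$(stat -c %G "$demo/indico")
first_blocked webuser "$grp" "$demo/indico/.venv/lib/main.css" "$demo/indico"
chmod g+x "$demo/indico"
first_blocked webuser "$grp" "$demo/indico/.venv/lib/main.css" "$demo/indico"
rm -rf "$demo"
```

The first call prints the 700 top directory and the second prints an empty line. On a real host, `namei -l` on the full file path lists the owner, group and mode of every segment in one go.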