
Installing OTRS in Fedora 18 with SELinux enabled

I've read somewhere in an OTRS installation howto that if you want to install OTRS, you will have to disable SELinux. Well, I just won't. During the last few months, I have been using Fedora 18 with SELinux on all of my desktop machines and on my notebook, and I had no problems at all (well, no unsolvable problems, actually). Meanwhile I got familiar with SELinux itself, and got used to solving problems caused by it. So I started tail -f /var/log/httpd/error_log in one terminal (to see if anything Apache-related appears), tail -f /var/log/audit/audit.log in another (to see errors caused by SELinux), opened the admin manual at the installation chapter, took a deep breath, and went on.

Throughout this article, I will refer to OTRS 3.2.6 as OTRS and Fedora 18 (with only "stock" repositories) as Fedora. I assume that you have already installed OTRS in a non-SELinux environment before, and that you have at least some basic knowledge about SELinux, MAC, RBAC, and all the like. I'm installing OTRS in /opt/otrs, so if you install it somewhere else, you will have to modify the paths below (and in many hard-coded places in OTRS itself). Also, if you happen to install under /var/www (I wouldn't recommend that), that directory already has the httpd_sys_content_t type, so you won't have to set it explicitly.

As the first step I unpacked the archive to /opt/otrs. This directory is the OTRS default, many config files have it hardcoded, and changing it is no easy task.

Running otrs.CheckModules.pl gave me a list of missing Perl modules. Red Hat and Fedora make it easy to install these, as you don't have to know the RPM package name, just the Perl module name:

yum install 'perl(Crypt::SSLeay)' 'perl(DBD::Pg)' 'perl(GD)' 'perl(JSON::XS)' 'perl(GD::Text)' 'perl(GD::Graph)' 'perl(Mail::IMAPClient)' 'perl(Net::DNS)' 'perl(PDF::API2)' 'perl(Text::CSV_XS)' 'perl(YAML::XS)'

I also needed to install mod_perl. Although otrs.CheckModules.pl didn't mention it, the default settings use syslog as the logging module, so unless you change it in Config.pm, you will also need to install 'perl(Sys::Syslog)' as well.

By default SELinux doesn't permit any network connection to be initiated by Apache. As OTRS needs to connect to its database, you will have to enable it. In older distributions, httpd_can_network_connect was the SELinux boolean for this, but recent installations also have an httpd_can_network_connect_db flag. As far as I know, this enables all network connections to the well-known database servers' default ports, but I will have to check for it. For me, with MySQL listening on its standard port, setsebool httpd_can_network_connect_db=1 just did it.

With SELinux enabled, Apache won't be able to read anything that's not under the httpd_sys_content_t type, nor write anywhere without the httpd_sys_rw_content_t type. The trivial, quick and dirty solution is to label all the files as httpd_sys_rw_content_t, and let everything go. However, the goal of SELinux is just the opposite of this: grant access only to what is really needed. After many trial-and-error steps, it finally turned out that for OTRS to work correctly, you must set httpd_sys_content_t on /opt/otrs/var/httpd/htdocs, httpd_script_exec_t on /opt/otrs/bin/cgi-bin, and httpd_sys_rw_content_t on /opt/otrs/Kernel, /opt/otrs/var/sessions, /opt/otrs/var/log (unless you use syslog for logging), /opt/otrs/var/packages (this is used only when you download an .opm package), /opt/otrs/var/stats, /opt/otrs/var/tmp and /opt/otrs/bin (I wonder why the latter is required, though). To do this, use the following command:

# semanage fcontext -a -t <httpd_* type name> '<path regular expression>'

Where <path regular expression> is something like /opt/otrs/Kernel(/.*)?
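
The whole labelling step as one script (an added example, not part of the original post): it prints the setsebool, semanage and restorecon commands for the paths and types listed above so they can be reviewed before being run as root. The function names and the OTRS_HOME variable are made up for this example; the type names and paths are the ones given in the text.

```shell
#!/bin/sh
# Added example: prints the labelling commands for the OTRS layout described
# above. Review the output, then apply it as root:  sh otrs-selinux.sh | sh
OTRS_HOME="${OTRS_HOME:-/opt/otrs}"   # install prefix used in the article

# type:subdirectory pairs, taken from the list in the text.
# bin/cgi-bin is listed after the broader bin rule; check the effective
# label afterwards with matchpathcon.
otrs_rules() {
    cat <<EOF
httpd_sys_content_t:var/httpd/htdocs
httpd_sys_rw_content_t:Kernel
httpd_sys_rw_content_t:var/sessions
httpd_sys_rw_content_t:var/log
httpd_sys_rw_content_t:var/packages
httpd_sys_rw_content_t:var/stats
httpd_sys_rw_content_t:var/tmp
httpd_sys_rw_content_t:bin
httpd_script_exec_t:bin/cgi-bin
EOF
}

otrs_label_cmds() {
    # -P stores the boolean persistently, so it survives a reboot.
    echo "setsebool -P httpd_can_network_connect_db 1"
    otrs_rules | while IFS=: read -r type sub; do
        # semanage fcontext only records the rule in the local policy ...
        echo "semanage fcontext -a -t $type '$OTRS_HOME/$sub(/.*)?'"
    done
    # ... restorecon applies the recorded rules to files that already exist.
    echo "restorecon -Rv $OTRS_HOME"
}

otrs_label_cmds
```

If you skip /opt/otrs/var/log because you log to syslog, delete that line from otrs_rules before applying.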

The last thing I faced is that Fedora is more restrictive on reading directories other than /var/www. It has a Require all denied on <Directory />, and a Require all granted on <Directory /var/www>, so opening any of OTRS' files will result in a 403 Forbidden (error_log says "client denied by server configuration") error. To get rid of this, I had to modify scripts/apache2-httpd.include.conf and add Require all granted to both the cgi-bin and htdocs <Directory> entries.


As I will have to use OTRS in a production environment soon with SELinux enabled, it is more than sure that this list will change in the near future. As there is no official documentation on this (I haven't found one yet, although the question is raised several times), I have to do it the trial-and-error way, so be patient!

Renaming a Symfony 2 bundle

Today I've realised that the name I gave to one of my Symfony 2 bundles should be something else. To rename a bundle, one must do four things (at least).

  1. Change the namespace from Vendor\OldBundle to Vendor\NewBundle in every PHP class (sounds like pain? It is...)
  2. Change the name of files and classes. Some files under src/Vendor/OldBundle (and the classes in them) contain the name of the bundle, like OldBundle/DependencyInjection/VendorOldBundleExtension.php and OldBundle/VendorOldBundle.php. You should rename them, or Symfony won't find the classes defined in them! When done, rename the whole bundle directory as well.
  3. Change the configuration files accordingly, including AppKernel.php. These config files are usually routing.yml, services.yml, and in some cases, config.yml
  4. Change the references in other parts of your code. A grep -r OldBundle . will usually help...

Dvorak and me

A few months ago I decided to switch to the Dvorak layout. After using QWERTY (well, QWERTZ, to be precise), it was a hard decision, but now I think it was worth the try. I started with UK (Dvorak with UK punctuation), and in about four weeks, I've almost reached my original typing speed. Today I have modified the Hungarian xkb definitions file to add the Hungarian accented letters like ű to the layout, so I don't have to use dead keys anymore (which apparently turned out to be a problem, as the Linux version of Java doesn't support dead keys at all).

Best thing is, as I never learned proper 10-finger typing, but learned Dvorak that way, I can switch between QWERTY and Dvorak more or less painlessly (about 10 minutes of confusion, so to say).

Conclusion: I don't know yet if this was actually a good decision, but it wasn't bad, after all. But seeing people's faces when they try to type on my machine is totally worth it.

Haversine in MySQL

DELIMITER $$

-- Great-circle distance in kilometres between two points given in degrees.
CREATE FUNCTION `haversine` (lng1 FLOAT, lat1 FLOAT, lng2 FLOAT, lat2 FLOAT)
RETURNS FLOAT NO SQL DETERMINISTIC
BEGIN
-- Haversine term: the angle is halved before SIN(), i.e. SIN(x / 2), not SIN(x) / 2.
SET @a = ABS(POWER(SIN(RADIANS(lat1 - lat2) / 2), 2) + COS(RADIANS(lat1)) * COS(RADIANS(lat2)) * POWER(SIN(RADIANS(lng1 - lng2) / 2), 2));
-- 12756.200 is twice the Earth's radius in kilometres.
RETURN 12756.200 * ATAN2(SQRT(@a), SQRT(1 - @a));
END$$

DELIMITER ;

Just insert it in your database, feed it two Google coordinates, and you get the distance in kilometres. If you happen to need it in miles, change the constant at the RETURN row to 7922.6 instead.

:: Copyright © 2012, Gergely Polonkai :: Disclaimer ::