Bug 219972 (poker-network)
Summary: | Review Request: poker-network - A poker server, client and abstract user interface library
---|---
Product: | Fedora
Component: | Package Review
Status: | CLOSED NEXTRELEASE
Severity: | medium
Priority: | medium
Version: | rawhide
Reporter: | Christopher Stone <chris.stone>
Assignee: | Wart <wart>
QA Contact: | Fedora Package Reviews List <fedora-package-review>
CC: | jspaleta, paul
Flags: | wtogami: fedora-cvs+
Hardware: | All
OS: | Linux
Doc Type: | Bug Fix
Last Closed: | 2007-02-20 03:06:03 UTC
Bug Depends On: | 171543, 208169, 216105
Bug Blocks: | 163779, 222612
Description
Christopher Stone
2006-12-17 23:53:24 UTC
I read http://fedoraproject.org/wiki/PackagingDrafts/SELinux and the problem is that I do not run selinux myself, so I do not know what (if anything) is required to run this with selinux.

Should I remove the selinux stuff from the init script?

Yes, just turn it off for now until the selinux bits are ready, otherwise the semanage bits in the init script will generate an error.

(In reply to comment #1)
> I read http://fedoraproject.org/wiki/PackagingDrafts/SELinux and the problem is
> that I do not run selinux myself, so I do not know what (if anything) is
> required to run this with selinux.
>
> Should I remove the selinux stuff from the init script?

IMHO yes. In the absence of an SELinux policy for the server, it will run "unconfined" by SELinux, and there will be no definition of the type pokerserver_port_t, so the semanage call to assign that type to a specific port number won't work. Someone would have to write a policy for the server to make any of that worthwhile.

Which is pretty much what Wart said, only he said it quicker than me :-)

Spec URL: http://tkmame.retrogames.com/fedora-extras/poker-network.spec
SRPM URL: http://tkmame.retrogames.com/fedora-extras/poker-network-1.0.32-1.src.rpm

%changelog
* Mon Dec 18 2006 Christopher Stone <chris.stone> 1.0.32-2
- Remove semanage call in init file until an selinux policy is written
- Add comment to %%check section indicating that it is not functional
- Update TODO comments

oops, SRPM URL for comment #4 should be:
SRPM: http://tkmame.retrogames.com/fedora-extras/poker-network-1.0.32-2.src.rpm

Spec URL: http://tkmame.retrogames.com/fedora-extras/poker-network.spec
SRPM URL: http://tkmame.retrogames.com/fedora-extras/poker-network-1.0.32-3.src.rpm

%changelog
* Fri Dec 29 2006 Christopher Stone <chris.stone> 1.0.32-3
- Update BR/R to new python-twisted stack

builds in mock in fc6 and devel on x86.
I'm going through this now, doing a detailed review.

PROBLEM #1:
poker2d desktopfile has the EXEC in the wrong location.
should be EXEC=%{_exec_prefix}/games/poker2d
because %{_exec_prefix}/games/poker2d
because /usr/games is not in the standard executable path.

PROBLEM #2:
On my fc-6 system gnome seems to be unable to recognize that poker2D.xpm is there. Even if I create a custom panel launcher and attempt to select the poker2D.xpm from the pixmap directory in the icon chooser interface, it throws an icon 'poker@D' not found error dialog. Do we have to do something silly and convert this to png?

-jef

oops the error reads poker2d, the @ was a typo on my part

Clarification:

Are we running counter to the python module naming scheme in the naming guidance?

Shouldn't it be python-poker-network and python-poker-client-lib because these are primarily python modules which can be used to develop multiple applications?

poker-bot poker-server poker-web and poker2d look fine to me as names because they are the application level items which sit on top of pokernetwork or poker-client-lib.

Did this naming issue come up with poker-engine? I'm not convinced this is enough to block on, especially now that poker-engine is already in the tree.

-jef

PROBLEM #3: poker-network-devel needs to require pkgconfig

MUST: Packages containing pkgconfig(.pc) files must 'Requires: pkgconfig' (for directory ownership and usability).

Clarification:
is %{_libdir}/%{name}/poker-interface a shared library? I don't think it is but I just want to be sure.

poker2d appears to work. I haven't had a chance to test the server related subpackages.

I'm not a kde user, so forgive me if I sound ignorant, but the payload for poker2d-kde looks very thin to me. Is the payload really only supposed to be:
/usr/share/apps/khotkeys/poker2d.khotkeys
/usr/share/doc/poker2d-kde-1.0.32
/usr/share/doc/poker2d-kde-1.0.32/COPYING

-jef

(In reply to comment #7)
> builds in mock in fc6 and devel on x86.
> I'm going through this now, doing a detailed review.
>
> PROBLEM #1:
> poker2d desktopfile has the EXEC in the wrong location.
> should be EXEC=%{_exec_prefix}/games/poker2d
> because %{_exec_prefix}/games/poker2d

Fixed this.

> because /usr/games is not in the standard executable path.
>
> PROBLEM #2:
> On my fc-6 system gnome seems to be unable to recognize that poker2D.xpm is
> there. Even if I create a custom panel launcher and attempt to select the
> poker2D.xpm from the pixmap directory in the icon chooser interface, it throws
> an icon 'poker@D' not found error dialog. Do we have to do something silly and
> convert this to png?

I asked in #fedora-packaging about icons placed in pixmap directory, and this is the reply:

15:27:20 XulChris | if upstream installs in icon in %{_datadir}/pixmaps/ should it be moved to %{_datadir}/icons/ instead and run gtk-update-icon-cache?
15:28:02 XulChris | or should it just be left in pixmaps/ w/o running gtk-update-icon-cache?
17:49:19 ---| User: *** rdieter_away is now known as rdieter1
18:05:45 rdieter1 | XulChris: imo, move it, yadda, and ping upstream to do the same.

So perhaps moving the icon to the icons/ directory will fix it in GNOME? Not sure since I run KDE, I will try moving the icons in the spec; let me know if it fixes it in GNOME.

(In reply to comment #9)
> Clarification:
>
> Are we running counter to the python module naming scheme in the naming guidance?
>
> Shouldn't it be python-poker-network and python-poker-client-lib because these
> are primarily python modules which can be used to develop multiple applications?

Let me get clarification on upstream with this. I think debian has the same policy, and upstream packages for debian so let me see what they say. I'll get back to you on this.

(In reply to comment #10)
> PROBLEM #3: poker-network-devel needs to require pkgconfig
>
> MUST: Packages containing pkgconfig(.pc) files must 'Requires: pkgconfig' (for
> directory ownership and usability).

Fixed.

> Clarification:
> is %{_libdir}/%{name}/poker-interface a shared library? I don't think it is but
> I just want to be sure.

I will ask upstream to make sure. Will get back to you on this item as well.

(In reply to comment #11)
> poker2d appears to work. I haven't had a chance to test the server related
> subpackages.
>
> I'm not a kde user, so forgive me if I sound ignorant, but the payload for
> poker2d-kde looks very thin to me. Is the payload really only supposed to be:
> /usr/share/apps/khotkeys/poker2d.khotkeys
> /usr/share/doc/poker2d-kde-1.0.32
> /usr/share/doc/poker2d-kde-1.0.32/COPYING

This is done on purpose. Otherwise a user would have to install kdebase to pick up the /usr/share/apps/khotkeys/ directory when they install poker2d, which is probably not what people want to do if they do not have KDE installed. Having a package with a single file in it I deemed a better alternative than requiring kdebase just to install poker2d, and poker2d does not need kdebase to run. So basically it's just a directory ownership issue.

(In reply to comment #14)
> (In reply to comment #10)
> > Clarification:
> > is %{_libdir}/%{name}/poker-interface a shared library? I don't think it is but
> > I just want to be sure.
>
> I will ask upstream to make sure. Will get back to you on this item as well.

dachary | poker-interface is a shared library (really a python module but a shared library)

(In reply to comment #16)
> dachary | poker-interface is a shared library (really a python module but a
> shared library)

Considering where it is placed on disk.. doesn't this mean you need to run ldconfig in the postinstall scriptlet?

What is confusing is why it's placed in /usr/lib/poker-network/poker-interface instead of under /usr/lib/python2.4/site-packages/pokerclient2d ? I don't think it's really meant to be in the general ldconfig path. If it's meant as a library to be used from python bindings only, it's best to place it into the python module tree of interest. There are several examples of this sort of .so inclusion in the python module directory already in Fedora space, python-numeric being one specific case.

And shouldn't the filename end with the .so extension for clarity?

-jef

Spec URL: http://tkmame.retrogames.com/fedora-extras/poker-network.spec
SRPM URL: http://tkmame.retrogames.com/fedora-extras/poker-network-1.0.32-3.src.rpm

%changelog
* Sun Dec 31 2006 Christopher Stone <chris.stone> 1.0.32-4
- Add full path to exec in desktop file
- Add pkgconfig to devel subpackage
- Convert icons to png format and store in icons directory
- Update TODO

Jef: Can you test the icons out on this release? Thx

(In reply to comment #18)
> Spec URL: http://tkmame.retrogames.com/fedora-extras/poker-network.spec
> SRPM URL: http://tkmame.retrogames.com/fedora-extras/poker-network-1.0.32-3.src.rpm

Ack, this is supposed to be:
http://tkmame.retrogames.com/fedora-extras/poker-network-1.0.32-4.src.rpm

I apologize, I am notoriously bad for copy&pasting without updating.

Menu entry and menu icons appear to be working in this release.

I think the only important thing left is the issue of whether /usr/lib/poker-network/poker-interface should be moved to /usr/lib/python2.4/site-packages/pokerclient2d and if it should be renamed to poker-interface.so for clarity.

The python add-on package naming issue is less clear since there are already poker-whatever packages in the tree which you'd have to also rename to meet the python-whatever guidance. I'm not going to block on that since these poker-* packages make a consistent naming group. If someone else has a problem with it, you'll have to go into the tree later and rename and do some virtual providing.

-jef

Spec URL: http://tkmame.retrogames.com/fedora-extras/poker-network.spec
SRPM URL: http://tkmame.retrogames.com/fedora-extras/poker-network-1.0.32-5.src.rpm

%changelog
* Tue Jan 02 2007 Christopher Stone <chris.stone> 1.0.32-5
- Move poker-interface to %%{python_sitearch}/pokerclient2d
- Remove TODO comments

Reblocking bug #171543: even though twisted-core and web are in FC6, it was agreed that we wait until all python-twisted packages are in FC6 before branching to provide the smoothest upgrade path possible.

Spec URL: http://tkmame.retrogames.com/fedora-extras/poker-network.spec
SRPM URL: http://tkmame.retrogames.com/fedora-extras/poker-network-1.0.32-6.src.rpm

%changelog
* Fri Jan 05 2007 Christopher Stone <chris.stone> 1.0.32-6
- Replace pkgconfig with poker-eval-devel

Spec URL: http://tkmame.retrogames.com/fedora-extras/poker-network.spec
SRPM URL: http://tkmame.retrogames.com/fedora-extras/poker-network-1.0.32-7.src.rpm

%changelog
* Wed Jan 10 2007 Christopher Stone <chris.stone> 1.0.32-7
- Keep permissions 600 for poker.server.xml file

Spec URL: http://tkmame.retrogames.com/fedora-extras/poker-network.spec
SRPM URL: http://tkmame.retrogames.com/fedora-extras/poker-network-1.0.32-8.src.rpm

%changelog
* Wed Jan 10 2007 Christopher Stone <chris.stone> 1.0.32-8
- Move poker-interface to %%{_libexecdir}
- Package poker-interface with poker-client-lib
- Remove no longer needed shared lib patch

Spec URL: http://tkmame.retrogames.com/fedora-extras/poker-network.spec
SRPM URL: http://tkmame.retrogames.com/fedora-extras/poker-network-1.0.33-1.src.rpm

%changelog
* Thu Jan 11 2007 Christopher Stone <chris.stone> 1.0.33-1
- Upstream sync
- Add %%find_lang for new locales

Spec URL: http://tkmame.retrogames.com/fedora-extras/poker-network.spec
SRPM URL: http://tkmame.retrogames.com/fedora-extras/poker-network-1.0.33-2.src.rpm

%changelog
* Sun Jan 14 2007 Christopher Stone <chris.stone> 1.0.33-2
- Split out poker-client-lib/poker2d files into another spec file
- Add Requires apg and poker-web to poker-bot
- No longer remove symlinks for constants.php and htaccess
- Create a README.Fedora for poker-web package
- Reduce initial number of bots to four due to a bug

rpmlint errors:

E: poker-network no-binary
E: poker-network-debuginfo empty-debuginfo-package
These are because poker2d is packaged with this upstream. This will be fixed when poker2d is out of alpha mode.

E: poker-server non-readable /etc/poker-network/poker.server.xml 0600
This is because the mysql root password is in this file.

E: poker-web htaccess-file /usr/share/poker-web/.htaccess
I don't understand this error.

(In reply to comment #27)
> E: poker-web htaccess-file /usr/share/poker-web/.htaccess
>
> I don't understand this error.

.htaccess files are frowned upon because the same effect can usually be achieved by adding an appropriate <Directory> clause in a .conf file dropped into /etc/httpd/conf.d. This then allows the use of "AllowOverride None" for that directory, meaning that httpd doesn't need to check for .htaccess files for every access, and is hence a performance benefit.

http://tkmame.retrogames.com/fedora-extras/poker-network-1.0.33-2.src.rpm

This did not rebuild cleanly in mock against either fc6 or development.

snippet of build.log from fc6 build attempt:

RPM build errors:
    File not found: /var/tmp/poker-network-1.0.33-2.fc6-root-mockbuild/usr/lib/python2.4/site-packages/pokernetwork
    File not found by glob: /var/tmp/poker-network-1.0.33-2.fc6-root-mockbuild/usr/lib/python2.4/site-packages/pokernetwork/__init__*
    File not found by glob: /var/tmp/poker-network-1.0.33-2.fc6-root-mockbuild/usr/lib/python2.4/site-packages/pokernetwork/dispatch*
    File not found by glob: /var/tmp/poker-network-1.0.33-2.fc6-root-mockbuild/usr/lib/python2.4/site-packages/pokernetwork/packets*
    File not found by glob: /var/tmp/poker-network-1.0.33-2.fc6-root-mockbuild/usr/lib/python2.4/site-packages/pokernetwork/pokernetworkconfig*

snippet of build.log from development build:

RPM build errors:
    File not found: /var/tmp/poker-network-1.0.33-2.fc7-root-mockbuild/usr/lib/python2.5/site-packages/pokernetwork
    File not found by glob: /var/tmp/poker-network-1.0.33-2.fc7-root-mockbuild/usr/lib/python2.5/site-packages/pokernetwork/__init__*
    File not found by glob: /var/tmp/poker-network-1.0.33-2.fc7-root-mockbuild/usr/lib/python2.5/site-packages/pokernetwork/dispatch*
    File not found by glob: /var/tmp/poker-network-1.0.33-2.fc7-root-mockbuild/usr/lib/python2.5/site-packages/pokernetwork/packets*
    File not found by glob: /var/tmp/poker-network-1.0.33-2.fc7-root-mockbuild/usr/lib/python2.5/site-packages/pokernetwork/pokernetworkconfig*
    File not found by glob: /var/tmp/poker-network-1.0.33-2.fc7-root-mockbuild/usr/lib/python2.5/site-packages/pokernetwork/pokerpackets*

Ah, this is because your %{python_sitearch} is the same as your %{python_sitelib}. This should be fixed now.

Spec URL: http://tkmame.retrogames.com/fedora-extras/poker-network.spec
SRPM URL: http://tkmame.retrogames.com/fedora-extras/poker-network-1.0.33-3.src.rpm

%changelog
* Tue Jan 16 2007 Christopher Stone <chris.stone> 1.0.33-3
- Do not glob removal of files under %%{python_sitearch}
- Change Requires from php to php-bcmath for poker-web

Got some more clarification on requirements for poker-web package from upstream:

Spec URL: http://tkmame.retrogames.com/fedora-extras/poker-network.spec
SRPM URL: http://tkmame.retrogames.com/fedora-extras/poker-network-1.0.33-4.src.rpm

%changelog
* Tue Jan 16 2007 Christopher Stone <chris.stone> 1.0.33-4
- Add php-mysql and php-gd to Requires for poker-web

poker-bot has 'Requires: poker-client-lib %{version}-%{release}'. poker-client-lib is provided by the poker2d package. This means that you will have to make sure to update both poker-network and poker2d and keep the release numbers consistent. It might be better to drop the %{release} from the Requires, if that's permissible.

I also get a 404 error when I try to access the poker-web web interface. This was after moving the apache.conf from poker-web into the conf.d directory of apache and restarting apache.

"The requested URL /cgi-bin/php/poker-web/index.php was not found on this server."

Spec URL: http://tkmame.retrogames.com/fedora-extras/poker-network.spec
SRPM URL: http://tkmame.retrogames.com/fedora-extras/poker-network-1.0.33-5.src.rpm

%changelog
* Fri Jan 19 2007 Christopher Stone <chris.stone> 1.0.33-5
- Remove webclient from poker-web Requires
- Remove %%{release} from poker-client-lib Requires for poker-bot
- Fix init scripts to work for different python releases
- Remove redundant python-twisted-core from BuildRequires

The poker-web interface should be accessible at:
http://localhost/poker-web/

Spec URL: http://tkmame.retrogames.com/fedora-extras/poker-network.spec
SRPM URL: http://tkmame.retrogames.com/fedora-extras/poker-network-1.0.33-6.src.rpm

%changelog
* Fri Jan 19 2007 Christopher Stone <chris.stone> 1.0.33-6
- Add php to poker-web Requires (php-mysql does not pull it in)
- Add patch to fix --disable-poker2d config option
- Use --disable-poker2d option to reduce manually removing some files

Ooops and one last minute reupload fix:
- Remove no longer needed BuildRequires for poker2d package

Spec URL: http://tkmame.retrogames.com/fedora-extras/poker-network.spec
SRPM URL: http://tkmame.retrogames.com/fedora-extras/poker-network-1.0.33-7.src.rpm

%changelog
* Sat Jan 20 2007 Christopher Stone <chris.stone> 1.0.33-7
- Create a httpd poker-web.conf file from the .htaccess file
- Remove existing htaccess and apache.conf files
- Add new apache conf to %%files in poker-web
- Make symlink to constants.php relative

Spec URL: http://tkmame.retrogames.com/fedora-extras/poker-network.spec
SRPM URL: http://tkmame.retrogames.com/fedora-extras/poker-network-1.0.33-8.src.rpm

%changelog
* Sat Jan 20 2007 Christopher Stone <chris.stone> 1.0.33-8
- Readd poker-client-lib package to this spec file
- Readd %%{release} to packages that require poker-client-lib
- Remove manual removal of files since they are all in poker-client-lib
- Update comments on rpmlint errors

Spec URL: http://tkmame.retrogames.com/fedora-extras/poker-network.spec
SRPM URL: http://tkmame.retrogames.com/fedora-extras/poker-network-1.0.33-9.src.rpm

%changelog
* Sat Jan 20 2007 Christopher Stone <chris.stone> 1.0.33-9
- Fix init scripts, PYTHON_SITELIB substitution macro got lost
- Re-word poker-web README.Fedora file reflecting new changes

I'm having trouble running the poker-server due to a bad mysql password. Here's what I've done:

1. On a fresh box, install Rawhide with the latest updates
2. Install mysql-server, as well as the poker-server dependencies
3. Leave the settings in /etc/poker-network/poker.server.xml as the defaults
4. 'service mysqld start'
5. 'service poker-server start'
6. Look in /var/log/poker-server.log

Expected results:

Some sort of 'poker server started' success message

Observed results:

The attached stack trace

I tried using a shorter pokernetwork password in the mysql server, as well as an empty password, but I get the same results. I've also tried connecting to the mysql server as the pokernetwork user, using the password in poker.server.xml, but that fails as well.

Created attachment 146068 [details]
service startup failure log
Created attachment 146073 [details]
updated init file
New init file that properly detects if poker-server is already running based on
the pid in the pidfile.
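A pidfile-based status check of the kind the updated init file above performs, as an added example (this is not the attached init file or the poker-network package's own code; the pidfile path and service name are assumed placeholders). The point for a defender is that a pidfile left behind by a crashed run can name an unrelated process, so the script validates the contents before trusting them and never signals a pid it has not checked.

```shell
#!/bin/sh
# Added example, not from the poker-network package or the attached init file.
# Assumed defaults (hypothetical): the pidfile twistd writes and the service name.
PIDFILE=${PIDFILE:-/var/run/poker-server.pid}
PROCNAME=${PROCNAME:-poker-server}

# poker_status PIDFILE
# LSB-style return codes:
#   0  running
#   1  dead but pidfile exists (also used for an unreadable or garbage pidfile)
#   3  not running (no pidfile)
poker_status() {
    pidfile=$1
    [ -e "$pidfile" ] || return 3
    # Take only the first line and strip whitespace; twistd writes just the pid.
    pid=$(head -n 1 "$pidfile" 2>/dev/null | tr -d '[:space:]')
    # Accept a plain decimal pid only. Anything else is a stale or corrupt file;
    # a stop action that blindly did "kill $(cat pidfile)" could otherwise
    # signal whatever process now happens to own that number.
    case $pid in
        ''|*[!0-9]*) return 1 ;;
    esac
    # kill -0 sends no signal: it only reports whether the pid exists and we may
    # signal it. As root (the init script's normal caller) that means "exists".
    kill -0 "$pid" 2>/dev/null || return 1
    return 0
}

# Human-readable wrapper, what "service poker-server status" would print.
status_report() {
    poker_status "$PIDFILE"
    rc=$?
    case $rc in
        0) echo "$PROCNAME (pid $(head -n 1 "$PIDFILE")) is running..." ;;
        1) echo "$PROCNAME dead but pid file exists" ;;
        *) echo "$PROCNAME is stopped" ;;
    esac
    return $rc
}

# Run the report only when invoked as "script status", so sourcing is side-effect free.
case ${1:-} in
    status) status_report ;;
esac
```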
Two other issues that I've discovered while trying to run the server:

- Attempting to create a new user account through the poker-web interface fails. The web interface returns a cryptic string "type = 121, code = 1, message =", and attempts to log in using the new account fail.

- If selinux is enabled, then the web interface can't communicate with the poker-server backend. From the avc denial message, this appears to be because the web interface wants to establish a TCP connection to the poker server (port 19382), which is disallowed by the standard httpd policy.

Jan 20 22:20:52 localhost kernel: audit(1169360452.415:4): avc: denied { name_connect } for pid=2460 comm="httpd" dest=19382 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket

(In reply to comment #39)
> I'm having trouble running the poker-server due to a bad mysql password. Here's
> what I've done:
>
> 1. On a fresh box, install Rawhide with the latest updates
> 2. Install mysql-server, as well as the poker-server dependencies
> 3. Leave the settings in /etc/poker-network/poker.server.xml as the defaults
> 4. 'service mysqld start'
> 5. 'service poker-server start'
> 6. Look in /var/log/poker-server.log
>
> Expected results:
>
> Some sort of 'poker server started' success message
>
> Observed results:
>
> The attached stack trace
>
> I tried using a shorter pokernetwork password in the mysql server, as well as an
> empty password, but I get the same results. I've also tried connecting to the
> mysql server as the pokernetwork user, using the password in poker.server.xml,
> but that fails as well.

Okay, after some digging in the mysql manual I found this:

If you cannot figure out why you get Access denied, remove from the user table all entries that have Host values containing wildcards (entries that contain '%' or '_'). A very common error is to insert a new entry with Host='%' and User='some_user', thinking that this allows you to specify localhost to connect from the same machine. The reason that this does not work is that the default privileges include an entry with Host='localhost' and User=''. Because that entry has a Host value 'localhost' that is more specific than '%', it is used in preference to the new entry when connecting from localhost! The correct procedure is to insert a second entry with Host='localhost' and User='some_user', or to delete the entry with Host='localhost' and User=''. After deleting the entry, remember to issue a FLUSH PRIVILEGES statement to reload the grant tables.

So to fix this you have to drop all anonymous users in the user table. I will talk to upstream about this and see what they suggest. Might be best to change the user creation code to use a Host of 'localhost' instead of '%'.

Spec URL: http://tkmame.retrogames.com/fedora-extras/poker-network.spec
SRPM URL: http://tkmame.retrogames.com/fedora-extras/poker-network-1.0.33-10.src.rpm

%changelog
* Sun Jan 21 2007 Christopher Stone <chris.stone> 1.0.33-10
- Add better pid file checking in init scripts
- Add FLUSH PRIVILEGES to poker-web README.Fedora
- Add another CREATE USER statement to README.Fedora for localhost
- Add patch to properly create users in pokerdatabase.py

@wart: This version has a patch to create two user entries, one with a Host of '%' and a second with a host of 'localhost'. This should fix the localhost issues, please test. I've also updated the init scripts with your attached patch.

(In reply to comment #42)
> Two other issues that I've discovered while trying to run the server:
>
> - Attempting to create a new user account through the poker-web interface fails.
> The web interface returns a cryptic string "type = 121, code = 1, message =",
> and attempts to log in using the new account fail.

I cannot reproduce this error here. Can you try again with the new -10 release package? And with selinux disabled? I'll show it to upstream and see if they have any ideas.

> - If selinux is enabled, then the web interface can't communicate with the
> poker-server backend. From the avc denial message, this appears to be because
> the web interface wants to establish a TCP connection to the poker server (port
> 19382), which is disallowed by the standard httpd policy.
>
> Jan 20 22:20:52 localhost kernel: audit(1169360452.415:4): avc: denied {
> name_connect } for pid=2460 comm="httpd" dest=19382
> scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0
> tclass=tcp_socket

From the poker-server README.Fedora file:

poker-server uses the following IP ports:
19380 default
19381 is for SSL
19382 is for XMLRPC
18383 is for XMLRPC over SSL

So, do we need to add selinux policy rules for these ports? In my initial release I had something in the init scripts which I copied from one of your packages, but it was insufficient because you need to make a policy file too, which I do not know how to do. Should I try to contact some selinux guys to try and fix this for me?

Created attachment 146095 [details]
error log from poker-bot
/var/log/poker-bot.log containing error messages after starting poker-bot.
(In reply to comment #45) > (In reply to comment #42) > > Two other issues that I've discovered while trying to run the server: > > > > - Attempting to create a new user account through the poker-web interface fails. > > The web interface returns a cryptic string "type = 121, code = 1, message =", > > and attempts to log in using the new account fail. > > I cannot reproduce this error here. Can you try again with the new -10 release > package? And with selinux disabled? I'll show it to upstream and see if they > have any ideas. Problem found: There is a minimum limit of 5 characters for usernames. This error should be reported more clearly in the web interface. > > - If selinux is enabled, then the web interface can't communicate with the > > poker-server backend. From the avc denial message, this appears to be because > > the web interface wants to establish a TCP connection to the poker server (port > > 19382), which is disallowed by the standard httpd policy. > > > > Jan 20 22:20:52 localhost kernel: audit(1169360452.415:4): avc: denied { > > name_connect } for pid=2460 comm="httpd" dest=19382 > > scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 > > tclass=tcp_socket > > > > From the poker-server README.Fedora file: > > poker-server uses the following IP ports: > 19380 default > 19381 is for SSL > 19382 is for XMLRPC > 18383 is for XMLRPC over SSL > > So, do we need to add selinux policy rules for these ports? In my initial > release I had something in the init scripts which I copied from one of your > packages, but it was insufficient because you need to make a policy file too > which I do not know how to do. Should I try to contact so selinux guys to try > and fix this for me? I've passed this along to the fedora-selinux-list to ask for suggestions. GOOD ==== * rpmlint output: E: poker-network no-binary - poker-network is a library used by poker-server and others. The lack of a binary is not an error. 
E: poker-server non-readable /etc/poker-network/poker.server.xml 0600 - This file contains passwords for the server. It must have these permissions. E: poker-network-debuginfo empty-debuginfo-package - This should go away once the package becomes noarch (see MUSTFIX) * Source matches upstream 18538c17d8ab9796bd6cda846076a398c5f152a0 poker-network-1.0.33.tar.gz * package and spec file named appropriately * GPL license ok, license file included * spec file legible and in Am. English * Compiles and builds on FC6-i386, FC6-x86_64, FC7-i386, FC7-x86_64. Fails to build on FC-5 due to missing python-twisted-web * BR: look sane * File contents look ok * No locales (removed during install) * No static or shared libs * Not relocatable * Directory ownership ok * Duplicate license file in %files lists for subpackages, but I don't consider this a problem. * No need for -doc subpackage * %doc doesn't appear to be needed at runtime. * No .desktop file needed * Packages run on FC7-i386 (other platforms/arch not tested) MUSTFIX ======= * Upstream bug #1454 that will allow this to be a noarch package. * Create a 'poker' user for running the server for better security * /usr/share/doc/poker-network-1.0.33/NIHPHOBIA is cute, but not really necessary, is it? * Don't use %{version} in the patch filenames. The version in a patch filename is supposed to reflect the package version when the patch was first introduced, not the current package version. SHOULD ====== * Add selinux policies to poker-server for better security * Patch tests/Makefile.in and configure in poker-network-1.0.33-config.patch so that you don't have to call 'autoreconf' during %build. Hopefully upstream will adopt this patch in a new release so that it becomes a moot point. * Use %{_initrddir} instead of %{_sysconfdir}/init.d * Use double quotes around the sed regsub pattern to avoid potential problems if %{python_sitelib} were to ever contain a space. 
NOTES and Questions =================== * poker-network and poker2d (BZ #222612) use the same upstream source tarball, but different spec files. My understanding is that this is so that poker-network can be marked as 'noarch', while poker2d will contain arch-specific bits. As far as I am aware, there are no problems using the same source file for two different spec files, aside from duplication in the resulting srpm. * Why does the package contain a x509 certificate for 'webmaster@localhost'? One more SHOULD item: * Document the dependency of the currency type on the server url in poker.bot.xml. This seems to be a common source of confusion. I finally got selinux policies building in Rawhide again, and started looking at a policy for poker-server. In the init script, you invoke the service by invoking python with the script as an argument. In order to make selinux work with this, you should include a small wrapper script that does the same thing, and invoke this wrapper script from the init script. Something like: $ cat /usr/bin/poker-server #!/bin/sh /usr/bin/python /usr/bin/twistd --python /usr/lib/python2.5/site-packages/pokernetwork/pokerserver.py ${0+$@} And then in the init script, invoke the script as: /usr/bin/poker-server \ --pidfile=${pidfile} \ --logfile=${logfile} --quiet ${opt_args} \ --reactor=${reactor} This will allow the wrapper script to be labelled as pokerd_exec_t, whereas in the current setup, python itself must be labelled as pokerd_exec_t in order to execute in the proper domain. 
Spec URL: http://tkmame.retrogames.com/fedora-extras/poker-network.spec
SRPM URL: http://tkmame.retrogames.com/fedora-extras/poker-network-1.0.34-1.src.rpm

%changelog
* Wed Jan 24 2007 Christopher Stone <chris.stone> 1.0.34-1
- Upstream sync
- Add a wrapper script for init files to help SElinux
- invoke wrapper script using daemon --user=POKER_USER
- add sed command to fill in POKER_USER in init files
- remove old config patch which is fixed in this release
- add new config patch to configure as noarch package
- comment out make check in spec
- Remove adduser call in %%pre and use userid of games instead

* Mon Jan 22 2007 Christopher Stone <chris.stone> 1.0.33-11
- Remove poker-server and poker-web Requires from poker-bot
- Remove NIHPHOBIA from %%doc
- Remove %%{version} from patch names
- Replace %%{_sysconfdir}/init.d with %%{_initrddir}
- Document relation between currency and URL in poker-web/README.Fedora
- Add a poker-bot/README.Fedora file for explaining cash-in URLs
- Change permissions on poker.server.xml to readable
- Add permission changing to instructions in poker-server/README.Fedora
- Add creation of %%{poker_user} user id to run poker-server
- Create a directory for poker-server log files
- Add poker-server run and log directories to poker-server %%files
- Change ownership of poker-server run/log directories to %%{poker_user}

NOTE: service poker-server status does not work. No matter what I try. I think
we have to write our own status function for this, what do you think?

> MUSTFIX
> =======
> * Upstream bug #1454 that will allow this to be a noarch package.

Should be fixed.

> * Create a 'poker' user for running the server for better security

I used user "games" instead.

> * /usr/share/doc/poker-network-1.0.33/NIHPHOBIA is cute, but not really
>   necessary, is it?

Removed.

> * Don't use %{version} in the patch filenames. The version in a patch
>   filename is supposed to reflect the package version when the patch
>   was first introduced, not the current package version.

Fixed.

> SHOULD
> ======
> * Add selinux policies to poker-server for better security

Need help from you on this.

> * Patch tests/Makefile.in and configure in poker-network-1.0.33-config.patch
>   so that you don't have to call 'autoreconf' during %build. Hopefully
>   upstream will adopt this patch in a new release so that it becomes a
>   moot point.

They will, not sure it's worth the effort since the patch will be in the next
release.

> * Use %{_initrddir} instead of %{_sysconfdir}/init.d

Done.

> * Use double quotes around the sed regsub pattern to avoid potential
>   problems if %{python_sitelib} were to ever contain a space.

There already are double quotes around this path in the init file.

> NOTES and Questions
> ===================
> * poker-network and poker2d (BZ #222612) use the same upstream source
>   tarball, but different spec files. My understanding is that this is
>   so that poker-network can be marked as 'noarch', while poker2d will contain
>   arch-specific bits. As far as I am aware, there are no problems
>   using the same source file for two different spec files, aside from
>   duplication in the resulting srpm.

No, the packages are separated because they need to use different %configure
options. The fact that it allows us to make one package noarch is a beneficial
side-effect.

> * Why does the package contain a x509 certificate for 'webmaster@localhost'?

09:38:57 XulChris | dachary: reviewer wants to know: "Why does the package contain a x509 certificate for 'webmaster@localhost'?"
09:38:57 dachary | :-)
09:39:12 dachary | for the SSL conx to the poker server
09:39:46 XulChris | dachary: i dont know anything about x509 certificates, but what if you dont have a webmaster user name or use "localhost"?
09:40:12 dachary | it's a self signed certificate
09:40:21 dachary | the email does not matter much
09:40:33 XulChris | so its nothing i have to generate at build time then?
09:40:41 dachary | it's a place holder that must be replaced if you're serious about security
09:40:47 dachary | no

(In reply to comment #53)
> > MUSTFIX
> > * Create a 'poker' user for running the server for better security
>
> I used user "games" instead.

Better to use a custom user account and not the overloaded 'games' account.
This helps prevent a security breach from one game using the 'games' account
from compromising other games using the 'games' account. This will require
using 'useradd' in the %pre scriptlet.

> > * Add selinux policies to poker-server for better security
>
> Need help from you on this.

I'm working on it...

> > * Use double quotes around the sed regsub pattern to avoid potential
> >   problems if %{python_sitelib} were to ever contain a space.
>
> There already are double quotes around this path in the init file.

But the sed command itself would fail if %{python_sitelib} contained a space,
unless you surround the regsub pattern with double-quotes.

> > NOTES and Questions
> > ===================
> > * Why does the package contain a x509 certificate for 'webmaster@localhost'?
> >
>
> 09:38:57 XulChris | dachary: reviewer wants to know: "Why does the package
> contain a x509 certificate for 'webmaster@localhost'?"
> 09:38:57 dachary | :-)
> 09:39:12 dachary | for the SSL conx to the poker server
> 09:39:46 XulChris | dachary: i dont know anything about x509 certificates,
> but what if you dont have a webmaster user name or use "localhost"?
> 09:40:12 dachary | it's a self signed certificate
> 09:40:21 dachary | the email does not matter much
> 09:40:33 XulChris | so its nothing i have to generate at build time then?
> 09:40:41 dachary | it's a place holder that must be replaced if you're
> serious about security
> 09:40:47 dachary | no

I suspected it was something like this. poker-server admins should be aware
that using the default x509 cert provides no security at all, since everyone
has access to the certificate's private key. Please document this in
README.Fedora.

Spec URL: http://tkmame.retrogames.com/fedora-extras/poker-network.spec
SRPM URL: http://tkmame.retrogames.com/fedora-extras/poker-network-1.0.34-2.src.rpm

%changelog
* Wed Jan 24 2007 Christopher Stone <chris.stone> 1.0.34-2
- Write own status function using isrunning to poker-server/bot init
- Fix some errors in init files
- Change %%{poker_user} from games to poker
- Add useradd call in %%pre for poker-server
- Add note in poker-server README about x509 certificate
- Add quotes around sed expression

Spec URL: http://tkmame.retrogames.com/fedora-extras/poker-network.spec
SRPM URL: http://tkmame.retrogames.com/fedora-extras/poker-network-1.0.34-3.src.rpm

%changelog
* Fri Jan 26 2007 Christopher Stone <chris.stone> 1.0.34-3
- Use %%{name} where poker-network is found in spec
- Keep poker.server.xml 0600 and update Fedora.README accordingly
- Remove poker-network-init selinux wrapper script
- Create poker-server-selinux and poker-bot-selinux wrapper scripts
- Create poker-server-selinux and poker-bot-selinux sub-packages
- Add sed substitutions to selinux wrapper scripts
- Modify init scripts to check for selinux wrapper script
- Change "mkdir -p" instances to "install -d"

Is it really worth having separate selinux subpackages for poker-server and
poker-bot? What's the advantage of this approach rather than a combined
package that handles both?

The selinux stuff is in a state of flux right now as wart and I implement it.
I added both a poker-network and poker-bot selinux subpackage for consistency.
I planned to ask wart if this was necessary, but I have not had the chance to
ask him yet.
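The point made above about the shipped x509 placeholder (everyone who has the package has its private key) is easy for an admin to miss even with a README note. As an added example that is not part of the package or of this review, the script below tells the packaged placeholder apart from a real certificate by fingerprint and checks that the key file is not readable by other users. The fingerprint is SHA-256 over the DER bytes of the first CERTIFICATE block, which is the same value `openssl x509 -noout -fingerprint -sha256` prints once the colons are removed and it is lowercased, so the placeholder's fingerprint could be recorded in the spec at build time. The file paths, the "recorded" fingerprint and the sample PEM are constructed for the example and are not the package's real files; the sample PEM body is base64 of arbitrary bytes, not a real X.509 structure, because only the hashing and comparison are being demonstrated. It assumes GNU coreutils (base64, sha256sum).

```shell
#!/bin/sh
# Added example: detect the packaged placeholder certificate and an exposed key.
# Paths, the placeholder fingerprint and the sample PEM are constructed for this
# example; they are not the files shipped by poker-network.

# SHA-256 over the DER bytes of the first CERTIFICATE block in a PEM file.
# Matches `openssl x509 -noout -fingerprint -sha256 -in FILE` (colons removed,
# lowercased) without needing openssl at check time.
cert_fingerprint() {   # usage: cert_fingerprint PEM_FILE
    awk '/^-----BEGIN CERTIFICATE-----/ { f = 1; next }
         /^-----END CERTIFICATE-----/   { exit }
         f' "$1" | tr -d '\r\n ' | base64 -d | sha256sum | cut -d' ' -f1
}

# Exit status: 0 cert and key look fine, 1 problems found, 2 not a PEM cert.
check_server_cert() {   # usage: check_server_cert CERT_FILE KEY_FILE PLACEHOLDER_FP
    cert=$1 key=$2 placeholder=$3 rc=0
    grep -q '^-----BEGIN CERTIFICATE-----' "$cert" 2>/dev/null || {
        echo "$cert: not a PEM certificate" >&2; return 2; }
    fp=$(cert_fingerprint "$cert")
    if [ "$fp" = "$placeholder" ]; then
        echo "WARNING: $cert is the packaged placeholder; its private key is public" >&2
        rc=1
    fi
    # Anyone who can read the key can impersonate the server. Characters 5-10
    # of `ls -l` are the group and other permission bits; require all off.
    case $(ls -ld "$key" 2>/dev/null | cut -c5-10) in
        ------) ;;
        *) echo "WARNING: $key is readable by users other than its owner" >&2; rc=1 ;;
    esac
    return $rc
}

# Writes a constructed "certificate" whose body is base64 of the given bytes.
# It is NOT a real X.509 structure; it stands in for the packaged placeholder.
write_constructed_pem() {   # usage: write_constructed_pem FILE "bytes"
    {
        echo '-----BEGIN CERTIFICATE-----'
        printf '%s' "$2" | base64
        echo '-----END CERTIFICATE-----'
    } > "$1"
}

# Stand-alone demonstration with constructed files in a temporary directory.
tmp=$(mktemp -d)
write_constructed_pem "$tmp/server.pem" "constructed placeholder bytes"
: > "$tmp/server.key"; chmod 644 "$tmp/server.key"
# In a real package this value would be recorded at build time (assumption).
PLACEHOLDER_FP=$(cert_fingerprint "$tmp/server.pem")
if check_server_cert "$tmp/server.pem" "$tmp/server.key" "$PLACEHOLDER_FP"; then
    echo "certificate and key look fine"
else
    echo "problems found, exit status $?"
fi
rm -rf "$tmp"
```

Run against the real files, the same check could sit in the init script's start path (warn, or refuse to start with the placeholder when a "strict" option is set), which is harder to overlook than a README.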
We've discussed this a bit on IRC, and I think I've found a reasonable
solution.

One selinux subpackage will be needed (poker-selinux), and it will contain
only the selinux policy files, not the wrapper scripts. poker-selinux will not
need 'Requires: poker-server'.

Since the wrapper scripts are generic enough to be used when selinux is
enabled or disabled, there doesn't need to be a conditional in the init script
to call them if they are present. The wrapper scripts can safely move to the
corresponding poker-bot and poker-server subpackages.

poker-web requires the selinux policies in order to function, since it
requires giving permission to httpd to connect to the pokerd_port_t ports. So
poker-web will need "Requires: poker-selinux". If poker-web is installed with
poker-server and/or poker-bot, this will enforce selinux protection on those
two packages as well. The protection for poker-bot/poker-server can be
disabled, however, by using 'setsebool pokerd_disable_trans on' without
affecting the selinux rules needed for poker-web. But if poker-server/poker-bot
are installed without poker-web, then the selinux protection is only available
if the admin installs poker-selinux manually.

I'm testing out these changes now and will attach updates for the spec file
and init scripts when ready.

Created attachment 146755 [details]
selinux file updates
The attached tarball contains the selinux policy files and the corresponding
changes to the init scripts and spec file.
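The attached init script changes are not visible here, and the earlier note that `service poker-server status` did not work (leading to a hand-written status function) does not say why. As an added example that is not the package's init script, this is the shape such a function can take without relying on the `status` helper from /etc/rc.d/init.d/functions: it uses the LSB exit codes (0 running, 1 dead but pidfile exists, 3 not running, 4 status unknown) and, because /var/run/poker-network is owned by the daemon user, it refuses to trust a pid in the pidfile unless that process really runs as that user, so a `stop` run by root cannot be steered into signalling an unrelated process. The pidfile path and the daemon user name are assumptions; the check reads /proc and falls back to `ps`.

```shell
#!/bin/sh
# Added example, not the poker-server init script: a pidfile-based status check
# with LSB exit codes (0 running, 1 dead but pidfile exists, 3 not running,
# 4 status unknown). Paths and the daemon user name are assumptions.

pid_owner_uid() {   # prints the real uid of PID; empty if it cannot be determined
    if [ -r "/proc/$1/status" ]; then
        awk '/^Uid:/ { print $2 }' "/proc/$1/status"
    else
        ps -o uid= -p "$1" 2>/dev/null | tr -d ' '
    fi
}

poker_status() {   # usage: poker_status PIDFILE EXPECTED_USER
    pidfile=$1 expected_user=$2
    [ -f "$pidfile" ] || return 3
    pid=$(tr -d '[:space:]' < "$pidfile")
    case $pid in
        ''|*[!0-9]*) echo "$pidfile: malformed pid '$pid'" >&2; return 4 ;;
    esac
    # Process gone: the pidfile is stale (kill -0 is the fallback without /proc).
    [ -d "/proc/$pid" ] || kill -0 "$pid" 2>/dev/null || return 1
    # The pidfile directory is owned by the daemon user, so a compromised
    # daemon can write any pid there. Only trust it if that process really
    # runs as the daemon user; otherwise 'stop' run by root could signal an
    # unrelated process.
    if [ "$(pid_owner_uid "$pid")" != "$(id -u "$expected_user" 2>/dev/null)" ]; then
        echo "$pidfile names pid $pid, which does not run as $expected_user" >&2
        return 4
    fi
    echo "poker-server (pid $pid) is running..."
}

poker_stop() {   # usage: poker_stop PIDFILE EXPECTED_USER
    poker_status "$1" "$2" >/dev/null && rc=0 || rc=$?
    case $rc in
        0) kill -TERM "$(tr -d '[:space:]' < "$1")" && rm -f "$1" ;;
        1) rm -f "$1" ;;        # nothing to signal; discard the stale pidfile
        *) return "$rc" ;;
    esac
}

# Stand-alone demonstration: this shell's own pid in a constructed pidfile.
demo=$(mktemp); echo $$ > "$demo"
poker_status "$demo" "$(id -un)"
rm -f "$demo"
```

In the init script, `status)` would call `poker_status "$pidfile" "$POKER_USER"` and `exit $?`, and `stop)` would go through `poker_stop` so the ownership check is applied before any signal is sent.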
The dependency of poker-web on poker-selinux is debatable. Many people, for
reasons best known to themselves, run web servers with SELinux disabled or in
permissive mode. For these people, it's not necessary to have poker-selinux in
order for poker-web to work. So the alternatives are either:

1. Include the dependency (the status quo) and possibly pull in lots of
   additional packages (potentially the whole SELinux ecosystem on a system
   not currently using SELinux).

2. Omit the dependency and possibly confuse users that don't know about the
   -selinux subpackage. I know that this can happen despite the inclusion of
   a README.SELinux file in a main package that explains about installing the
   -selinux subpackage, even from experienced people that really should know
   better (I maintain the mod_fcgid package in Extras, which has a -selinux
   subpackage that is not a hard dependency).

A decision for the maintainer I think; just be aware of the pros and cons each
way.

I think the best solution would be to move the selinux policy into the
reference policy, and use a boolean to enable/disable the
http-can-talk-to-pokerd bits. Until then, I guess the maintainer can choose to
add the Requires or not.

(In reply to comment #62)
> I think the best solution would be to move the selinux policy into the reference
> policy, and use a boolean to enable/disable the http-can-talk-to-pokerd bits.
> Until then, I guess the maintainer can choose to add the Requires or not.

Agree 100%

Spec URL: http://tkmame.retrogames.com/fedora-extras/poker-network.spec
SRPM URL: http://tkmame.retrogames.com/fedora-extras/poker-network-1.0.35-1.src.rpm

%changelog
* Tue Feb 13 2007 Christopher Stone <chris.stone> 1.0.35-1
- Upstream sync
- Add selinux changes from wart
- Remove patches applied upstream

I have no idea what it means to "move the selinux policy into the reference
policy, and use a boolean to enable/disable the http-can-talk-to-pokerd bits."
However, I don't like the idea of requiring something that isn't technically
necessary, so I left out the requires of the selinux package for poker-web.

* Source still matches upstream
* rpmlint warnings, all of which are safe to ignore:

  E: poker-server non-standard-uid /var/run/poker-network poker
  E: poker-server non-standard-uid /etc/poker-network/poker.server.xml poker
  E: poker-server non-standard-uid /var/log/poker-network poker
  - non-standard users are recommended for game servers. Safe to ignore.

  E: poker-server non-readable /etc/poker-network/poker.server.xml 0600
  - Contains database password. Must be read-restricted.

  W: poker-server log-files-without-logrotate /var/log/poker-network
  - Application rotates its own log files

All other MUSTFIX and SHOULD items fixed.

I had to modify the selinux policy slightly to get it to work. Feel free to
update the policy file before importing.

APPROVED

Created attachment 148298 [details]
updated policy file
Updated policy file to allow poker-bot to connect to the poker-web interface.
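The rpmlint `non-standard-uid` lines in the approval above are acceptable only because the files belong to a dedicated `poker` account rather than the shared `games` account, as asked for earlier in the review. As an added example (not the package's own %pre scriptlet), this is the idempotent shape Fedora packages use to create such an account: a system account with no login shell, created only if it does not already exist, so repeated installs and upgrades neither fail nor change an existing uid. It also refuses an account that resolves to uid 0, since running the daemon as root is exactly what the dedicated user is meant to prevent. The home directory path and the comment string are assumptions.

```shell
#!/bin/sh
# Added example: idempotent creation of an unprivileged service account, as an
# rpm %pre scriptlet would do it. Names and paths are assumptions for the example.

ensure_service_account() {   # usage: ensure_service_account USER GROUP HOMEDIR COMMENT
    user=$1 group=$2 home=$3 comment=$4
    # getent consults NSS (LDAP, etc.), not only /etc/passwd, so an account
    # defined elsewhere is respected instead of being duplicated.
    getent group "$group" >/dev/null || groupadd -r "$group" || return 1
    getent passwd "$user" >/dev/null ||
        useradd -r -g "$group" -d "$home" -s /sbin/nologin -c "$comment" "$user" ||
        return 1
    # Whatever exists now must not be root: the point of the account is to
    # run the daemon with no more privilege than its own files need.
    if [ "$(id -u "$user" 2>/dev/null)" = 0 ]; then
        echo "refusing to run the service as $user (uid 0)" >&2
        return 1
    fi
    return 0
}

# In the spec this becomes (assumed subpackage name and paths):
#   %pre server
#   ensure_service_account poker poker /var/run/poker-network "Poker server" || :
# and the init script then starts the daemon as that user, e.g.
#   daemon --user=poker /usr/bin/poker-server ...
```

Because the account is never removed in %postun (files it owns would otherwise be orphaned to a reusable uid), the `getent` checks are what keep a later reinstall from failing on "user already exists".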
Imported and built on FC-5/6/7. Thanks to everyone who helped out in this review!