Bug 219972 (poker-network)

Summary: Review Request: poker-network - A poker server, client and abstract user interface library
Product: [Fedora] Fedora
Reporter: Christopher Stone <chris.stone>
Component: Package Review
Assignee: Wart <wart>
Status: CLOSED NEXTRELEASE
QA Contact: Fedora Package Reviews List <fedora-package-review>
Severity: medium
Priority: medium
Version: rawhide
CC: jspaleta, paul
Flags: wtogami: fedora-cvs+
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2007-02-20 03:06:03 UTC
Bug Depends On: 171543, 208169, 216105
Bug Blocks: 163779, 222612
Attachments (description, flags):
- service startup failure log (flags: none)
- updated init file (flags: none)
- error log from poker-bot (flags: none)
- selinux file updates (flags: none)
- updated policy file (flags: none)

Description Christopher Stone 2006-12-17 23:53:24 UTC
Spec URL: http://tkmame.retrogames.com/fedora-extras/poker-network.spec
SRPM URL: http://tkmame.retrogames.com/fedora-extras/poker-network-1.0.32-1.src.rpm

Description:
Base package for poker client and server.

There are still some issues which I have noted in the spec file.  Putting package up for review comments in the meantime.

Comment 1 Christopher Stone 2006-12-18 17:55:17 UTC
I read http://fedoraproject.org/wiki/PackagingDrafts/SELinux and the problem is
that I do not run selinux myself, so I do not know what (if anything) is
required to run this with selinux.

Should I remove the selinux stuff from the init script?

Comment 2 Wart 2006-12-18 18:08:40 UTC
Yes, just turn it off for now until the selinux bits are ready, otherwise the
semanage bits in the init script will generate an error.

Comment 3 Paul Howarth 2006-12-18 18:15:03 UTC
(In reply to comment #1)
> I read http://fedoraproject.org/wiki/PackagingDrafts/SELinux and the problem is
> that I do not run selinux myself, so I do not know what (if anything) is
> required to run this with selinux.
> 
> Should I remove the selinux stuff from the init script?

IMHO yes. In the absence of an SELinux policy for the server, it will run
"unconfined" by SELinux, and there will be no definition of the type
pokerserver_port_t, so the semanage call to assign that type to a specific port
number won't work. Someone would have to write a policy for the server to make
any of that worthwhile.

Which is pretty much what Wart said, only he said it quicker than me :-)

Comment 4 Christopher Stone 2006-12-18 18:30:39 UTC
Spec URL: http://tkmame.retrogames.com/fedora-extras/poker-network.spec
SRPM URL: http://tkmame.retrogames.com/fedora-extras/poker-network-1.0.32-1.src.rpm

%changelog
* Mon Dec 18 2006 Christopher Stone <chris.stone> 1.0.32-2
- Remove semanage call in init file until an selinux policy is written
- Add comment to %%check section indicating that it is not functional
- Update TODO comments


Comment 5 Christopher Stone 2006-12-18 18:31:45 UTC
oops, SRPM URL for comment #4 should be:
SRPM: http://tkmame.retrogames.com/fedora-extras/poker-network-1.0.32-2.src.rpm


Comment 6 Christopher Stone 2006-12-30 01:20:26 UTC
Spec URL: http://tkmame.retrogames.com/fedora-extras/poker-network.spec
SRPM URL: http://tkmame.retrogames.com/fedora-extras/poker-network-1.0.32-3.src.rpm

%changelog
* Fri Dec 29 2006 Christopher Stone <chris.stone> 1.0.32-3
- Update BR/R to new python-twisted stack


Comment 7 Jef Spaleta 2006-12-31 06:08:00 UTC
builds in mock in fc6 and devel on x86.
I'm going through this now, doing a detailed review.

PROBLEM #1:
poker2d desktopfile has the EXEC in the wrong location.
should be EXEC=%{_exec_prefix}/games/poker2d
because %{_exec_prefix}/games/poker2d

because /usr/games is not in the standard executable path.

PROBLEM #2:
On my fc-6 system gnome seems to be unable to recognize that poker2D.xpm is
there. Even if I create a custom panel launcher and attempt to select the
poker2D.xpm from the pixmap directory in the icon chooser interface, it throws
an icon 'poker@D' not found error dialog. Do we have to do something silly and
convert this to png?

-jef

Comment 8 Jef Spaleta 2006-12-31 06:09:00 UTC
Oops, the error reads poker2d, the @ was a typo on my part

Comment 9 Jef Spaleta 2006-12-31 06:32:34 UTC
Clarification:

Are we running counter to the python module naming scheme in the naming guidance?

Shouldn't it be python-poker-network and python-poker-client-lib because these
are primarily python modules which can be used to develop multiple applications?

poker-bot  poker-server  poker-web and poker2d look fine to me as names because
they are the application level items which sit on top of pokernetwork or
poker-client-lib.   

Did this naming issue come up with poker-engine?  I'm not convinced this is
enough to block on, especially now that poker-engine is already in the tree.

-jef



Comment 10 Jef Spaleta 2006-12-31 07:09:59 UTC
PROBLEM #3: poker-network-devel needs to require pkgconfig

MUST: Packages containing pkgconfig(.pc) files must 'Requires: pkgconfig' (for
directory ownership and usability).


Clarification:
is %{_libdir}/%{name}/poker-interface a shared library? I don't think it is but
I just want to be sure.



Comment 11 Jef Spaleta 2006-12-31 07:27:03 UTC
poker2d appears to work.  I haven't had a chance to test the server related
subpackages. 

I'm not a kde user, so forgive me if I sound ignorant, but the payload for
poker2d-kde looks very thin to me.  Is the payload really only supposed to be:
/usr/share/apps/khotkeys/poker2d.khotkeys
/usr/share/doc/poker2d-kde-1.0.32
/usr/share/doc/poker2d-kde-1.0.32/COPYING


-jef

Comment 12 Christopher Stone 2006-12-31 18:42:47 UTC
(In reply to comment #7)
> builds in mock in fc6 and devel on x86.
> I'm going through this now, doing a detailed review.
> 
> PROBLEM #1:
> poker2d desktopfile has the EXEC in the wrong location.
> should be EXEC=%{_exec_prefix}/games/poker2d
> because %{_exec_prefix}/games/poker2d

Fixed this.

> 
> because /usr/games is not in the standard executable path.
> 
> PROBLEM #2:
> On my fc-6 system gnome seems to be unable to recognize that poker2D.xpm is
> there. Even if I create a custom panel launcher and attempt to select the
> poker2D.xpm from the pixmap directory in the icon chooser interface, it throws
> an icon 'poker@D' not found error dialog. Do we have to do something silly and
> convert this to png?

I asked in #fedora-packaging about icons placed in pixmap directory, and this is
the reply:

15:27:20  XulChris | if upstream installs in icon in %{_datadir}/pixmaps/ should it be moved to %{_datadir}/icons/ instead and run gtk-update-icon-cache?
15:28:02  XulChris | or should it just be left in pixmaps/ w/o running gtk-update-icon-cache?
17:49:19       --- | User: *** rdieter_away is now known as rdieter1
18:05:45  rdieter1 | XulChris: imo, move it, yadda, and ping upstream to do the same.

So perhaps moving the icon to the icons/ directory will fix it in GNOME? Not
sure since I run KDE. I will try moving the icons in the spec; let me know if it
fixes it in GNOME.



Comment 13 Christopher Stone 2006-12-31 18:45:37 UTC
(In reply to comment #9)
> Clarification:
> 
> Are we running counter to the python module naming scheme in the naming guidance?
> 
> Shouldn't it be python-poker-network and python-poker-client-lib because these
> are primarily python modules which can be used to develop multiple applications?

Let me get clarification on upstream with this.  I think debian has the same
policy, and upstream packages for debian so let me see what they say.  I'll get
back to you on this.

Comment 14 Christopher Stone 2006-12-31 18:47:17 UTC
(In reply to comment #10)
> PROBLEM #3: poker-network-devel needs to require pkgconfig
> 
> MUST: Packages containing pkgconfig(.pc) files must 'Requires: pkgconfig' (for
> directory ownership and usability).

Fixed.

> 
> 
> Clarification:
> is %{_libdir}/%{name}/poker-interface a shared library? I don't think it is but
> I just want to be sure.
> 
> 

I will ask upstream to make sure. Will get back to you on this item as well.

Comment 15 Christopher Stone 2006-12-31 18:50:34 UTC
(In reply to comment #11)
> poker2d appears to work.  I haven't had a chance to test the server related
> subpackages. 
> 
> I'm not a kde user, so forgive me if I sound ignorant, but the payload for
> poker2d-kde looks very thin to me.  Is the payload really only supposed to be:
> /usr/share/apps/khotkeys/poker2d.khotkeys
> /usr/share/doc/poker2d-kde-1.0.32
> /usr/share/doc/poker2d-kde-1.0.32/COPYING

This is done on purpose.  Otherwise a user would have to install kdebase to pick
up the /usr/share/apps/khotkeys/ directory when they install poker2d which is
probably not what people want to do if they do not have KDE installed.  Having a
package with a single file in it I deemed a better alternative than requiring
kdebase just to install poker2d, and poker2d does not need kdebase to run.

So basically it's just a directory ownership issue.

Comment 16 Christopher Stone 2006-12-31 23:35:56 UTC
(In reply to comment #14)
> (In reply to comment #10)
> > Clarification:
> > is %{_libdir}/%{name}/poker-interface a shared library? I don't think it is but
> > I just want to be sure.
> > 
> > 
> 
> I will ask upstream to make sure. Will get back to you on this item as well.

dachary |  poker-interface is a shared library (really a python module but a
shared library)

Comment 17 Jef Spaleta 2007-01-01 00:32:24 UTC
(In reply to comment #16)
> 
> dachary |  poker-interface is a shared library (really a python module but a
> shared library)

Considering where it is placed on disk.. doesn't this mean you need to run
ldconfig in the postinstall scriptlet?


What is confusing is why it's placed in /usr/lib/poker-network/poker-interface
instead of under /usr/lib/python2.4/site-packages/pokerclient2d ?

I don't think it's really meant to be in the general ldconfig path. If it's meant
as a library to be used from python bindings only, it's best to place it into the
python module tree of interest. There are several examples of this sort of .so
inclusion in the python module directory already in Fedora space, python-numeric
being one specific case.

And shouldn't the filename end with the .so extension for clarity?


-jef

Comment 18 Christopher Stone 2007-01-02 04:28:07 UTC
Spec URL: http://tkmame.retrogames.com/fedora-extras/poker-network.spec
SRPM URL: http://tkmame.retrogames.com/fedora-extras/poker-network-1.0.32-3.src.rpm

%changelog
* Sun Dec 31 2006 Christopher Stone <chris.stone> 1.0.32-4
- Add full path to exec in desktop file
- Add pkgconfig to devel subpackage
- Convert icons to png format and store in icons directory
- Update TODO

Jef: Can you test the icons out on this release? Thx

Comment 19 Christopher Stone 2007-01-02 04:49:23 UTC
(In reply to comment #18)
> Spec URL: http://tkmame.retrogames.com/fedora-extras/poker-network.spec
> SRPM URL: http://tkmame.retrogames.com/fedora-extras/poker-network-1.0.32-3.src.rpm

Ack, this is supposed to be:
http://tkmame.retrogames.com/fedora-extras/poker-network-1.0.32-4.src.rpm

I apologize, I am notoriously bad for copy&pasting without updating.

Comment 20 Jef Spaleta 2007-01-02 06:13:40 UTC
Menu entry and menu icons appear to be working in this release.

I think the only important thing left is the issue of whether
/usr/lib/poker-network/poker-interface  should be moved to
/usr/lib/python2.4/site-packages/pokerclient2d and if it should be renamed to
poker-interface.so for clarity.

the python add-on package naming issue is less clear since there are already
poker-whatever packages in the tree which you'd have to also rename to meet the
python-whatever guidance. I'm not going to block on that since these poker-*
packages make a consistent naming group.  If someone else has a problem with it,
you'll have to go into the tree later and rename and do some virtual providing.

-jef

Comment 21 Christopher Stone 2007-01-02 22:53:44 UTC
Spec URL: http://tkmame.retrogames.com/fedora-extras/poker-network.spec
SRPM URL: http://tkmame.retrogames.com/fedora-extras/poker-network-1.0.32-5.src.rpm

%changelog
* Tue Jan 02 2007 Christopher Stone <chris.stone> 1.0.32-5
- Move poker-interface to %%{python_sitearch}/pokerclient2d
- Remove TODO comments


Comment 22 Christopher Stone 2007-01-03 17:45:13 UTC
Reblocking bug #171543 even though twisted-core and web are in FC6, it was
agreed that we wait until all python-twisted packages are in FC6 before
branching to provide the smoothest upgrade path possible.

Comment 23 Christopher Stone 2007-01-05 20:22:08 UTC
Spec URL: http://tkmame.retrogames.com/fedora-extras/poker-network.spec
SRPM URL: http://tkmame.retrogames.com/fedora-extras/poker-network-1.0.32-6.src.rpm

%changelog
* Fri Jan 05 2007 Christopher Stone <chris.stone> 1.0.32-6
- Replace pkgconfig with poker-eval-devel


Comment 24 Christopher Stone 2007-01-10 21:12:17 UTC
Spec URL: http://tkmame.retrogames.com/fedora-extras/poker-network.spec
SRPM URL: http://tkmame.retrogames.com/fedora-extras/poker-network-1.0.32-7.src.rpm

%changelog
* Wed Jan 10 2007 Christopher Stone <chris.stone> 1.0.32-7
- Keep permissions 600 for poker.server.xml file


Comment 25 Christopher Stone 2007-01-10 23:33:46 UTC
Spec URL: http://tkmame.retrogames.com/fedora-extras/poker-network.spec
SRPM URL: http://tkmame.retrogames.com/fedora-extras/poker-network-1.0.32-8.src.rpm

%changelog
* Wed Jan 10 2007 Christopher Stone <chris.stone> 1.0.32-8
- Move poker-interface to %%{_libexecdir}
- Package poker-interface with poker-client-lib
- Remove no longer needed shared lib patch


Comment 26 Christopher Stone 2007-01-11 17:58:57 UTC
Spec URL: http://tkmame.retrogames.com/fedora-extras/poker-network.spec
SRPM URL: http://tkmame.retrogames.com/fedora-extras/poker-network-1.0.33-1.src.rpm

%changelog
* Thu Jan 11 2007 Christopher Stone <chris.stone> 1.0.33-1
- Upstream sync
- Add %%find_lang for new locales


Comment 27 Christopher Stone 2007-01-15 07:45:57 UTC
Spec URL: http://tkmame.retrogames.com/fedora-extras/poker-network.spec
SRPM URL: http://tkmame.retrogames.com/fedora-extras/poker-network-1.0.33-2.src.rpm

%changelog
* Sun Jan 14 2007 Christopher Stone <chris.stone> 1.0.33-2
- Split out poker-client-lib/poker2d files into another spec file
- Add Requires apg and poker-web to poker-bot
- No longer remove symlinks for constants.php and htaccess
- Create a README.Fedora for poker-web package
- Reduce initial number of bots to four due to a bug

rpmlint errors:
E: poker-network no-binary
E: poker-network-debuginfo empty-debuginfo-package

These are because poker2d is packaged with this upstream.  This will be fixed
when poker2d is out of alpha mode.

E: poker-server non-readable /etc/poker-network/poker.server.xml 0600

This is because the mysql root password is in this file.

E: poker-web htaccess-file /usr/share/poker-web/.htaccess

I don't understand this error.


Comment 28 Paul Howarth 2007-01-15 08:36:01 UTC
(In reply to comment #27)
> E: poker-web htaccess-file /usr/share/poker-web/.htaccess
> 
> I don't understand this error.

.htaccess files are frowned upon because the same effect can usually be achieved
by adding an appropriate <Directory> clause in a .conf file dropped into
/etc/httpd/conf.d. This then allows the use of "AllowOverride None" for that
directory, meaning that httpd doesn't need to check for .htaccess files for
every access, and is hence a performance benefit.


Comment 29 Jef Spaleta 2007-01-16 10:11:09 UTC
http://tkmame.retrogames.com/fedora-extras/poker-network-1.0.33-2.src.rpm

This did not rebuild cleanly in mock against either fc6 or development.

snippet of build.log from fc6 build attempt:

RPM build errors:
    File not found: /var/tmp/poker-network-1.0.33-2.fc6-root-mockbuild/usr/lib/python2.4/site-packages/pokernetwork
    File not found by glob: /var/tmp/poker-network-1.0.33-2.fc6-root-mockbuild/usr/lib/python2.4/site-packages/pokernetwork/__init__*
    File not found by glob: /var/tmp/poker-network-1.0.33-2.fc6-root-mockbuild/usr/lib/python2.4/site-packages/pokernetwork/dispatch*
    File not found by glob: /var/tmp/poker-network-1.0.33-2.fc6-root-mockbuild/usr/lib/python2.4/site-packages/pokernetwork/packets*
    File not found by glob: /var/tmp/poker-network-1.0.33-2.fc6-root-mockbuild/usr/lib/python2.4/site-packages/pokernetwork/pokernetworkconfig*

snippet of build.log from development build:
RPM build errors:
    File not found: /var/tmp/poker-network-1.0.33-2.fc7-root-mockbuild/usr/lib/python2.5/site-packages/pokernetwork
    File not found by glob: /var/tmp/poker-network-1.0.33-2.fc7-root-mockbuild/usr/lib/python2.5/site-packages/pokernetwork/__init__*
    File not found by glob: /var/tmp/poker-network-1.0.33-2.fc7-root-mockbuild/usr/lib/python2.5/site-packages/pokernetwork/dispatch*
    File not found by glob: /var/tmp/poker-network-1.0.33-2.fc7-root-mockbuild/usr/lib/python2.5/site-packages/pokernetwork/packets*
    File not found by glob: /var/tmp/poker-network-1.0.33-2.fc7-root-mockbuild/usr/lib/python2.5/site-packages/pokernetwork/pokernetworkconfig*
    File not found by glob: /var/tmp/poker-network-1.0.33-2.fc7-root-mockbuild/usr/lib/python2.5/site-packages/pokernetwork/pokerpackets*


Comment 30 Christopher Stone 2007-01-16 17:40:47 UTC
Ah, this is because your %{python_sitearch} is the same as your
%{python_sitelib}.  This should be fixed now.

Spec URL: http://tkmame.retrogames.com/fedora-extras/poker-network.spec
SRPM URL: http://tkmame.retrogames.com/fedora-extras/poker-network-1.0.33-3.src.rpm

%changelog
* Tue Jan 16 2007 Christopher Stone <chris.stone> 1.0.33-3
- Do not glob removal of files under %%{python_sitearch}
- Change Requires from php to php-bcmath for poker-web


Comment 31 Christopher Stone 2007-01-16 19:31:10 UTC
Got some more clarification on requirements for poker-web package from upstream:

Spec URL: http://tkmame.retrogames.com/fedora-extras/poker-network.spec
SRPM URL: http://tkmame.retrogames.com/fedora-extras/poker-network-1.0.33-4.src.rpm

%changelog
* Tue Jan 16 2007 Christopher Stone <chris.stone> 1.0.33-4
- Add php-mysql and php-gd to Requires for poker-web


Comment 32 Wart 2007-01-19 04:16:53 UTC
poker-bot has 'Requires: poker-client-lib %{version}-%{release}'. 
poker-client-lib is provided by the poker2d package.  This means that you will
have to make sure to update both poker-network and poker2d and keep the release
numbers consistent.  It might be better to drop the %{release} from the
Requires, if that's permissible.

I also get a 404 error when I try to access the poker-web web interface.  This
was after moving the apache.conf from poker-web into the conf.d directory of
apache and restarting apache.

"The requested URL /cgi-bin/php/poker-web/index.php was not found on this server."

Comment 33 Christopher Stone 2007-01-19 18:05:30 UTC
Spec URL: http://tkmame.retrogames.com/fedora-extras/poker-network.spec
SRPM URL: http://tkmame.retrogames.com/fedora-extras/poker-network-1.0.33-5.src.rpm

%changelog
* Fri Jan 19 2007 Christopher Stone <chris.stone> 1.0.33-5
- Remove webclient from poker-web Requires
- Remove %%{release} from poker-client-lib Requires for poker-bot
- Fix init scripts to work for different python releases
- Remove redundant python-twisted-core from BuildRequires

The poker-web interface should be accessible at: http://localhost/poker-web/

Comment 34 Christopher Stone 2007-01-19 23:40:12 UTC
Spec URL: http://tkmame.retrogames.com/fedora-extras/poker-network.spec
SRPM URL: http://tkmame.retrogames.com/fedora-extras/poker-network-1.0.33-6.src.rpm

%changelog
* Fri Jan 19 2007 Christopher Stone <chris.stone> 1.0.33-6
- Add php to poker-web Requires (php-mysql does not pull it in)
- Add patch to fix --disable-poker2d config option
- Use --disable-poker2d option to reduce manually removing some files


Comment 35 Christopher Stone 2007-01-19 23:44:45 UTC
Ooops and one last minute reupload fix:
- Remove no longer needed BuildRequires for poker2d package


Comment 36 Christopher Stone 2007-01-20 01:39:28 UTC
Spec URL: http://tkmame.retrogames.com/fedora-extras/poker-network.spec
SRPM URL: http://tkmame.retrogames.com/fedora-extras/poker-network-1.0.33-7.src.rpm

%changelog
* Sat Jan 20 2007 Christopher Stone <chris.stone> 1.0.33-7
- Create a httpd poker-web.conf file from the .htaccess file
- Remove existing htaccess and apache.conf files
- Add new apache conf to %%files in poker-web
- Make symlink to constants.php relative


Comment 37 Christopher Stone 2007-01-20 20:52:44 UTC
Spec URL: http://tkmame.retrogames.com/fedora-extras/poker-network.spec
SRPM URL: http://tkmame.retrogames.com/fedora-extras/poker-network-1.0.33-8.src.rpm

%changelog
* Sat Jan 20 2007 Christopher Stone <chris.stone> 1.0.33-8
- Readd poker-client-lib package to this spec file
- Readd %%{release} to packages that require poker-client-lib
- Remove manual removal of files since they are all in poker-client-lib
- Update comments on rpmlint errors

Comment 38 Christopher Stone 2007-01-20 23:25:04 UTC
Spec URL: http://tkmame.retrogames.com/fedora-extras/poker-network.spec
SRPM URL: http://tkmame.retrogames.com/fedora-extras/poker-network-1.0.33-9.src.rpm

%changelog
* Sat Jan 20 2007 Christopher Stone <chris.stone> 1.0.33-9
- Fix init scripts, PYTHON_SITELIB substitution macro got lost
- Re-word poker-web README.Fedora file reflecting new changes


Comment 39 Wart 2007-01-21 02:19:36 UTC
I'm having trouble running the poker-server due to a bad mysql password.  Here's
what I've done:

 1. On a fresh box, install Rawhide with the latest updates
 2. Install mysql-server, as well as the poker-server dependencies
 3. Leave the settings in /etc/poker-network/poker.server.xml as the defaults
 3. 'service mysqld start'
 5. 'service poker-server start'
 6. Look in /var/log/poker-server.log

Expected results:

Some sort of 'poker server started' success message

Observed results:

The attached stack trace

I tried using a shorter pokernetwork password in the mysql server, as well as an
empty password, but I get the same results.  I've also tried connecting to the
mysql server as the pokernetwork user, using the password in poker.server.xml,
but that fails as well.

Comment 40 Wart 2007-01-21 02:20:34 UTC
Created attachment 146068 [details]
service startup failure log

Comment 41 Wart 2007-01-21 04:54:15 UTC
Created attachment 146073 [details]
updated init file

New init file that properly detects if poker-server is already running based on
the pid in the pidfile.

Comment 42 Wart 2007-01-21 06:24:18 UTC
Two other issues that I've discovered while trying to run the server:

- Attempting to create a new user account through the poker-web interface fails.
 The web interface returns a cryptic string "type = 121, code = 1, message =",
and attempts to log in using the new account fail.

- If selinux is enabled, then the web interface can't communicate with the
poker-server backend.  From the avc denial message, this appears to be because
the web interface wants to establish a TCP connection to the poker server (port
19382), which is disallowed by the standard httpd policy.

Jan 20 22:20:52 localhost kernel: audit(1169360452.415:4): avc:  denied  {
name_connect } for  pid=2460 comm="httpd" dest=19382
scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0
tclass=tcp_socket
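
Added example (not part of the thread or of the package): a small Python parser for the AVC record quoted in comment 42, showing why a target type of port_t points at an unlabelled port rather than at a missing httpd rule. The type name pokerserver_port_t comes from comment 3; the helper names `parse_avc` and `triage` and the returned field names are assumptions made for this example.

```python
import re

# The denial from comment 42, kept with the line wrapping it has in the thread.
SAMPLE_AVC = """Jan 20 22:20:52 localhost kernel: audit(1169360452.415:4): avc:  denied  {
name_connect } for  pid=2460 comm="httpd" dest=19382
scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0
tclass=tcp_socket"""

AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# port_t is the catch-all type for ports that no policy module has labelled.
GENERIC_PORT_TYPES = {'port_t'}


def parse_avc(raw):
    """Parse one AVC record (possibly line-wrapped) into a dict, or return None."""
    line = ' '.join(raw.split())          # undo mail/bugzilla line wrapping
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {'result': m.group('result'), 'perms': m.group('perms').split()}
    for key, value in FIELD_RE.findall(m.group('fields')):
        rec[key] = value.strip('"')
    for ctx in ('scontext', 'tcontext'):
        # Context layout is user:role:type[:level]; the type drives TE rules.
        parts = rec.get(ctx, '').split(':')
        rec[ctx + '_type'] = parts[2] if len(parts) >= 3 else None
    return rec


def triage(rec, port_type='pokerserver_port_t'):
    """Suggest the narrowest policy change for a denied port connect/bind.

    port_type is the dedicated type a policy module would have to define
    first; without that module the semanage command fails (see comment 3).
    """
    if rec is None or rec['result'] != 'denied':
        return None
    if rec.get('tclass') not in ('tcp_socket', 'udp_socket'):
        return None
    wanted = [p for p in rec['perms'] if p in ('name_connect', 'name_bind')]
    if not wanted:
        return None
    proto = 'tcp' if rec['tclass'] == 'tcp_socket' else 'udp'
    port = rec.get('dest') or rec.get('src')   # connect logs dest=, bind logs src=
    source = rec['scontext_type']
    target = rec['tcontext_type']
    perms = ' '.join(wanted)
    if target in GENERIC_PORT_TYPES:
        # Allowing the source domain on port_t itself would open every
        # unlabelled port to it, so label this one port and allow only that.
        return {
            'finding': 'port %s/%s is unlabelled (%s)' % (port, proto, target),
            'label_cmd': 'semanage port -a -t %s -p %s %s' % (port_type, proto, port),
            'rule': 'allow %s %s:%s %s;' % (source, port_type, rec['tclass'], perms),
        }
    return {
        'finding': 'port %s/%s is already labelled %s' % (port, proto, target),
        'label_cmd': None,
        'rule': 'allow %s %s:%s %s;' % (source, target, rec['tclass'], perms),
    }


if __name__ == '__main__':
    for key, value in sorted(triage(parse_avc(SAMPLE_AVC)).items()):
        print('%-10s %s' % (key, value))
```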


Comment 43 Christopher Stone 2007-01-21 14:17:22 UTC
(In reply to comment #39)
> I'm having trouble running the poker-server due to a bad mysql password.  Here's
> what I've done:
> 
>  1. On a fresh box, install Rawhide with the latest updates
>  2. Install mysql-server, as well as the poker-server dependencies
>  3. Leave the settings in /etc/poker-network/poker.server.xml as the defaults
>  3. 'service mysqld start'
>  5. 'service poker-server start'
>  6. Look in /var/log/poker-server.log
> 
> Expected results:
> 
> Some sort of 'poker server started' success message
> 
> Observed results:
> 
> The attached stack trace
> 
> I tried using a shorter pokernetwork password in the mysql server, as well as an
> empty password, but I get the same results.  I've also tried connecting to the
> mysql server as the pokernetwork user, using the password in poker.server.xml,
> but that fails as well.

Okay, after some digging in the mysql manual I found this:
If you cannot figure out why you get Access denied, remove from the user  table
all entries that have Host values containing wildcards (entries that contain ‘%’
or ‘_’). A very common error is to insert a new entry with Host='%' and
User='some_user', thinking that this allows you to specify localhost to connect
from the same machine. The reason that this does not work is that the default
privileges include an entry with Host='localhost' and User=''. Because that
entry has a Host value 'localhost' that is more specific than '%', it is used in
preference to the new entry when connecting from localhost! The correct
procedure is to insert a second entry with Host='localhost' and
User='some_user', or to delete the entry with Host='localhost' and User=''.
After deleting the entry, remember to issue a FLUSH PRIVILEGES statement to
reload the grant tables.

So to fix this you have to drop all anonymous users in the user table.  I will talk
to upstream about this and see what they suggest.  Might be best to change the
user creation code to use a Host of 'localhost' instead of '%'.
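
Added example (not from the thread, the package, or MySQL itself): a simplified Python model of the account-matching order described in the manual excerpt above, showing how the anonymous `Host='localhost'` row shadows a `Host='%'` account and how either fix from the excerpt resolves it. The user tables are constructed sample data; `match_account` and `shadowed_users` are hypothetical helper names, and the model covers only literal hosts versus wildcard patterns.

```python
import re


def _host_regex(pattern):
    """Translate a MySQL Host pattern ('%' = any run, '_' = one char) to a regex."""
    parts = []
    for ch in pattern:
        if ch == '%':
            parts.append('.*')
        elif ch == '_':
            parts.append('.')
        else:
            parts.append(re.escape(ch))
    return re.compile(''.join(parts) + r'\Z', re.IGNORECASE)


def _specificity(row):
    """Sort key: literal hosts before patterns, named users before anonymous."""
    host, user = row
    host_is_pattern = host == '' or '%' in host or '_' in host
    return (host_is_pattern, user == '')


def match_account(user_table, client_user, client_host):
    """Return the (Host, User) row a login would be checked against.

    The server walks the rows from most to least specific and stops at the
    first one that matches; the password is then checked against that row only.
    """
    for host, user in sorted(user_table, key=_specificity):
        host_ok = _host_regex(host or '%').match(client_host) is not None
        user_ok = user == '' or user == client_user
        if host_ok and user_ok:
            return (host, user)
    return None


def shadowed_users(user_table, client_host):
    """Named users whose login from client_host lands on another account's row."""
    shadowed = {}
    for _, user in user_table:
        if user:
            hit = match_account(user_table, user, client_host)
            if hit is not None and hit[1] != user:
                shadowed[user] = hit
    return shadowed


# Constructed tables as (Host, User) pairs.
# Default install plus the account created with Host='%', as in comment 43.
BROKEN = [('localhost', 'root'), ('localhost', ''), ('%', 'pokernetwork')]
# Fix 1 from the excerpt: add a second, localhost-specific entry.
FIX_ADD_LOCALHOST = BROKEN + [('localhost', 'pokernetwork')]
# Fix 2 from the excerpt: delete the anonymous localhost entry.
FIX_DROP_ANONYMOUS = [row for row in BROKEN if row != ('localhost', '')]

if __name__ == '__main__':
    for name, table in (('broken', BROKEN),
                        ('add localhost row', FIX_ADD_LOCALHOST),
                        ('drop anonymous row', FIX_DROP_ANONYMOUS)):
        print(name, '->', match_account(table, 'pokernetwork', 'localhost'),
              'shadowed:', shadowed_users(table, 'localhost'))
```

`shadowed_users` can be run over a dump of `SELECT Host, User FROM mysql.user` to list accounts that an anonymous row makes unreachable from a given host.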


Comment 44 Christopher Stone 2007-01-21 15:05:10 UTC
Spec URL: http://tkmame.retrogames.com/fedora-extras/poker-network.spec
SRPM URL: http://tkmame.retrogames.com/fedora-extras/poker-network-1.0.33-10.src.rpm

%changelog
* Sun Jan 21 2007 Christopher Stone <chris.stone> 1.0.33-10
- Add better pid file checking in init scripts
- Add FLUSH PRIVILEGES to poker-web README.Fedora
- Add another CREATE USER statement to README.Fedora for localhost
- Add patch to properly create users in pokerdatabase.py


@wart: This version has a patch to create two user entries, one with a Host of
'%' and a second with a host of 'localhost'.  This should fix the localhost
issues, please test.  I've also updated the init scripts with your attached patch.



Comment 45 Christopher Stone 2007-01-21 15:11:27 UTC
(In reply to comment #42)
> Two other issues that I've discovered while trying to run the server:
> 
> - Attempting to create a new user account through the poker-web interface fails.
>  The web interface returns a cryptic string "type = 121, code = 1, message =",
> and attempts to log in using the new account fail.

I cannot reproduce this error here.  Can you try again with the new -10 release
package? And with selinux disabled?  I'll show it to upstream and see if they
have any ideas.


> 
> - If selinux is enabled, then the web interface can't communicate with the
> poker-server backend.  From the avc denial message, this appears to be because
> the web interface wants to establish a TCP connection to the poker server (port
> 19382), which is disallowed by the standard httpd policy.
> 
> Jan 20 22:20:52 localhost kernel: audit(1169360452.415:4): avc:  denied  {
> name_connect } for  pid=2460 comm="httpd" dest=19382
> scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0
> tclass=tcp_socket
> 

From the poker-server README.Fedora file:

poker-server uses the following IP ports:
19380 default
19381 is for SSL
19382 is for XMLRPC
18383 is for XMLRPC over SSL

So, do we need to add selinux policy rules for these ports?  In my initial
release I had something in the init scripts which I copied from one of your
packages, but it was insufficient because you need to make a policy file too
which I do not know how to do.  Should I try to contact some selinux guys to try
and fix this for me?

Comment 46 Wart 2007-01-21 19:28:45 UTC
Created attachment 146095 [details]
error log from poker-bot

/var/log/poker-bot.log containing error messages after starting poker-bot.

Comment 47 Wart 2007-01-21 19:31:14 UTC
(In reply to comment #45)
> (In reply to comment #42)
> > Two other issues that I've discovered while trying to run the server:
> > 
> > - Attempting to create a new user account through the poker-web interface fails.
> >  The web interface returns a cryptic string "type = 121, code = 1, message =",
> > and attempts to log in using the new account fail.
> 
> I cannot reproduce this error here.  Can you try again with the new -10 release
> package? And with selinux disabled?  I'll show it to upstream and see if they
> have any ideas.

Problem found:  There is a minimum limit of 5 characters for usernames.  This
error should be reported more clearly in the web interface.

> > - If selinux is enabled, then the web interface can't communicate with the
> > poker-server backend.  From the avc denial message, this appears to be because
> > the web interface wants to establish a TCP connection to the poker server (port
> > 19382), which is disallowed by the standard httpd policy.
> > 
> > Jan 20 22:20:52 localhost kernel: audit(1169360452.415:4): avc:  denied  {
> > name_connect } for  pid=2460 comm="httpd" dest=19382
> > scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0
> > tclass=tcp_socket
> > 
> 
> From the poker-server README.Fedora file:
> 
> poker-server uses the following IP ports:
> 19380 default
> 19381 is for SSL
> 19382 is for XMLRPC
> 18383 is for XMLRPC over SSL
> 
> So, do we need to add selinux policy rules for these ports?  In my initial
> release I had something in the init scripts which I copied from one of your
> packages, but it was insufficient because you need to make a policy file too
> which I do not know how to do.  Should I try to contact some selinux guys to try
> and fix this for me?

I've passed this along to the fedora-selinux-list to ask for suggestions.

Comment 48 Wart 2007-01-22 02:35:38 UTC
GOOD
====
* rpmlint output:
E: poker-network no-binary
  - poker-network is a library used by poker-server and others.  The
    lack of a binary is not an error.
E: poker-server non-readable /etc/poker-network/poker.server.xml 0600
  - This file contains passwords for the server.  It must have these
    permissions.
E: poker-network-debuginfo empty-debuginfo-package
  - This should go away once the package becomes noarch (see MUSTFIX)

* Source matches upstream
  18538c17d8ab9796bd6cda846076a398c5f152a0  poker-network-1.0.33.tar.gz
* package and spec file named appropriately
* GPL license ok, license file included
* spec file legible and in Am. English
* Compiles and builds on FC6-i386, FC6-x86_64, FC7-i386, FC7-x86_64.
  Fails to build on FC-5 due to missing python-twisted-web
* BR: look sane
* File contents look ok
* No locales (removed during install)
* No static or shared libs
* Not relocatable
* Directory ownership ok
* Duplicate license file in %files lists for subpackages, but I don't consider
  this a problem. 
* No need for -doc subpackage
* %doc doesn't appear to be needed at runtime.
* No .desktop file needed
* Packages run on FC7-i386 (other platforms/arch not tested)

MUSTFIX
=======
* Upstream bug #1454 that will allow this to be a noarch package.
* Create a 'poker' user for running the server for better security
* /usr/share/doc/poker-network-1.0.33/NIHPHOBIA is cute, but not really
  necessary, is it?
* Don't use %{version} in the patch filenames.  The version in a patch
  filename is supposed to reflect the package version when the patch
  was first introduced, not the current package version.

SHOULD
======
* Add selinux policies to poker-server for better security
* Patch tests/Makefile.in and configure in poker-network-1.0.33-config.patch
  so that you don't have to call 'autoreconf' during %build.  Hopefully
  upstream will adopt this patch in a new release so that it becomes a
  moot point.
* Use %{_initrddir} instead of %{_sysconfdir}/init.d
* Use double quotes around the sed regsub pattern to avoid potential
  problems if %{python_sitelib} were to ever contain a space.

NOTES and Questions
===================
* poker-network and poker2d (BZ #222612) use the same upstream source
  tarball, but different spec files.  My understanding is that this is
  so that poker-network can be marked as 'noarch', while poker2d will contain
  arch-specific bits.  As far as I am aware, there are no problems
  using the same source file for two different spec files, aside from
  duplication in the resulting srpm.
* Why does the package contain a x509 certificate for 'webmaster@localhost'?


Comment 49 Wart 2007-01-22 02:41:23 UTC
One more SHOULD item:
* Document the dependency of the currency type on the server url in
  poker.bot.xml.  This seems to be a common source of confusion.

Comment 50 Wart 2007-01-24 04:12:41 UTC
I finally got selinux policies building in Rawhide again, and started looking at
a policy for poker-server.  In the init script, you invoke the service by
invoking python with the script as an argument.  In order to make selinux work
with this, you should include a small wrapper script that does the same thing,
and invoke this wrapper script from the init script.  Something like:

$ cat /usr/bin/poker-server
#!/bin/sh

# Pass every argument from the init script through to twistd unchanged.
/usr/bin/python /usr/bin/twistd --python \
    /usr/lib/python2.5/site-packages/pokernetwork/pokerserver.py ${1+"$@"}

And then in the init script, invoke the script as:

/usr/bin/poker-server \
        --pidfile=${pidfile} \
        --logfile=${logfile} --quiet ${opt_args} \
        --reactor=${reactor}

This will allow the wrapper script to be labelled as pokerd_exec_t, whereas in
the current setup, python itself must be labelled as pokerd_exec_t in order to
execute in the proper domain.

Comment 51 Christopher Stone 2007-01-24 22:09:33 UTC
Spec URL: http://tkmame.retrogames.com/fedora-extras/poker-network.spec
SRPM URL: http://tkmame.retrogames.com/fedora-extras/poker-network-1.0.34-1.src.rpm

%changelog
* Wed Jan 24 2007 Christopher Stone <chris.stone> 1.0.34-1
- Upstream sync
- Add a wrapper script for init files to help SElinux
- invoke wrapper script using daemon --user=POKER_USER
- add sed command to fill in POKER_USER in init files
- remove old config patch which is fixed in this release
- add new config patch to configure as noarch package
- comment out make check in spec
- Remove adduser call in %%pre and use userid of games instead

* Mon Jan 22 2007 Christopher Stone <chris.stone> 1.0.33-11
- Remove poker-server and poker-web Requires from poker-bot
- Remove NIHPHOBIA from %%doc
- Remove %%{version} from patch names
- Replace %%{_sysconfdir}/init.d with %%{_initrddir}
- Document relation between currency and URL in poker-web/README.Fedora
- Add a poker-bot/README.Fedora file for explaining cash-in URLs
- Change permissions on poker.server.xml to readable
- Add permission changing to instructions in poker-server/README.Fedora
- Add creation of %%{poker_user} user id to run poker-server
- Create a directory for poker-server log files
- Add poker-server run and log directories to poker-server %%files
- Change ownership of poker-server run/log directories to %%{poker_user}

Comment 52 Christopher Stone 2007-01-24 22:16:07 UTC
NOTE: service poker-server status does not work.  No matter what I try.  I think
we have to write our own status function for this, what do you think?

Comment 53 Christopher Stone 2007-01-24 22:21:57 UTC
> MUSTFIX
> =======
> * Upstream bug #1454 that will allow this to be a noarch package.

Should be fixed.

> * Create a 'poker' user for running the server for better security

I used user "games" instead.

> * /usr/share/doc/poker-network-1.0.33/NIHPHOBIA is cute, but not really
>   necessary, is it?

Removed.

> * Don't use %{version} in the patch filenames.  The version in a patch
>   filename is supposed to reflect the package version when the patch
>   was first introduced, not the current package version.

Fixed.

> 
> SHOULD
> ======
> * Add selinux policies to poker-server for better security

Need help from you on this.

> * Patch tests/Makefile.in and configure in poker-network-1.0.33-config.patch
>   so that you don't have to call 'autoreconf' during %build.  Hopefully
>   upstream will adopt this patch in a new release so that it becomes a
>   moot point.

They will, not sure it's worth the effort since the patch will be in the next
release.

> * Use %{_initrddir} instead of %{_sysconfdir}/init.d

Done.

> * Use double quotes around the sed regsub pattern to avoid potential
>   problems if %{python_sitelib} were to ever contain a space.

There already are double quotes around this path in the init file.

> 
> NOTES and Questions
> ===================
> * poker-network and poker2d (BZ #222612) use the same upstream source
>   tarball, but different spec files.  My understanding is that this is
>   so that poker-network can be marked as 'noarch', while poker2d will contain
>   arch-specific bits.  As far as I am aware, there are no problems
>   using the same source file for two different spec files, aside from
>   duplication in the resulting srpm.

No, the packages are separated because they need to use different %configure
options.  The fact that it allows us to make one package noarch is a beneficial
side-effect.

> * Why does the package contain a x509 certificate for 'webmaster@localhost'?
> 

09:38:57       XulChris | dachary: reviewer wants to know: "Why does the package
contain a x509 certificate for 'webmaster@localhost'?"
09:38:57        dachary |  :-)
09:39:12        dachary |  for the SSL conx to the poker server
09:39:46       XulChris | dachary: i dont know anything about x509 certificates,
but what if you dont have a webmaster user name or use "localhost"?
09:40:12        dachary |  it's a self signed certificate
09:40:21        dachary |  the email does not matter much
09:40:33       XulChris | so its nothing i have to generate at build time then?
09:40:41        dachary |  it's a place holder that must be replaced if you're
serious about security
09:40:47        dachary |  no


Comment 54 Wart 2007-01-24 23:29:20 UTC
(In reply to comment #53)
> > MUSTFIX
> > * Create a 'poker' user for running the server for better security
> 
> I used user "games" instead.

Better to use a custom user account and not the overloaded 'games' account. 
This helps prevent a security breach from one game using the 'games' account
from compromising other games using the 'games' account.  This will require
using 'useradd' in the %pre scriptlet.

> > * Add selinux policies to poker-server for better security
> 
> Need help from you on this.

I'm working on it...

> > * Use double quotes around the sed regsub pattern to avoid potential
> >   problems if %{python_sitelib} were to ever contain a space.
> 
> There already are double quotes around this path in the init file.

But the sed command itself would fail if %{python_sitelib} contained a space,
unless you surround the regsub pattern with double-quotes.

> > NOTES and Questions
> > ===================
> > * Why does the package contain a x509 certificate for 'webmaster@localhost'?
> > 
> 
> 09:38:57       XulChris | dachary: reviewer wants to know: "Why does the package
> contain a x509 certificate for 'webmaster@localhost'?"
> 09:38:57        dachary |  :-)
> 09:39:12        dachary |  for the SSL conx to the poker server
> 09:39:46       XulChris | dachary: i dont know anything about x509 certificates,
> but what if you dont have a webmaster user name or use "localhost"?
> 09:40:12        dachary |  it's a self signed certificate
> 09:40:21        dachary |  the email does not matter much
> 09:40:33       XulChris | so its nothing i have to generate at build time then?
> 09:40:41        dachary |  it's a place holder that must be replaced if you're
> serious about security
> 09:40:47        dachary |  no

I suspected it was something like this.  poker-server admins should be aware
that using the default x509 cert provides no security at all, since everyone has
access to the certificate's private key.  Please document this in README.Fedora.
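
The sed quoting point from comment 54, shown as an added shell example that is not taken from the package's spec file. The `@SITELIB@` token, the template line and the path containing a space are constructed for illustration, and the replacement-escaping helper goes one step beyond the quoting fix discussed in the thread.

```shell
#!/bin/sh
# Added illustration, not the package's spec file. @SITELIB@ and the
# template line are constructed stand-ins for the init-file template and
# for the expanded %{python_sitelib}.
TEMPLATE='python "@SITELIB@/pokernetwork/pokerserver.py"'

# Unquoted expression: the shell word-splits the expanded path, so sed is
# handed 's|@SITELIB@|/usr/lib/python' as its script and exits non-zero.
substitute_unquoted() {
    printf '%s\n' "$TEMPLATE" | sed -e s\|@SITELIB@\|$1\|g 2>/dev/null
}

# Escape the characters that are special in a sed replacement when '|' is
# the delimiter: backslash, '&' (the whole match) and '|' itself.
escape_replacement() {
    printf '%s' "$1" | sed -e 's/[\\&|]/\\&/g'
}

# Quoted expression: the whole s-command reaches sed as one argument.
substitute_quoted() {
    printf '%s\n' "$TEMPLATE" |
        sed -e "s|@SITELIB@|$(escape_replacement "$1")|g"
}

SITELIB='/usr/lib/python 2.5/site-packages'   # constructed: contains a space
substitute_unquoted "$SITELIB" || echo "unquoted: sed rejected the expression"
substitute_quoted "$SITELIB"
```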

Comment 55 Christopher Stone 2007-01-25 00:11:41 UTC
Spec URL: http://tkmame.retrogames.com/fedora-extras/poker-network.spec
SRPM URL: http://tkmame.retrogames.com/fedora-extras/poker-network-1.0.34-2.src.rpm

%changelog
* Wed Jan 24 2007 Christopher Stone <chris.stone> 1.0.34-2
- Write own status function using isrunning to poker-server/bot init
- Fix some errors in init files
- Change %%{poker_user} from games to poker
- Add useradd call in %%pre for poker-server
- Add note in poker-server README about x509 certificate
- Add quotes around sed expression


Comment 56 Christopher Stone 2007-01-27 03:26:24 UTC
Spec URL: http://tkmame.retrogames.com/fedora-extras/poker-network.spec
SRPM URL: http://tkmame.retrogames.com/fedora-extras/poker-network-1.0.34-3.src.rpm

%changelog
* Fri Jan 26 2007 Christopher Stone <chris.stone> 1.0.34-3
- Use %%{name} where poker-network is found in spec
- Keep poker.server.xml 0600 and update Fedora.README accordingly
- Remove poker-network-init selinux wrapper script
- Create poker-server-selinux and poker-bot-selinux wrapper scripts
- Create poker-server-selinux and poker-bot-selinux sub-packages
- Add sed substitutions to selinux wrapper scripts
- Modify init scripts to check for selinux wrapper script
- Change "mkdir -p" instances to "install -d"


Comment 57 Paul Howarth 2007-01-27 09:09:05 UTC
Is it really worth having separate selinux subpackages for poker-server and
poker-bot? What's the advantage of this approach rather than a combined package
that handles both?

Comment 58 Christopher Stone 2007-01-27 16:43:07 UTC
The selinux stuff is in a state of flux right now as wart and I implement it.  I
added both a poker-network and poker-bot selinux subpackage for consistency.  I
planned to ask wart if this was necessary, but I have not had the chance to ask
him yet.

Comment 59 Wart 2007-01-27 18:22:23 UTC
We've discussed this a bit on IRC, and I think I've found a reasonable solution.
 One selinux subpackage will be needed (poker-selinux), and it will contain only
the selinux policy files, not the wrapper scripts.  poker-selinux will not need
'Requires: poker-server'.

Since the wrapper scripts are generic enough to be used when selinux is enabled
or disabled, there doesn't need to be a conditional in the init script to call
them if they are present.  The wrapper scripts can safely move to the
corresponding poker-bot and poker-server subpackages.

poker-web requires the selinux policies in order to function, since it requires
giving permission to httpd to connect to the pokerd_port_t ports.  So poker-web
will need "Requires: poker-selinux".  If poker-web is installed with
poker-server and/or poker-bot, this will enforce selinux protection on those two
packages as well.  The protection for poker-bot/poker-server can be disabled,
however, by using 'setsebool pokerd_disable_trans on' without affecting the
selinux rules needed for poker-web.  But if poker-server/poker-bot are installed
without poker-web, then the selinux protection is only available if the admin
installs poker-selinux manually.

I'm testing out these changes now and will attach updates for the spec file and
init scripts when ready.

Comment 60 Wart 2007-01-27 23:45:50 UTC
Created attachment 146755 [details]
selinux file updates

The attached tarball contains the selinux policy files and the corresponding
changes to the init scripts and spec file.

Comment 61 Paul Howarth 2007-01-29 11:52:09 UTC
The dependency of poker-web on poker-selinux is debatable. Many people, for
reasons best known to themselves, run web servers with SELinux disabled or in
permissive mode. For these people, it's not necessary to have poker-selinux in
order for poker-web to work.

So the alternatives are either:
1. Include the dependency (the status quo) and possibly pull in lots of
additional packages (potentially the whole SELinux ecosystem on a system not
currently using SELinux).
2. Omit the dependency and possibly confuse users that don't know about the
-selinux subpackage. I know that this can happen despite the inclusion of a
README.SELinux file in a main package that explains about installing the
-selinux subpackage, even from experienced people that really should know better
(I maintain the mod_fcgid package in Extras, which has a -selinux subpackage
that is not a hard dependency).

A decision for the maintainer I think; just be aware of the pros and cons each way.

Comment 62 Wart 2007-01-31 04:32:06 UTC
I think the best solution would be to move the selinux policy into the reference
policy, and use a boolean to enable/disable the http-can-talk-to-pokerd bits. 
Until then, I guess the maintainer can choose to add the Requires or not.

Comment 63 Paul Howarth 2007-01-31 08:14:48 UTC
(In reply to comment #62)
> I think the best solution would be to move the selinux policy into the reference
> policy, and use a boolean to enable/disable the http-can-talk-to-pokerd bits. 
> Until then, I guess the maintainer can choose to add the Requires or not.

Agree 100%

Comment 64 Christopher Stone 2007-02-14 06:59:20 UTC
Spec URL: http://tkmame.retrogames.com/fedora-extras/poker-network.spec
SRPM URL: http://tkmame.retrogames.com/fedora-extras/poker-network-1.0.35-1.src.rpm

%changelog
* Tue Feb 13 2007 Christopher Stone <chris.stone> 1.0.35-1
- Upstream sync
- Add selinux changes from wart
- Remove patches applied upstream

I have no idea what it means to "move the selinux policy into the reference
policy, and use a boolean to enable/disable the http-can-talk-to-pokerd bits." 
However, I don't like the idea of requiring something that isn't technically
necessary, so I left out the requires of the selinux package for poker-web.


Comment 65 Wart 2007-02-18 17:56:29 UTC
* Source still matches upstream
* rpmlint warnings, all of which are safe to ignore:
E: poker-server non-standard-uid /var/run/poker-network poker
E: poker-server non-standard-uid /etc/poker-network/poker.server.xml poker
E: poker-server non-standard-uid /var/log/poker-network poker
   - non-standard users are recommended for game servers.  Safe to ignore.
E: poker-server non-readable /etc/poker-network/poker.server.xml 0600
   - Contains database password.  Must be read-restricted.
W: poker-server log-files-without-logrotate /var/log/poker-network
   - Application rotates its own log files

All other MUSTFIX and SHOULD items fixed.

I had to modify the selinux policy slightly to get it to work.  Feel free to
update the policy file before importing.

APPROVED
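
A post-install check for the two rpmlint findings accepted in comment 65 (mode 0600 and the dedicated 'poker' owner on poker.server.xml), added here as an example and not part of the package or the review. It assumes GNU coreutils `stat`, and `check_secret_file` is a hypothetical helper name.

```shell
#!/bin/sh
# Added illustration: verify that a config file holding a password is mode
# 0600 and owned by the dedicated service account, as the review requires
# for /etc/poker-network/poker.server.xml (owner 'poker').
# Assumes GNU coreutils stat; check_secret_file is a hypothetical helper.

# usage: check_secret_file FILE EXPECTED_OWNER
# returns 0 if compliant, 1 on a finding, 2 if the file cannot be examined
check_secret_file() {
    file=$1
    want_owner=$2
    # Refuse symlinks: stat would report the link, not the file it points to.
    if [ ! -f "$file" ] || [ -L "$file" ]; then
        echo "$file: not a regular file" >&2
        return 2
    fi
    mode=$(stat -c '%a' "$file") || return 2
    owner=$(stat -c '%U' "$file") || return 2
    rc=0
    if [ "$mode" != 600 ]; then
        echo "$file: mode $mode, expected 600" >&2
        rc=1
    fi
    if [ "$owner" != "$want_owner" ]; then
        echo "$file: owner $owner, expected $want_owner" >&2
        rc=1
    fi
    return $rc
}

# Run as: sh check.sh /etc/poker-network/poker.server.xml poker
if [ "$#" -eq 2 ]; then
    check_secret_file "$1" "$2"
fi
```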


Comment 66 Wart 2007-02-18 17:57:41 UTC
Created attachment 148298 [details]
updated policy file

Updated policy file to allow poker-bot to connect to the poker-web interface.

Comment 67 Christopher Stone 2007-02-20 03:06:03 UTC
Imported and built on FC-5/6/7.  Thanks to everyone who helped out in this review!