On Mon, Oct 10, 2016 at 6:57 PM, Josh Berkus <josh@agliodbs.com> wrote:
On 10/10/2016 03:36 AM, Magnus Hagander wrote: > > > On Mon, Oct 10, 2016 at 2:26 AM, Josh Berkus <josh@agliodbs.com > <mailto:josh@agliodbs.com>> wrote: > > On 10/09/2016 04:36 PM, Josh Berkus wrote: > > I'll confirm here that the Web version doesn't work either from the > > Fedora packages. In the case of the web version, this appears to be > > because of confusion between Python2 and Python3 dependencies. > > Leaving out the SQLite bug (see other thread), here's the issues with > the Fedora24 packages: > > 1. if the user intends to use pgadmin4-web with httpd, then the user > needs to install httpd and python3-mod_wsgi packages (or mod_wsgi on > CentOS and RHEL). > > 2. the packages need to create the directory /usr/share/httpd/.pgadmin, > and add the SELinux label so that apache can write to it:
> chcon -R -t httpd_sys_rw_content_t /usr/share/httpd/.pgadmin > > The latter is going to be hard to do if you want the pgadmin4 app to > continue to be independant of httpd (for example, to allow install with > nginx). > > > Wouldn't it be better to make it put the files somewhere under > /var/lib/pgadmin? Seems like a more reasonable location for server-side > pgadmin. And upstream might want to make that "easily modifiable by > packagers" so it can be adapter to whatever distro it's being packaged > on? Surely it's wrong to store metadata file in /usr/share...
.pgadmin dir is getting written to $WEBHOME, which is why it's in /usr/share/httpd on Fedora. On debian it's presumably in /srv/www/.
Eh, that's definitely not the place on Debian :)
That said, it still seems like the wrong place to put the file. I realize why it ends up there. I'm saying it shouldn't be there.
/usr/ is supposed to be read-only.
And you'd need the SELinux perms even if it was in /var/lib/, because of the nologin status of the Apache user.
Yes, but /var/lib is supposed to be for persistant data modified by programs. That's a reasonable location for it, and thus it's reasonable to unlock it with selinux policy.