Getting Confluence to work with SELinux

If you’ve ever administered the enterprise collaboration software/wiki known as “Confluence” then you have most likely encountered its issues with having SELinux enabled on the same machine. The documentation on the Confluence website points to completely disabling SELinux when installing Confluence and offers no remedies otherwise.

Well, for some of us this simply is not an option. After much debugging, log monitoring, tinkering, etc… last night I found the method to get SELinux to play nice with Confluence. So I thought I would share the steps for all those out there looking to do the same:

ASSUMPTIONS (This is based on the configuration I was working with, yours may differ):

  1. The auditd service is running to capture SELinux messages to audit.log
  2. SELinux is in “enforcing” mode and the filesystem is labeled properly.
  3. The default SELinux policy has been applied and no additional policies applied as of yet.
  4. Confluence is currently shut down.

STEPS:

1. Turn the following SELinux booleans on with setsebool, using -P so the change is written to the policy store and survives a reboot (for example: setsebool -P httpd_can_network_connect 1):

  • httpd_can_network_connect
  • httpd_can_network_connect_db
  • allow_execmem
  • allow_execstack
  • allow_java_execstack
  • allow_unconfined_execmem_dyntrans

Note that allow_execmem, allow_execstack and allow_java_execstack relax the executable-memory and executable-stack checks for every process in the affected domains, not only Confluence. The Java JIT genuinely needs execmem, but check which of these are actually required on your system before turning them on, and check which names exist: getsebool -a | grep exec shows the current state, and boolean names differ between policy versions.

2. Create a custom SELinux module with the following code:

#=== BEGIN MODULE CONFIGURATION ===

module confluence 1.0;

require {
    type unconfined_t;
    type mysqld_t;
    type file_t;
    type httpd_t;
    type system_mail_t;
    type unlabeled_t;
    type procmail_t;
    class process { execstack execmem };
    class file { execute read getattr execute_no_trans ioctl append };
    class association { recvfrom sendto };
    class dir search;
    class lnk_file read;
}

# file_t is the type of files that carry no SELinux label at all. If these
# three rules are needed, the Confluence install directory was never labeled;
# running restorecon -R on it is the cleaner fix and makes them unnecessary.
allow httpd_t file_t:dir search;
allow httpd_t file_t:file { read getattr execute ioctl append };
allow httpd_t file_t:lnk_file read;

# Network associations whose peer carries no label
allow httpd_t unlabeled_t:association recvfrom;
allow mysqld_t unlabeled_t:association { recvfrom sendto };
allow procmail_t unlabeled_t:association sendto;
allow system_mail_t unlabeled_t:association sendto;

# The Java JIT needs memory that is both writable and executable
allow unconfined_t self:process execmem;

#=== END CONFIGURATION ===

3. Create the module and package it using the following commands (assumption: you stored the code above in a file named confluence.te):

checkmodule -M -m -o confluence.mod confluence.te

semodule_package -o confluence.pp -m confluence.mod

4. If no errors were reported above then install the module using the semodule command like so:

semodule -i confluence.pp

Voilà! You should now be able to start up your Confluence instance without any SELinux denials.

If however you are still encountering errors then what I suggest is tailing the log file (/var/log/audit/audit.log) and verifying where the denials are happening. You can also use the ‘audit2allow’ tool to automatically build a module that allows every denial that has occurred since the last policy reload. Read what it generates before installing it: audit2allow allows exactly what was denied, so a denial caused by a mislabeled file (target type file_t, for instance) becomes a permanent allow rule when restorecon on that file was the right fix.

Here are the steps to performing those actions:

1. First check what audit2allow would allow (this command displays the rules it would generate; the -l option limits it to denials logged since the last policy reload, so you only see what the module you just installed did not cover):

audit2allow -i /var/log/audit/audit.log -l

2. Automatically generate the module from the denials shown in the previous step (this writes mypolicies.te, which you can review, alongside the packaged mypolicies.pp):

audit2allow -M mypolicies -i /var/log/audit/audit.log

3. Install the newly generated module:

semodule -i mypolicies.pp
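As an added example (not from the original post), here is a small POSIX shell toolkit for the two procedures above: install_confluence_policy runs steps 1 through 4 with a check after each one, and avc_summary, labeling_problems and allow_rules triage the denials in audit.log before anything is handed to audit2allow. The function names are mine; the audit lines in SAMPLE_LOG are constructed for the demo (pids, inodes and addresses are placeholders); install_confluence_policy needs root plus the policycoreutils tools and is not run by the demo at the bottom.

```shell
#!/bin/sh
# Added example (not part of the original post): helpers for the SELinux
# procedure above. install_confluence_policy performs steps 1-4 and checks
# each one; avc_summary, labeling_problems and allow_rules triage AVC
# denials before they are fed to audit2allow. SAMPLE_LOG is a constructed
# audit.log excerpt (pids, inodes and addresses are placeholders).

# Booleans from step 1 of the post. -P makes them persist across reboots.
CONFLUENCE_BOOLEANS="httpd_can_network_connect httpd_can_network_connect_db
allow_execmem allow_execstack allow_java_execstack allow_unconfined_execmem_dyntrans"

# install_confluence_policy confluence.te: steps 1-4, stopping at the first
# step that does not verify. Needs root and policycoreutils; not run below.
install_confluence_policy() {
    te="$1"
    mod="${te%.te}"
    for b in $CONFLUENCE_BOOLEANS; do
        setsebool -P "$b" 1 || return 1
        # getsebool prints "<name> --> on" once the change has taken effect
        getsebool "$b" | grep -q -e '--> on$' || { echo "$b is not on" >&2; return 1; }
    done
    checkmodule -M -m -o "$mod.mod" "$te" || return 1
    semodule_package -o "$mod.pp" -m "$mod.mod" || return 1
    semodule -i "$mod.pp" || return 1
    # semodule -l lists loaded modules by name; confirm ours is among them
    semodule -l | grep -q "^$(basename "$mod")" || { echo "module not loaded" >&2; return 1; }
}

# Constructed audit.log excerpt, in the form `ausearch -m avc` prints.
SAMPLE_LOG=$(cat <<'EOF'
type=AVC msg=audit(1300000001.123:42): avc:  denied  { search } for  pid=2001 comm="java" name="confluence" dev=sda3 ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=AVC msg=audit(1300000001.456:43): avc:  denied  { read getattr } for  pid=2001 comm="java" name="confluence.cfg.xml" dev=sda3 ino=12346 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
type=AVC msg=audit(1300000002.789:44): avc:  denied  { execmem } for  pid=2001 comm="java" scontext=system_u:system_r:unconfined_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1300000002.789:44): arch=c000003e syscall=10 success=no exit=-13 pid=2001 comm="java" exe="/usr/bin/java" subj=system_u:system_r:unconfined_t:s0 key=(null)
type=AVC msg=audit(1300000003.001:45): avc:  denied  { recvfrom } for  pid=2001 comm="java" saddr=10.0.0.5 src=3306 daddr=10.0.0.7 dest=45000 netif=eth0 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=association
EOF
)

# avc_summary: stdin (audit lines) -> unique "<source type> <target type>
# <class> <perms>" lines. Works with and without the trailing MLS field.
avc_summary() {
    sed -n 's/.*avc: *denied *{ \([^}]*\) }.*scontext=[^:]*:[^:]*:\([^: ]*\).*tcontext=[^:]*:[^:]*:\([^: ]*\).*tclass=\([^ ]*\).*/\2 \3 \4 \1/p' \
        | LC_ALL=C sort -u
}

# labeling_problems: stdin -> names of objects denied because they are
# file_t, i.e. carry no label. Fix these with restorecon, not an allow rule.
labeling_problems() {
    sed -n '/avc: *denied.*tcontext=[^ ]*:file_t[: ]/s/.*name="\([^"]*\)".*/\1/p' \
        | LC_ALL=C sort -u
}

# allow_rules: stdin -> the allow rules audit2allow would write for the
# remaining denials, in the same form as confluence.te above.
allow_rules() {
    avc_summary | while read -r src tgt cls perms; do
        [ "$tgt" = file_t ] && continue        # relabel instead of allowing
        [ "$src" = "$tgt" ] && tgt=self
        echo "allow $src $tgt:$cls { $perms };"
    done
}

# Demo on the constructed log. On a live host pipe in:
#   ausearch -m avc -ts recent | avc_summary
printf '%s\n' "$SAMPLE_LOG" | avc_summary
printf '%s\n' "$SAMPLE_LOG" | labeling_problems
printf '%s\n' "$SAMPLE_LOG" | allow_rules
```

On the sample, avc_summary reduces five audit records to four distinct denials, labeling_problems singles out the two file_t objects that need restorecon rather than policy, and allow_rules prints only the two rules worth carrying into a module (the association and execmem ones), mapping a same-type source and target to self exactly as the hand-written module does.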

Hope this helps everyone out there who was stuck like I once was!