If SELinux is active on the server that runs your TeamForge site, configure it to allow the services that TeamForge requires.
In case of same hardware upgrade using RHEL/CentOS, it is recommended to upgrade the OS to RHEL/CentOS 7.5 or later versions.

Log on as root or use a root shell while setting up SELinux.

TeamForge SELinux Policies

TeamForge implements SELinux policies for most of its services such as JBoss, Apache, ETL, Tomcat and so on. However, you can use these instructions to revert these policies (not recommended) if required.

Here’s a list of SELinux modules that are implemented (use the semodule -l|grep tf_ command to see the list of TeamForge SELinux modules):

  • tf_apache
  • tf_branding
  • tf_cvs
  • tf_daemon-base
  • tf_etl
  • tf_integration-base
  • tf_jboss
  • tf_phoenix
  • tf_postgresql
  • tf_runtime-base
  • tf_subversion
  • tf_tomcat

While you can revert these policies, you can contact CollabNet Support to get help in fixing the issue with TeamForge SELinux policies.

  • To Revert the TeamForge SELinux Policies: 
    /opt/collabnet/teamforge/runtime/scripts/fix_data_selinux_permissions.sh
  • If JBoss is using agents such as takipi, run the following command to apply selinux context for the takipi agent: 
    semanage fcontext --add -t tf_jboss_rw_t '/opt/takipi(/.*)?'
restorecon -R /opt/takipi

Do This If SELinux Is disabled

Verify SELinux mode using getenforce command. Do this if you have SELinux running in disabled mode.

  1. Stop TeamForge.

    • If you are upgarding from TeamForge 16.7 or earlier releases: 
      /etc/init.d/collabnet stop
    • If you are upgrading from TeamForge 16.10, 17.1, or 17.4 releases: 
      /opt/collabnet/teamforge/bin/teamforge stop
    • If you are upgrading from TeamForge 17.8 or later releases: 
      teamforge stop
  2. Edit the file /etc/sysconfig/selinux and set SELINUX=enforcing.
  3. Turn off TeamForge startup on boot. 
    chkconfig collabnet off
  4. Reboot the server and verify if SELInux is set to enforcing mode. 
    getenforce
  5. Turn on TeamForge startup on boot. 
    chkconfig collabnet on
  6. Apply TeamForge SELinux policies. 
    teamforge apply-selinux
  7. Provision services. 
    teamforge provision

Do This If SELinux Is permissive

Verify SELinux mode using getenforce command. Do this if you have SELinux running in permissive mode.

  1. Set SELinux to run in enforcing mode again. 
    setenforce 1
  2. Restart TeamForge. 
    teamforge restart

[]:

Tags for this page: installation upgrade selinux security