Set up SELinux

If SELinux is active on the server that runs your TeamForge site, configure it to allow the services that TeamForge requires.

In case of same hardware upgrade using RHEL/CentOS, it is recommended to upgrade the OS to RHEL/CentOS 7.3 or later versions.
Attention: Installing or upgrading TeamForge needs root privileges. You must log on as root or use a root shell to install or upgrade TeamForge.
  1. Verify SELinux mode using "getenforce" command. Do this if you have SELinux running in "disabled" mode:
    1. Stop TeamForge.
      Note: Stop TeamForge on all the servers in a distributed setup.
      • teamforge stop
    2. Edit the file /etc/sysconfig/selinux and set SELINUX=enforcing.
    3. Turn off TeamForge startup on boot.
      • chkconfig collabnet off
    4. Reboot the server and verify if SELInux is set to "enforcing" mode.
      • getenforce
    5. Run the grep command to get the value of rb_dir and rb_data_dir.
      • grep rb_dir /etc/reviewboard.properties
      • grep rb_data_dir /etc/reviewboard.properties
    6. Run the following commands if Review Board is integrated with TeamForge.
      • semanage fcontext -a -t httpd_sys_rw_content_t "<rb_data_dir>(/.*)?"
      • restorecon -R -v <rb_data_dir>
      • semanage fcontext -a -t httpd_sys_rw_content_t "<rb_dir>(/.*)?"
      • restorecon -R -v <rb_dir>
      • semanage fcontext -a -t httpd_sys_rw_content_t "/opt/collabnet/teamforge/var/home/apache(/.*)?"
      • restorecon -R -v /opt/collabnet/teamforge/var/home/apache
    7. Before deploying services, remove pdk-root and pdk-sf-admin directories.
      • rm -rf /tmp/pdk-root
      • rm -rf /tmp/pdk-sf-admin
    8. Turn on TeamForge startup on boot.
      • chkconfig collabnet on
    9. Run the following command to switch SELinux to 'permissive' mode.
      • setenforce 0
    10. Provision services.
      • teamforge provision
      Note:

      TeamForge 17.4 (and later) installer expects the system locale to be LANG=en_US.UTF-8. TeamForge "provision" command fails otherwise.

    11. Start TeamForge.
      • teamforge start
    12. Run the following command to switch SELinux to 'enforcing' mode.
      • setenforce 1
  2. Verify SELinux mode using "getenforce" command. Do this if you have SELinux running in "permissive" mode:
    1. Set SELinux to run in "enforcing" mode again.
      • setenforce 1
    2. Run the grep command to get the value of httpd_user and httpd_group.
      • grep rb_dir /etc/reviewboard.properties
      • grep rb_data_dir /etc/reviewboard.properties
    3. Run the following commands if Review Board is integrated with TeamForge.
      • semanage fcontext -a -t httpd_sys_rw_content_t "<rb_data_dir>(/.*)?"
      • restorecon -R -v <rb_data_dir>
      • semanage fcontext -a -t httpd_sys_rw_content_t "<rb_dir>(/.*)?"
      • restorecon -R -v <rb_dir>
      • semanage fcontext -a -t httpd_sys_rw_content_t "/opt/collabnet/teamforge/var/home/apache(/.*)?"
      • restorecon -R -v /opt/collabnet/teamforge/var/home/apache
    4. Restart TeamForge.
      • teamforge restart
Parent topic: Protect your CollabNet TeamForge site
Related concepts
TeamForge SELinux policies