Set up SELinux

If SELinux is active on the server that runs your TeamForge site, configure it to allow the services that TeamForge requires.

Pre-requisites to set up the SELinux environment:
Attention: Installing or upgrading TeamForge needs root privileges. You must log on as root or use a root shell to install or upgrade TeamForge.
  1. Verify the SELinux mode using the "getenforce" command. If SELinux is running in "disabled" mode, do the following:
    1. Stop TeamForge.
      Note: Stop TeamForge on all the servers in a distributed setup.
      • /opt/collabnet/teamforge/bin/teamforge stop
    2. Edit the file /etc/sysconfig/selinux and set SELINUX=enforcing.
    3. Turn off TeamForge startup on boot.
      • chkconfig collabnet off
    4. Reboot the server and verify that SELinux is set to "enforcing" mode.
      • getenforce
    5. Run the grep command to get the value of rb_dir and rb_data_dir.
      • grep rb_dir /etc/reviewboard.properties
      • grep rb_data_dir /etc/reviewboard.properties
    6. Run the following commands if Review Board is integrated with TeamForge.
      • semanage fcontext -a -t httpd_sys_rw_content_t "<rb_data_dir>(/.*)?"
      • restorecon -R -v <rb_data_dir>
      • semanage fcontext -a -t httpd_sys_rw_content_t "<rb_dir>(/.*)?"
      • restorecon -R -v <rb_dir>
      • semanage fcontext -a -t httpd_sys_rw_content_t "/opt/collabnet/teamforge/var/home/apache(/.*)?"
      • restorecon -R -v /opt/collabnet/teamforge/var/home/apache
    7. Before deploying services, remove pdk-root and pdk-sf-admin directories.
      • rm -rf /tmp/pdk-root
      • rm -rf /tmp/pdk-sf-admin
    8. Turn on TeamForge startup on boot.
      • chkconfig collabnet on
    9. Run the following command to switch SELinux to 'permissive' mode.
      • setenforce 0
    10. Deploy services.
      • /opt/collabnet/teamforge/bin/teamforge provision

      The "provision" command prompts for a response before it bootstraps or migrates data during TeamForge installation and upgrade respectively. Enter "Yes" or "No" to proceed. For more information, see The teamforge script.

    11. Start TeamForge.
      • /opt/collabnet/teamforge/bin/teamforge start
    12. Run the TeamForge post installation script.
      • /opt/collabnet/teamforge/runtime/scripts/post-install.py
    13. Run the following command to switch SELinux to 'enforcing' mode.
      • setenforce 1
    14. Fix the SELinux data permissions.
      • cd /opt/collabnet/teamforge/runtime/scripts/
      • ./fix_data_selinux_permissions.sh
      Note: If your data directory is on a NetApp volume, you may observe some warning messages which can be ignored safely.
  2. Verify the SELinux mode using the "getenforce" command. If SELinux is running in "permissive" mode, do the following:
    1. Set SELinux to run in "enforcing" mode again.
      • setenforce 1
    2. Run the grep command to get the value of rb_dir and rb_data_dir.
      • grep rb_dir /etc/reviewboard.properties
      • grep rb_data_dir /etc/reviewboard.properties
    3. Run the following commands if Review Board is integrated with TeamForge.
      • semanage fcontext -a -t httpd_sys_rw_content_t "<rb_data_dir>(/.*)?"
      • restorecon -R -v <rb_data_dir>
      • semanage fcontext -a -t httpd_sys_rw_content_t "<rb_dir>(/.*)?"
      • restorecon -R -v <rb_dir>
      • semanage fcontext -a -t httpd_sys_rw_content_t "/opt/collabnet/teamforge/var/home/apache(/.*)?"
      • restorecon -R -v /opt/collabnet/teamforge/var/home/apache
    4. Restart TeamForge.
      • /opt/collabnet/teamforge/bin/teamforge restart
    5. Fix the SELinux data permissions if and only if your site has been upgraded to TeamForge 17.1. Skip this step for a fresh installation of TeamForge 17.1.
      • cd /opt/collabnet/teamforge/runtime/scripts/
      • ./fix_data_selinux_permissions.sh
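
The Review Board steps above substitute <rb_dir> and <rb_data_dir> by hand; if either value is empty, the semanage pattern becomes "(/.*)?" and matches every path on the system. The following script is an added example, not part of TeamForge: it reads both values and prints the commands for review, refusing unsafe values. It assumes the properties file uses plain "key = value" lines; the function names and the script name rb_labels.sh are hypothetical.

```shell
#!/bin/sh
# Added example (not TeamForge code): print the Review Board relabeling commands
# with the directories read from the properties file, for review before running.
# Assumption: /etc/reviewboard.properties holds plain "key = value" lines.

# Value of an exact key, so "rb_dir" never picks up the "rb_data_dir" line.
prop_value() {
    sed -n "s/^[[:space:]]*${1}[[:space:]]*=[[:space:]]*//p" "$2" |
        sed 's/[[:space:]]*$//; s:/*$::' | tail -n 1
}

# Accept only a plain absolute path. An empty value would turn the pattern
# into "(/.*)?", which matches every path on the system.
safe_dir() {
    case "$1" in
        ""|*[!A-Za-z0-9_./-]*|*..*|*//*) return 1 ;;
        /?*) return 0 ;;
        *) return 1 ;;
    esac
}

# The semanage/restorecon pair from the procedure, for one directory.
label_cmds() {
    printf 'semanage fcontext -a -t httpd_sys_rw_content_t "%s(/.*)?"\n' "$1"
    printf 'restorecon -R -v %s\n' "$1"
}

# Print all six commands, or fail without printing anything.
rb_label_cmds() {
    props=${1:-/etc/reviewboard.properties}
    data_dir=$(prop_value rb_data_dir "$props")
    site_dir=$(prop_value rb_dir "$props")
    for d in "$data_dir" "$site_dir"; do
        safe_dir "$d" || { echo "unsafe or missing path: '$d'" >&2; return 1; }
    done
    label_cmds "$data_dir"
    label_cmds "$site_dir"
    label_cmds /opt/collabnet/teamforge/var/home/apache
}

# Usage: sh rb_labels.sh --print [properties-file]
if [ "${1:-}" = "--print" ]; then rb_label_cmds "${2:-}"; fi
```

Review the printed commands, then run them as root in the order shown.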