ORDS fails to deploy when SELinux is enabled

[fuzziebrain]

When SELInux is enabled, ORDS will not deploy correctly. Tomcat will need access to two directories and their contents: /etc/ords and /ords/apex_images. If SELinux is enforcing, then the following commands should be executed after Tomcat is installed, but before the apps are deployed:

$ semanage fcontext -a -t tomcat_var_run_t '/etc/ords(/.*)?'
$ restorecon -R -v /etc/ords
$ semanage fcontext -a -t tomcat_var_run_t '/var/lib/tomcat/webapps(/.*)?'
$ restorecon -R -v /var/lib/tomcat/webapps

DigitalOcean users who are deploying to a Centos 7.4 droplet may experience this issue. If you prefer not to re-run the build when a fix is available, then run the above commands as root, redeploy the ords.war file and then restart Tomcat.

Thanks to @Fr4ncis for reporting this issue.

[Update] 2018-02-02 Corrected the path that needs to be relabelled for webapps to deploy successfully on Tomcat.

[hairpin666]

Hi Fuzziebrain,

Could you please advise how I can simply redeploy the ords.war and restart the tomcat after I ran the scripts on a centos linux?

Thanks

[fuzziebrain]

@hairpin666 Please try the following and let me know how it goes:

1. Check the directory /ords/apex_images. If there are no files, copy them from the APEX installer files. There should be an images sub-directory that should be recursively copied to /ords/apex_images. Use the cp (copy) option -r.
2. For CentOS, the typical directory that Tomcat stores web application files are in /usr/share/tomcat/webapps. Check to see if the `ords/ sub-directory exists. If so, delete it and then restart Tomcat.

[hairpin666]

Hi, I checked the folder /ords/apex_images the files were there after installation, i ran $ semanage fcontext -a -t tomcat_var_run_t '/etc/ords(/.)?' $ restorecon -R -v /etc/ords $ semanage fcontext -a -t tomcat_var_run_t '/ords/apex_images(/.)?' $ restorecon -R -v /ords/apex_images

After that the folder couldn't be found anymore, at least I got the Apex Screen telling me that the image directory is not configured correct.

What am I doing wrong ? :)

[fuzziebrain]

The label for /ords/apex_images might be incorrect and I will need to investigate. PM2 doesn't run as tomcat user and probably that's why it isn't working. Does it work when you disable selinux?

[GasparYYC]

I have just tried to build OXAR on Digital Ocean CentOS 7.4 and I can confirm that even after trying the semanage and restorecon command did not work...

What worked for me is to completely disable SELinux completely prior to installing OXAR using:

sed -i.backup  's/SELINUX=enforcing/SELINUX=disabled/' /etc/sysconfig/selinux
sed -i.backup  's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
reboot

Once that was disabled, OXAR installation went smooth...

[fuzziebrain]

@GasparYYC Thanks for the update and advise. While it's probably more straightforward to disable SELinux, I still think that the best option is to adapt OXAR for use and deployment with SELinux enabled.

@hairpin666 I have updated the two directories that need to be relabelled. Besides /etc/ords, the other path should correctly be /var/lib/tomcat/webapps. We now also have a fix for this issue (see branch fuzziebrain/selinux. I'm still waiting for more confirmation that the issue would be fully resolved, before pushing the changes to the master branch.

[fuzziebrain]

Should be resolved for new deployments.