Troubleshoot Docker Components Setup (Changing SELinux Modes)

Use the procedure explained in this article for specific cases when you troubleshoot the Aternity Docker Components Server setup failure. Sometimes, the enforcing mode of SELinux (Security-Enhanced Linux) might cause the setup to fail. In this case, change the SELinux mode to permissive. Make sure it is allowed by your organization security policy.

SELinux can be either in the enabled or disabled state. When enabled, SELinux can run in one of the following modes:
  • Enforcing: SELinux policy is enforced. SELinux denies access based on SELinux policy rules.
  • Permissive: SELinux policy is not enforced. SELinux does not deny access, but creates the log file for actions that would have been denied if running in enforcing mode.

    So, by setting the SELinux mode to permissive and checking the log file, you can see what Aternity actions have been denied. Then, update your SELinux policy to allow these actions and change it back to the enforcing mode.

Use getenforce to view the current SELinux mode. Use setenforce to toggle between enforcing and permissive modes. Changes made with this command apply until the reboot. To change to permissive mode temporarily, run the setenforce 0 command.

Procedure

  1. Step 1 Login to Linux host as root.
  2. Step 2 To permanently change SELinux mode to permissive, do the following:
    1. a Open and edit the /etc/selinux/config file.
    2. b Change the SELINUX=[mode] to permissive.
    3. c Save changes and exit.
    4. d Reboot the server.
    (Optional) To change to permissive mode temporarily, run the setenforce 0 command. Use getenforce to view the current SELinux mode.
  3. Step 3 Run the setup of Aternity Docker Components Server.
  4. Step 4 Run Aternity for a day or two to collect logs.
  5. Step 5 Contact Customer Services to review the actions that would have been denied if running in enforcing mode.
  6. Step 6 Update SELinux policy, if your organizational security policy allows it.
  7. Step 7 To change SELinux back to enforcing mode, edit /etc/selinux/config again and change the SELINUX=[mode] to enforcing, or run the setenforce 1 command.
    Use getenforce to view the current SELinux mode.