If you are like me, you hate setting up a dispatcher (and revel in the benefits of having someone else do that). One of the common problems I see is SELinux stopping the dispatcher from doing dispatcher things.
I’m going to share two easy fixes I’ve found for the two most common ways SELinux becomes an obstruction.
First, let’s let Apache connect to the AEM instance(s):
    # From https://forums.adobe.com/thread/1032754
    # Allow httpd to connect to network resources
    # Needs to be run as root, or add sudo before setsebool
    setsebool httpd_can_network_connect 1
    # OR
    setsebool httpd_can_network_connect true
    # Just one or the other is needed
    # Without -P the boolean reverts at the next reboot; use "setsebool -P" to make it persistent
Next, we need to let the dispatcher write files to its own directories:
    # Adapted from https://www.serverlab.ca/tutorials/linux/web-servers-linux/configuring-selinux-policies-for-apache-web-servers/
    # To manage SELinux; this package contains semanage
    yum install -y policycoreutils-python
    # For troubleshooting (optional)
    yum install -y setroubleshoot
    # Set the SELinux policy for author/publish caches
    semanage fcontext -a -t httpd_cache_t "/path/to/docroot(/.*)?"
    restorecon -Rv /path/to/docroot
It also turns out that Adobe put some similar steps in the official dispatcher documentation. Not all of the steps are needed on all Linux systems, though. For example, my dispatcher on CentOS 7 didn’t require me to change the SELinux context of the dispatcher module (though I did put it into the /etc/httpd/modules directory, so it inherits from the folder policy).
I opted to use httpd_cache_t instead of Adobe’s recommended httpd_sys_content_t, since it is technically a cache and not just normal content. The choice is yours on what you use to make your dispatcher functional with SELinux.
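To tell which of the two fixes above a host actually needs, you can sort the httpd AVC denials from the audit log by kind. The script below is an added example, not from the original post or from Adobe; the function name classify_avc, its output labels, and the sample audit records (ports, file names, pids) are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: map httpd AVC denials to the two fixes described above.
# On a real host: ausearch -m avc -c httpd --raw | classify_avc

# Constructed sample audit records (not captured from a real system).
SAMPLE_AVC='type=AVC msg=audit(1500000000.101:201): avc:  denied  { name_connect } for  pid=2211 comm="httpd" dest=4503 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1500000000.202:202): avc:  denied  { write } for  pid=2211 comm="httpd" name="docroot" dev="dm-0" ino=67 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1500000000.303:203): avc:  denied  { read } for  pid=900 comm="sshd" name="authorized_keys" dev="dm-0" ino=88 scontext=system_u:system_r:sshd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1500000000.404:204): avc:  denied  { read } for  pid=2211 comm="httpd" name="notes.txt" dev="dm-0" ino=99 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'

# Reads raw audit records on stdin, prints one line per httpd_t denial.
classify_avc() {
  awk '
    # Return the value of key=value on the current record, quotes stripped.
    function val(k,   s) {
      if (!match($0, k "=[^ ]+")) return ""
      s = substr($0, RSTART + length(k) + 1, RLENGTH - length(k) - 1)
      gsub(/"/, "", s)
      return s
    }
    /avc: +denied/ {
      if (val("scontext") !~ /:httpd_t:/) next      # only the Apache domain
      perms = $0                                     # text between { and }
      sub(/^[^{]*[{] */, "", perms); sub(/ *[}].*$/, "", perms)
      tclass = val("tclass")
      split(val("tcontext"), t, ":")                 # user:role:type:level
      if (tclass == "tcp_socket" && perms ~ /name_connect/)
        print "httpd_can_network_connect dest=" val("dest")
      else if ((tclass == "dir" || tclass == "file") && perms ~ /write|create|add_name/)
        print "relabel_docroot name=" val("name") " type=" t[3]
      else
        print "other perms=" perms " tclass=" tclass
    }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_AVC" | classify_avc
```

Lines labelled httpd_can_network_connect point at the boolean from the first fix, and relabel_docroot lines point at the semanage/restorecon step; anything labelled other deserves a look before you change policy for it.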
Happy managing your dispatchers!