SELinux Configuration for AEM Dispatcher | Perficient Digital

If you are like me, you hate setting up a dispatcher (and revel in the benefits of having someone else do that). One of the common problems I see is SELinux stopping the dispatcher from doing dispatcher things.

I’m going to share two easy fixes I’ve found for the two most common ways SELinux becomes an obstruction.

First, let’s let Apache connect to the AEM instance(s):

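# From https://forums.adobe.com/thread/1032754
# Allow httpd to connect to network resources
# (this boolean lets httpd open outbound TCP connections to any port)
# Needs to be run as root, or prefixed with sudo
# -P writes the value to the policy store so it persists across reboots
setsebool -P httpd_can_network_connect 1
# OR
setsebool -P httpd_can_network_connect true
# Only one of the two is needed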

Next, we need to let the dispatcher write files to its own directories:

# Adapted from https://www.serverlab.ca/tutorials/linux/web-servers-linux/configuring-selinux-policies-for-apache-web-servers/
# Provides semanage, which is used to manage SELinux policy
yum install -y policycoreutils-python

# For troubleshooting (optional); the package name is setroubleshoot
yum install -y setroubleshoot

# Set the SELinux policy for the author/publish caches
semanage fcontext -a -t httpd_cache_t "/path/to/docroot(/.*)?"
restorecon -Rv /path/to/docroot
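
To tell which of the two fixes a given denial calls for, the following added example (not part of the original post) reads audit log lines and sorts httpd AVC denials into the network case and the cache-write case. The sample log lines, including ports, PIDs and inodes, are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the original post.
# SAMPLE_AVC is constructed audit.log content (ports, pids, inodes are made up).
SAMPLE_AVC='type=AVC msg=audit(1500000000.101:201): avc:  denied  { name_connect } for  pid=1201 comm="httpd" dest=4503 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1500000000.202:202): avc:  denied  { write } for  pid=1201 comm="httpd" name="content" dev="dm-0" ino=5301 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=dir
type=AVC msg=audit(1500000000.303:203): avc:  denied  { read } for  pid=988 comm="sshd" name="shadow" dev="dm-0" ino=77 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file'

# classify_avc: read audit.log lines on stdin; for each denial whose source
# domain is httpd_t, print which of the two fixes above it points to.
classify_avc() {
  awk '
    function field(key,   v) {          # value of key=... up to the next space
      v = $0
      if (!sub("^.*" key "=", "", v)) return "-"
      sub(/ .*$/, "", v); return v
    }
    /type=AVC/ && /denied/ && /scontext=[^ ]*:httpd_t:/ {
      # Permission list sits between the braces: { write add_name }
      perm = $0; sub(/^.*[{] /, "", perm); sub(/ [}].*$/, "", perm)
      tclass = field("tclass")
      # The SELinux type is the third colon-separated part of the context
      split(field("tcontext"), ctx, ":"); ttype = ctx[3]
      if (tclass == "tcp_socket" && perm == "name_connect")
        print "network: port " field("dest") " (" ttype ") -> httpd_can_network_connect"
      else if ((tclass == "file" || tclass == "dir") && perm ~ /write|create|add_name|remove_name|unlink|rename|setattr/)
        print "cache: " perm " on " ttype " " tclass " -> semanage fcontext + restorecon"
      else
        print "other: " perm " on " ttype " " tclass
    }'
}
```

On a real host, run it as root against the audit log: classify_avc < /var/log/audit/audit.log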

It also turns out that Adobe put some similar steps in the official dispatcher documentation. Not all of the steps are needed on all Linux systems, though. For example, my dispatcher on CentOS 7 didn’t require me to change the SELinux context of the dispatcher module (though I did put it into the /etc/httpd/modules directory, so it inherits from the folder policy).

I opted to use httpd_cache_t instead of Adobe’s recommended httpd_sys_content_t, since it is technically a cache and not just normal content. The choice is yours on what you use to make your dispatcher functional with SELinux.

Happy managing your dispatchers!
