anyone running Jira DC on RHEL with SELinux enforcing?
Posted by The404Engineer@reddit | linuxadmin | 9 comments
Every guide I find just says setenforce 0 and move on. Atlassian themselves say "disable it or figure it out", which is not helpful.
Has anyone actually gotten Jira DC to work properly with SELinux in enforcing mode on RHEL 8 or 9? Like a proper policy module, not just chcon hacks.
Wondering if it's even worth trying or if everyone just runs permissive in prod.
BombTheDodongos@reddit
audit2allow is your friend in these situations
The_Real_Grand_Nagus@reddit
Yep it's the "just chmod 777" of our day.
PudgyPatch@reddit
The official secret/not secret Atlassian answer is “pwese use cloud Jira, it’s really good and has no pwobwems honest injun”
12CoreFloor@reddit
Yes. Run in permissive mode, use audit2allow, craft a policy (one to rule them all or a bunch to do various things), repeat until you're happy. Go back to enforcing. Monitor for a bit to check nothing's been missed off, and keep an eye out when doing updates in future.
1esproc@reddit
Yes
EndpointWrangler@reddit
It's possible but painful, you'll need to audit2allow to generate a custom policy module from the AVC denials after a test run, and Jira's file access patterns are messy enough that you'll end up with a fairly broad policy anyway, which is why most people quietly run permissive in prod and just make sure compensating controls are solid elsewhere.
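The permissive-then-audit2allow loop described in the two comments above, as an added example that is not from the thread or from Atlassian. The AVC lines are constructed samples, the `jira_t` domain and the paths are assumptions, and `build_module` only does anything on a real RHEL host with `policycoreutils-python-utils` installed. The point the summary adds is the one EndpointWrangler makes: denials against generic target types such as `var_t` are a sign that files need relabelling, not that the policy needs another broad allow rule.

```bash
#!/usr/bin/env bash
# Added example (not the thread's or Atlassian's code): triage AVC denials from a
# Jira DC test run in permissive mode before feeding them to audit2allow.
set -euo pipefail

# Constructed sample denials in ausearch format. The source domain "jira_t" is an
# assumed name for this example, not a type shipped by any real policy.
SAMPLE_AVC='type=AVC msg=audit(1700000000.123:456): avc:  denied  { write } for  pid=1234 comm="java" name="atlassian-jira.log" scontext=system_u:system_r:jira_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=1
type=AVC msg=audit(1700000000.124:457): avc:  denied  { name_connect } for  pid=1234 comm="java" dest=5432 scontext=system_u:system_r:jira_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1700000000.125:458): avc:  denied  { write } for  pid=1234 comm="java" name="attachments" scontext=system_u:system_r:jira_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=1'

# Reduce raw AVC lines (stdin) to "source_type target_type class permission",
# counted and sorted, so you can see what a generated module would allow.
summarize_avc() {
  sed -n 's/.*denied *{ *\([^}]*\)} .*scontext=[^:]*:[^:]*:\([^:]*\):.*tcontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([^ ]*\).*/\2 \3 \4 \1/p' \
    | sed 's/ *$//' | sort | uniq -c | sort -rn
}

# Generic target types that audit2allow would turn into very broad rules.
# A denial against one of these usually means the file has the wrong label
# (fix with semanage fcontext + restorecon), not that jira_t needs the rule.
needs_relabel() {
  case "$1" in
    var_t|usr_t|etc_t|default_t|tmp_t|unlabeled_t) return 0 ;;
    *) return 1 ;;
  esac
}

# Walk the summary and print a recommendation per distinct denial.
review_summary() {
  while read -r count src tgt cls perms; do
    if needs_relabel "$tgt"; then
      printf 'RELABEL  %s -> %s %s {%s} (%s hits): relabel the object instead of allowing\n' \
        "$src" "$tgt" "$cls" "$perms" "$count"
    else
      printf 'ALLOW?   %s -> %s %s {%s} (%s hits): candidate for the module\n' \
        "$src" "$tgt" "$cls" "$perms" "$count"
    fi
  done
}

# Real-host steps (needs root, audit daemon and policycoreutils-python-utils).
# Not run by default; call "$0 --apply jira_local" on the Jira host.
build_module() {
  local name=$1
  ausearch -m AVC,USER_AVC -ts recent | audit2allow -M "$name"   # writes $name.te and $name.pp
  cat "$name.te"                                                  # read it before installing
  semodule -i "$name.pp"
  setenforce 1                                                    # back to enforcing
}

if [ "${1:-}" = "--apply" ]; then
  build_module "${2:-jira_local}"
else
  printf '%s\n' "$SAMPLE_AVC" | summarize_avc | review_summary
fi
```

Run it without arguments to see the triage on the sample lines; on the host, replace `SAMPLE_AVC` with `ausearch -m AVC -ts recent` output, relabel whatever shows as RELABEL, re-run the test, and only then generate the module from what is left.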
orev@reddit
SELinux should always be on. It shouldn't affect any software that isn't installed from official repos.
That said, if you're doing something like using the official httpd as a reverse proxy, then you probably need to change some SELinux booleans to allow Apache to make reverse proxy connections. It shouldn't be that difficult and typically shouldn't involve making custom SELinux modules.
You may need to be aware of labels that are inherited from the parent folder when you untar the files, but you can set them to unconfined if you need to.
IMO, any "guide" that tells you to disable SELinux should immediately be ignored. SELinux has been a reality for over 20 years. If people can accept systemd, then SELinux shouldn't be an issue either.
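The boolean-and-labels route from the comment above, as an added example (not from the thread, Red Hat or Atlassian). The `getsebool` output is a constructed sample and `/opt/atlassian` is an assumed install path; `apply_fix` is the part that actually changes the host and is only reached with `--apply`. It prefers `httpd_can_network_relay`, which is limited to proxy-type ports, over `httpd_can_network_connect`, which lets httpd connect anywhere, so the reverse proxy gets the narrower grant.

```bash
#!/usr/bin/env bash
# Added example (not the thread's code): enable only the SELinux boolean the
# httpd reverse proxy needs and reset labels on a freshly untarred Jira tree.
set -euo pipefail

# Constructed output of `getsebool -a | grep ^httpd_can_network` on a fresh host.
SAMPLE_GETSEBOOL='httpd_can_network_connect --> off
httpd_can_network_connect_db --> off
httpd_can_network_relay --> off'

# Print each required boolean that is not "on" in the given getsebool output.
# $1 = getsebool output, remaining args = boolean names we require.
missing_booleans() {
  local output=$1; shift
  local b
  for b in "$@"; do
    printf '%s\n' "$output" | grep -q "^$b --> on\$" || printf '%s\n' "$b"
  done
}

# The weak fix people copy from guides versus the targeted one.
weak_fix() {
  printf 'setenforce 0   # disables enforcement for every domain on the box\n'
}

# Narrow grant: relay covers reverse-proxy connections to http/proxy port types;
# httpd_can_network_connect would allow outbound connections to any port.
proxy_boolean() {
  printf 'httpd_can_network_relay'
}

# Labels a new tree picks up from its parent when untarred may not match what
# the policy would assign; restorecon resets them to the policy's defaults.
relabel_commands() {
  local dir=$1
  printf 'restorecon -Rv %s\n' "$dir"
  printf 'ls -Z %s | head\n' "$dir"
}

# Real-host steps (root). Reached only with --apply.
apply_fix() {
  local dir=${1:-/opt/atlassian}   # assumed install path
  setsebool -P "$(proxy_boolean)" on
  restorecon -Rv "$dir"
  getsebool "$(proxy_boolean)"
}

if [ "${1:-}" = "--apply" ]; then
  apply_fix "${2:-/opt/atlassian}"
else
  echo "Booleans still off:"; missing_booleans "$SAMPLE_GETSEBOOL" "$(proxy_boolean)"
  echo "Don't:"; weak_fix
  echo "Do:"; printf 'setsebool -P %s on\n' "$(proxy_boolean)"; relabel_commands /opt/atlassian
fi
```

On the host, feed `missing_booleans` the real `getsebool -a` output; if the list is empty and the proxy still fails, the denial is somewhere else (check `ausearch -m AVC -ts recent`) rather than in the booleans.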
The404Engineer@reddit (OP)
Yeah exactly, I wasn't gonna take that advice lol, appreciate it. Jira is a critical service so the idea of disabling SELinux on it was never really on the table. Your comment did boost my confidence a bit tho 🫠 will do the labels.
ftf327@reddit
Have you tried audit2allow? It is a great tool to narrow down the problem and sometimes it gives the right solution lol