In this article I’ll briefly explain my experience of how SELinux can affect Tomcat clustering. My setup is a single host with two Tomcat application servers with Liferay Enterprise 6.1.20 installed in a vertical cluster.
System Setup
OS: CentOS 6.3
Webserver: Apache HTTP Server 2.2.15
Application Server: Tomcat 7.0.27
Application: Liferay Enterprise 6.1.20
Problem
I set up a Tomcat cluster with the mod_jk module, and my basic high availability failover testing failed. I reviewed the Tomcat, Liferay, and Apache HTTP logs and they didn’t indicate a root cause. I increased the logging levels to debug and this didn’t indicate the issue either. I reviewed the /var/log/audit.log file and found the cause of the issue. See the error below.
Error
type=AVC msg=audit(1348160914.109:130): avc: denied { name_connect } for pid=1892 comm="httpd" dest=8209 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
Cause
SELinux is enabled in enforcing mode by default on CentOS. In this case it is denying httpd, running in the httpd_t domain, permission to open a TCP connection (name_connect) to port 8209, the port mod_jk uses to reach the Tomcat application server; the port carries only the generic port_t label, so no policy rule permits the connection. This blocked connection was the cause of Tomcat not failing over.
Solution Summary
To solve the problem, change the default value of SELINUX from enforcing to disabled or permissive in /etc/selinux/config. See below for more detailed steps.
Disabling SELinux
Update the file /etc/selinux/config.
Change SELINUX=enforcing to SELINUX=permissive or SELINUX=disabled.
After you save the file you will need to restart the server for this to take effect.
EXAMPLE
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of these two values:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted
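As an added example that is not part of the original post, the POSIX shell helper below parses the AVC record shown above and prints the narrower fix an administrator can apply instead of lowering the SELinux mode: adding the denied destination port to the http_port_t label, which the httpd_t domain is already permitted to connect to. The sample AVC line is the one from the post (with straight quotes); the function names avc_field and suggest_fix are my own.

```shell
#!/bin/sh
# Constructed sample input: the denial from the post, as written to the audit log.
AVC_LINE='type=AVC msg=audit(1348160914.109:130): avc: denied { name_connect } for pid=1892 comm="httpd" dest=8209 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket'

# avc_field LINE KEY: print the value of the KEY=value token in an AVC record,
# with surrounding double quotes removed (e.g. comm="httpd" -> httpd).
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | tr -d '"' | head -n 1
}

# suggest_fix LINE: for a name_connect denial on a tcp_socket from the httpd_t
# domain, print the semanage command that adds the destination port to
# http_port_t, a label httpd_t may already connect to, so SELinux can stay
# enforcing. Any other kind of record is rejected with exit status 1.
suggest_fix() {
    case $1 in
        *'denied { name_connect }'*) ;;
        *) echo "skip: not a name_connect denial" >&2; return 1 ;;
    esac
    port=$(avc_field "$1" dest)
    tclass=$(avc_field "$1" tclass)
    domain=$(avc_field "$1" scontext | cut -d: -f3)   # user:role:type:level -> type
    if [ "$tclass" != tcp_socket ] || [ "$domain" != httpd_t ] || [ -z "$port" ]; then
        echo "skip: tclass=$tclass domain=$domain dest=$port" >&2
        return 1
    fi
    echo "semanage port -a -t http_port_t -p tcp $port"
}

# Stand-alone run: print the fix for the sample record. On the real host, run the
# printed command as root and verify it with: semanage port -l | grep http_port_t
suggest_fix "$AVC_LINE"
```

Because tcontext shows the generic port_t label, semanage port -a succeeds; a port already owned by another type would need -m instead. The broader alternative, setsebool -P httpd_can_network_connect on, lets httpd connect to any TCP port and should be reserved for cases where labelling individual ports is impractical.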