How-to install openfire under SELinux

I have written a how-to for those of you who are trying to install openfire under SELinux. The how-to can be found at:

http://www.tezandbabs.net/SELinux-openfire

Sorry everyone, but the above link is no longer available, as soon as I get the server up and running again, I’ll have that page up again.

Asking honestly here…

Is such a guide needed? I’ve installed the last three versions of Openfire on CentOS 5.x and I’ve had no problems.

Perhaps a guide to setting up firewalls?

Did you have SELinux enabled? I generally disable it, but at some point I might want to enable it and learn how to properly do things under it. I honestly don’t know if Openfire has problems with SELinux, but I imagine if a guide was written, it was for a reason.

usalabs, is there a reason why you want to host your guide there? You can create a document here for the guide.

Yup, I have it enabled in enforcing mode and everything is happy.

SELinux isn’t that scary now in CentOS 5+; there are a lot of helper tools that come with it to let you know when SELinux has blocked something and how to fix it. setroubleshootd is a great thing to have running at all times. If you didn’t install it as part of your OS install, you should for sure install it and have it running.

If the context is wrong on a file, most times restorecon filename will fix it.

I don’t know where on here a downloadable document can be hosted; that’s why I used my own server.

But to answer a previous question, yes, I even tried SELinux in permissive mode using:-

  setenforce 0

but using that only creates warnings and appends them to the system messages, which, by using:-

  audit2allow -d

displays the denied messages as allowed, so that they can be copied and pasted into the custom policy.

The important thing to remember is that SELinux has no policies for user ‘daemon’, and this user is not created when installing openfire. This means that when openfire is installed with SELinux in enforcing or permissive mode, openfire will look for the user ‘daemon’ to run the application, but because the user doesn’t exist, openfire will always ask to enter a security context; if yes, then you’ll be asked for the type and role, but if no, then openfire will generate an error and stop.

To run under SELinux, there are a few files to modify, and because ‘sudo’ always has root to allow access to ‘ALL’, one would have to change the ‘openfire’ file located at ‘/etc/init.d/’ and add ‘sudo’ before the ‘su’ command on the line:

su -s /bin/sh -c "nohup $OPENFIRE_RUN_CMD > $OPENFIRE_LOGDIR/nohup.out 2>&1 &" $OPENFIRE_USER

So that the line would read:-

sudo su -s /bin/sh -c "nohup $OPENFIRE_RUN_CMD > $OPENFIRE_LOGDIR/nohup.out 2>&1 &" $OPENFIRE_USER

Then the file ‘openfire’ located at ‘/etc/sysconfig’ is edited and the # removed from the line:

#OPENFIRE_USER="daemon"

Then replace ‘daemon’ with ‘root’, so that the line would read:-

OPENFIRE_USER="root"

Once the 2 files have been edited, the policy lines have to be inserted into the custom policy. But not all SELinux policy creation is the same; I can only show how to get SELinux to display the lines needed to insert/add to the custom policy.

First, all the commands below are run as root.

  1. setenforce 0

  2. dmesg -c && clear

  3. /etc/init.d/openfire

  4. audit2allow -d

  5. setenforce 1

If there are any lines with ‘init_rc’, they cannot be added to the custom policy, but the rest can.

The compilation of the custom policies I’m leaving up to the individual (a good knowledge of SELinux policies is required for the distro that’s being compiled).
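As an added example (not from this thread or the Openfire project), here is a small shell function that does in miniature what step 4's audit2allow -d does with the denials captured in steps 1 to 3, and drops the denials involving init_rc/initrc types that the post says cannot go into the custom policy. The AVC lines are constructed, and the type names in them (initrc_t, unconfined_java_t, var_t, port_t, var_log_t) are assumed for illustration.

```shell
#!/bin/sh
# Constructed sample of AVC denials in dmesg/audit.log form (not output from
# the poster's system). The first is an initrc_t denial, the kind the post
# says must be left out of the custom policy.
SAMPLE_AVC='type=AVC msg=audit(1300000000.101:10): avc:  denied  { read } for  pid=2001 comm="java" name="openfire.xml" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1300000000.102:11): avc:  denied  { name_bind } for  pid=2001 comm="java" src=5222 scontext=system_u:system_r:unconfined_java_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1300000000.103:12): avc:  denied  { read write } for  pid=2001 comm="java" name="nohup.out" scontext=system_u:system_r:unconfined_java_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file'

# avc_to_allow: read AVC denial lines on stdin and print one "allow" rule per
# denial in the shape audit2allow prints. Denials whose source or target type
# matches SKIP_PATTERN (default covers the post's "init_rc" and the policy's
# initrc_t names) are dropped and reported on stderr instead.
avc_to_allow() {
  awk -v skip="${SKIP_PATTERN:-init_rc|initrc}" '
    # ctxtype: "scontext=user:role:type:level" -> "type"
    function ctxtype(field,   n, parts) {
      sub(/^[st]context=/, "", field)
      n = split(field, parts, ":")
      return (n >= 3) ? parts[3] : ""
    }
    /avc: +denied/ {
      perms = $0                       # keep only the words between { and }
      sub(/^.*denied +\{ */, "", perms); sub(/ *\}.*$/, "", perms)
      stype = ""; ttype = ""; tclass = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^scontext=/) stype = ctxtype($i)
        else if ($i ~ /^tcontext=/) ttype = ctxtype($i)
        else if ($i ~ /^tclass=/) { tclass = $i; sub(/^tclass=/, "", tclass) }
      }
      if (stype == "" || ttype == "" || tclass == "") next   # malformed line
      if (stype ~ skip || ttype ~ skip) {
        print "skipped (" stype " -> " ttype ":" tclass "): " perms > "/dev/stderr"
        next
      }
      print "allow " stype " " ttype ":" tclass " { " perms " };"
    }'
}

# count_allow_rules: number of rules that survive the filter for the sample.
count_allow_rules() {
  printf '%s\n' "$SAMPLE_AVC" | avc_to_allow 2>/dev/null | wc -l | tr -d ' '
}

# Stand-alone run: the rules that would be pasted into the .te file.
printf '%s\n' "$SAMPLE_AVC" | avc_to_allow
```

Real policy modules should still come from audit2allow; this only shows which parts of each denial the tool turns into a rule, and where the init_rc check the post mentions would sit.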