SELinux Blocking ip from read/open on

05-21-2019 09:12 AM
Occasional Contributor

I'm running ArcGIS Server 10.7 on RHEL Server 7.6

Whenever I start ArcGIS Server with the systemd unit included in the install, copied from arcgis/server/framework/etc/scripts/ to /etc/systemd/system/arcgisserver.service, it gives SELinux alerts blocking read/open on and

When I start ArcGIS Server by directly calling, There are no alerts.

I have attempted to install local policy allowing access using audit2allow via this guide:

and also in the RHEL SELinux Troubleshooter instructions:

# ausearch -c 'ip' --raw | audit2allow -M my-ip

# semodule -i my-ip.

I've also tried adjusting the file's context with:

# semanage fcontext -a -t default_t

# restorecon -v

How can I start ArcGIS Server through systemd without the SELinux permission errors?

0 Kudos
2 Replies
Esri Regular Contributor

Hi there,

I assume you want SELinux to remain enabled and probably don't want it in permissive mode. If so, then I think the other other option would be to make an exception for the process by flagging it with the unconfined option. I'm not 100% positive on what the proper place to configure that would be. Possibly you would just throw this line into the systemd service itself:

0 Kudos
Occasional Contributor

Thanks, Earl.

I tried adding that line to my unit file in various places but none have yet solved the problem.

Adding it in the [Unit] or [Install] Section, the service can start successfully, but SELinux still alerts about

Adding it to the [Service] Section, starting the service fails with SELinux denying transition on the script.

Is there a specific order the lines in my unit file have to be arranged?

Here are the current contents of the file:

sudo cat /etc/systemd/system/arcgisserver.service :

# ------------------------------------------------------------------
# ArcGIS Server systemd unit file
# ------------------------------------------------------------------
# Configure ArcGIS Server to be started at boot on Linux distributions
# adopting systemd init system (For example RHEL 7.x and SuSE12) by
# following these instructions:
# 1.) Switch to the root user.
# 2.) Copy this file to /etc/systemd/system
# 3.) Enable the service to start at boot:
# # systemctl enable arcgisserver.service
# 4.) Verify systemd service is setup correctly:
# # systemctl stop arcgisserver.service
# # systemctl start arcgisserver.service
# # systemctl status arcgisserver.service
# 5.) Reboot the system and verify that Server restarts properly.
# ------------------------------------------------------------------

Description=ArcGIS Server Service



# The minimum number of processes need to be set to 25059 or higher. Enable
# and raise this limit if it is a heavily used system. Use ulimit -Su -Hu to
# check current values.
# LimitNPROC=25059
# LimitNOFILE=65535

# To prevent any one service from spawning too many threads and consuming all
# server resources, systemd v228 and beyond included in SLES12 SP2 and higher
# set the maximum number of threads to be created at 512. Users on SLES12 may
# need to enable and raise this limit if it is a heavily used system. Use
# "systemctl show --property DefaultTasksMax" to check the current value. To
# find the version of systemd, use "systemctl --version".
# TasksMax=512



Thanks again for your help.


This is the output of ls -Z for the two files throwing the error:

-rwx------. igsgis data unconfined_u:object_r:unlabeled_t:s0

-rwx------. igsgis data unconfined_u:object_r:unlabeled_t:s0

(As mentioned earlier, I've tried switching context type to default as well, I've also tried switching user from unconfined to system)

The SELinux Alerts are:

SELinux is preventing /usr/sbin/ip from open access on the file /diskarray/arcgis/server/framework/runtime/jre/lib/

SELinux is preventing /usr/sbin/ip from getattr access on the file /diskarray/arcgis/server/framework/runtime/jre/lib/

0 Kudos