Allowing stuff on SELinux (NewRelic example | For CentOS/RHEL 5/6/7)

Ah… selinux, always getting in the way of things…

SELinux doesn’t necessarily ship with all the rules a given program needs, so often you have to adjust it yourself. This is a tutorial on how to do that, with NewRelic as the example (which I just had a problem with after updating…). Replace “newrelic” and “newrelic-daemon” with whatever fits your case.

All of this is run as root.

  1. Get policycoreutils. This is the only package you’ll need to install.
     For CentOS / RHEL 5:

         yum -y install policycoreutils

     For version 6 and 7:

         yum -y install policycoreutils-python

  2. Set SELinux to permissive for a moment:

         setenforce 0

  3. Restart the service that’s getting blocked, so that it runs properly and SELinux logs everything it would otherwise have denied, for example:

         service httpd restart    (systemctl restart httpd on 7)

  4. Then we can use audit2allow to create the set of rules it requires. SELinux writes everything it blocked to audit.log; we’ll look in that log to see what was blocked and then allow it:

         grep newrelic /var/log/audit/audit.log | audit2allow -m newrelic-daemon > newrelic-daemon.te

  5. The above creates a newrelic-daemon.te file for you to review. Check that it’s what you want: every line in it becomes an allow rule, including any unrelated denial that happened to match the grep. The -m option prints the module source (which we redirected into the .te file). Next, we’re going to use the -M option to create a module package that can be loaded.

  6.     grep newrelic /var/log/audit/audit.log | audit2allow -M newrelic-daemon

  7. It probably told you just now what to do next. Do it:

         semodule -i newrelic-daemon.pp

     That will load the new module into SELinux.

  8. Re-enable SELinux:

         setenforce 1

  9. Restart the service:

         service httpd restart    (systemctl restart httpd on 7)

  10. Check that everything is still working. If it is, great! All done.

You can also keep the .te file and rebuild the module package from it later:

make -f /usr/share/selinux/strict/include/Makefile newrelic-daemon.pp
semodule -i newrelic-daemon.pp
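The whole procedure as one script, as an added example that is not from the original post or from NewRelic. It adds the two things the steps above leave to the reader: the .te is shown and must be confirmed before anything is loaded, and enforcing mode is restored even if a later command fails. The summarize_denials helper condenses the matching AVC lines into one line per distinct (source domain, target type, class, permission) tuple, which is the quickest way to spot a denial that should not be turned into an allow rule. The module name, the grep pattern and the service name are taken from the post; the three audit lines are constructed sample data, not real log output.

```shell
#!/bin/sh
# Added example (not from the original post). Run as root with --run to apply;
# without --run it only summarizes the constructed sample log below.

MODULE="newrelic-daemon"              # module name from the post
PATTERN="newrelic"                    # grep pattern from the post
SERVICE="httpd"                       # service to restart (from the post)
AUDIT_LOG="/var/log/audit/audit.log"

# Constructed sample denials (not real output): two for the daemon and one
# unrelated httpd denial, which must not be swept into the module.
SAMPLE_LOG='type=AVC msg=audit(1000000000.001:101): avc:  denied  { write } for  pid=1001 comm="newrelic-daemon" name="newrelic-daemon.log" dev="dm-0" ino=1 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1000000000.002:102): avc:  denied  { name_connect } for  pid=1001 comm="newrelic-daemon" dest=443 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1000000000.003:103): avc:  denied  { read } for  pid=2002 comm="httpd" name="index.php" dev="dm-0" ino=2 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'

# Read audit lines on stdin, keep AVC denials matching $1, and print one line
# per distinct "source_domain -> target_type (class): permissions".
# Every such line is what audit2allow will turn into an allow rule.
summarize_denials() {
    grep 'type=AVC' | grep "$1" |
    sed -n 's/.*denied  *{ *\([^}]*\)}.*scontext=[^:]*:[^:]*:\([^:]*\):.*tcontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([^ ]*\).*/\2 -> \3 (\4): \1/p' |
    sed 's/  *$//' | sort -u
}

# Steps 2-9 of the post, with review and clean-up added.
build_and_load_module() {
    trap 'setenforce 1' EXIT          # never leave the box permissive by accident
    setenforce 0
    service "$SERVICE" restart        # systemctl restart "$SERVICE" on 7

    echo "Denials that will become allow rules:"
    summarize_denials "$PATTERN" < "$AUDIT_LOG"
    grep "$PATTERN" "$AUDIT_LOG" | audit2allow -m "$MODULE" > "$MODULE.te"
    echo "--- $MODULE.te (audit2allow may note a boolean that already covers a denial) ---"
    cat "$MODULE.te"
    printf 'Build and load this module? [y/N] '
    read -r answer
    [ "$answer" = "y" ] || return 1

    grep "$PATTERN" "$AUDIT_LOG" | audit2allow -M "$MODULE"   # writes $MODULE.pp
    semodule -i "$MODULE.pp"
    semodule -l | grep -q "^$MODULE" || { echo "module $MODULE not loaded" >&2; return 1; }

    setenforce 1
    service "$SERVICE" restart
}

if [ "${1:-}" = "--run" ]; then
    build_and_load_module
else
    printf '%s\n' "$SAMPLE_LOG" | summarize_denials "$PATTERN"
fi
```

Run without arguments it prints the two daemon denials from the sample and drops the httpd one. When reviewing the real .te, look for denials caused by a mislabeled file (those are fixed with restorecon on the path rather than an allow rule) and for the "can be allowed using the boolean" comments audit2allow prints, where setsebool is the cleaner fix than a custom module.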
