How to use NewRelic with SELinux

NewRelic doesn't work with SELinux in enforcing mode out of the box, and fixing that appears to be outside the scope of NR's support. So, here's how to run NR without turning SELinux off: a small custom policy module that grants the web server domain (httpd_t) exactly what the NewRelic agent needs to reach its daemon.

First, we’re going to create the rule file:

# mkdir ~/newrelic
# cd ~/newrelic
# nano newrelic.te

The contents of the file should be as follows. It grants a bit more than you need if you only use certain NewRelic features, but this set seems to cover all, or at least most, of them. Each rule maps to one thing the agent does from inside httpd_t: connect to the newrelic-daemon's unix socket (the daemon runs as initrc_t, its socket sits under /tmp and is labelled tmp_t) and read/write the daemon's files under initrc_var_run_t and initrc_tmp_t. Note that the tmp_t:sock_file rule applies to every socket labelled tmp_t, not only the daemon's, so it is broader than strictly necessary.

module newrelic 1.0;

require {
	type httpd_t;
	type tmp_t;
	type initrc_var_run_t;
	type initrc_tmp_t;
	type initrc_t;
	class sock_file write;
	class unix_stream_socket connectto;
	class file { read write open };
}

#============= httpd_t ==============
allow httpd_t initrc_t:unix_stream_socket connectto;
allow httpd_t initrc_tmp_t:file open;
allow httpd_t initrc_var_run_t:file { read write };
allow httpd_t tmp_t:sock_file write;

Then compile the source into a module, package it, and install it (all three steps as root; semodule is what actually loads the policy):

# checkmodule -M -m -o newrelic.mod newrelic.te
# semodule_package -m newrelic.mod -o newrelic.pp
# semodule -i newrelic.pp

That’s it!
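If a NewRelic feature you use still trips a denial (the policy above is a best-effort superset, not a guarantee), regenerate the rules from the actual AVC records rather than widening them by hand. The script below is an added example, not code from this post or from NewRelic: a minimal stand-in for `audit2allow -M`, which is what a .te file like the one above normally comes from. It parses AVC denial lines, merges permissions per (source type, target type, class), and emits a .te module with the require block and allow rules. The sample log is constructed for illustration (pids, inode numbers, timestamps and the file name `gen_te.py` are assumptions, not captured from a real host).

```python
"""Generate SELinux allow rules from AVC denial records.

Added example, not NewRelic's or the post's own code: a minimal stand-in
for `audit2allow -M`, showing where the allow lines in newrelic.te come
from.  The audit lines below are constructed for illustration; pids,
inode numbers and timestamps are assumed, not taken from a real host.
"""
import re
import sys
from collections import defaultdict

# Constructed sample: the denials a PHP app running in httpd_t hits when it
# talks to newrelic-daemon (running as initrc_t) over its unix socket and
# touches the daemon's pid file.  The SYSCALL record is there to show that
# non-AVC lines are skipped.
SAMPLE_AVC_LOG = """\
type=AVC msg=audit(1700000000.101:201): avc:  denied  { write } for  pid=1234 comm="httpd" name=".newrelic.sock" dev="tmpfs" ino=99 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1700000000.102:202): avc:  denied  { connectto } for  pid=1234 comm="httpd" path="/tmp/.newrelic.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1700000000.103:203): avc:  denied  { read } for  pid=1234 comm="httpd" name="newrelic-daemon.pid" dev="tmpfs" ino=100 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.104:204): avc:  denied  { write } for  pid=1234 comm="httpd" name="newrelic-daemon.pid" dev="tmpfs" ino=100 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000000.104:204): arch=c000003e syscall=2 success=no exit=-13
"""

# An AVC record carries the denied permissions, the source and target
# security contexts (user:role:type:level) and the object class.  We only
# need the type component of each context.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]+)\}.*?"
    r"scontext=\S+?:\S+?:(?P<stype>\w+):\S*\s+"
    r"tcontext=\S+?:\S+?:(?P<ttype>\w+):\S*\s+"
    r"tclass=(?P<tclass>\w+)"
)


def parse_avc(log_text):
    """Return {(source_type, target_type, tclass): set(perms)}.

    Records that are not AVC denials (SYSCALL, CWD, PATH, ...) are ignored,
    and repeated denials for the same triple are merged into one rule."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (m["stype"], m["ttype"], m["tclass"])
        denials[key].update(m["perms"].split())
    return denials


def fmt_perms(perms):
    """Single permission bare, several in braces, as checkmodule expects."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def render_te(denials, name, version="1.0"):
    """Render a .te module: the require block lists every type and every
    (class, permission) the rules reference, then one allow rule per
    (source, target, class) triple."""
    types = sorted({t for src, tgt, _ in denials for t in (src, tgt)})
    classes = defaultdict(set)
    for (_, _, cls), perms in denials.items():
        classes[cls].update(perms)
    out = [f"module {name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {fmt_perms(p)};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (src, tgt, cls), perms in sorted(denials.items()):
        out.append(f"allow {src} {tgt}:{cls} {fmt_perms(perms)};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Pipe real records in (e.g. `ausearch -m avc -ts recent | python3 gen_te.py`);
    # with no input on stdin, fall back to the constructed sample.
    text = "" if sys.stdin.isatty() else sys.stdin.read()
    sys.stdout.write(render_te(parse_avc(text or SAMPLE_AVC_LOG), "newrelic"))
```

Run against the constructed sample it reproduces three of the four rules in the module above (the initrc_tmp_t:file open rule is absent simply because the sample contains no such denial); run against `ausearch -m avc -ts recent` output from a host where the agent is failing, it produces exactly the rules that host needs, which you then build and load with the checkmodule, semodule_package and semodule steps above. Only feed it denials you have actually traced to the NewRelic agent: the script faithfully turns every denial it sees into an allow rule, so unrelated denials in the same window would be granted too.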
