{"id":226,"date":"2015-05-01T05:04:09","date_gmt":"2015-05-01T09:04:09","guid":{"rendered":"https:\/\/www.grumpyland.com\/blog\/?p=226"},"modified":"2015-05-01T05:04:58","modified_gmt":"2015-05-01T09:04:58","slug":"allowing-stuff-on-selinux-newrelic-example-for-centosrhel-567","status":"publish","type":"post","link":"https:\/\/www.grumpyland.com\/blog\/226\/allowing-stuff-on-selinux-newrelic-example-for-centosrhel-567\/","title":{"rendered":"Allowing stuff on SELinux (NewRelic example | For CentOS\/RHEL 5\/6\/7)"},"content":{"rendered":"

Ah… selinux, always getting in the way of things…<\/p>\n

SELinux doesn’t necessarily have all the proper rules, so often you’d need to adjust it yourself. This is a tutorial of how to do that with NewRelic as an example (which I just had problem with after updating…). You can replace “newrelic” and “newrelic-daemon” to your needs.<\/p>\n

All of this is in root.<\/p>\n

    \n
  1. Get policycoreutils. This is the only installation you’ll need.
    \nFor CentOS \/ RHEL 5:<\/p>\n
    yum -y install policycoreutils<\/pre>\n
    For version 6 and 7:<\/p>\n
    yum -y install policycoreutils-python<\/pre>\n<\/li>\n
  2. Set selinux to permissive\u00a0for a moment:\n
    setenforce 0<\/pre>\n<\/li>\n
  3. Restart the service that’s getting blocked, so that it will work properly, for example:\n
    service httpd restart (systemctl for 7)<\/pre>\n<\/li>\n
  4. Then we can use audit2allow to create a set of rules that it requires. SELinux creates a log of stuff that were blocked in audit.log, we’ll look in that log to see what was blocked and then allow it.\n
    grep newrelic \/var\/log\/audit\/audit.log | audit2allow -m newrelic-daemon > newrelic-daemon.te<\/pre>\n<\/li>\n
  5. The above will create a newrelic-daemon.te file for you to review. Check that it’s what you want. The -m option creates an output file. Next, we’re going to use -M option to create a module package that can be loaded.<\/li>\n
  6. \n
    grep newrelic \/var\/log\/audit\/audit.log | audit2allow -M newrelic-daemon<\/pre>\n<\/li>\n
  7. It probably told you just now what to do next. Do it:\n
    semodule -i newrelic-daemon.pp<\/pre>\n
    That will load the new profile to selinux.<\/li>\n
  8. Re-enable selinux:\n
    setenforce 1<\/pre>\n<\/li>\n
  9. Re-start the service:\n
    service httpd restart (systemctl for 7)<\/pre>\n<\/li>\n
  10. You should check that everything is still working. And if it is, great! All done.<\/li>\n<\/ol>\n
    You can also save the .te file for later. You can do that by calling:<\/p>\n
    make -f \/usr\/share\/selinux\/strict\/include\/Makefile newrelic-daemon.pp\r\nsemodule -i newrelic-daemon.pp<\/pre>\n","protected":false},"excerpt":{"rendered":"
    Ah… selinux, always getting in the way of things… SELinux doesn’t necessarily have all the proper rules, so often you’d need to adjust it yourself. This is a tutorial of how to do that with NewRelic as an example (which I just had problem with after updating…). You can replace “newrelic” and “newrelic-daemon” to your […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"_vp_format_video_url":"","_vp_image_focal_point":[],"footnotes":""},"categories":[15],"tags":[],"class_list":["post-226","post","type-post","status-publish","format-standard","hentry","category-tutorial"],"_links":{"self":[{"href":"https:\/\/www.grumpyland.com\/blog\/wp-json\/wp\/v2\/posts\/226","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.grumpyland.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.grumpyland.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.grumpyland.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.grumpyland.com\/blog\/wp-json\/wp\/v2\/comments?post=226"}],"version-history":[{"count":3,"href":"https:\/\/www.grumpyland.com\/blog\/wp-json\/wp\/v2\/posts\/226\/revisions"}],"predecessor-version":[{"id":229,"href":"https:\/\/www.grumpyland.com\/blog\/wp-json\/wp\/v2\/posts\/226\/revisions\/229"}],"wp:attachment":[{"href":"https:\/\/www.grumpyland.com\/blog\/wp-json\/wp\/v2\/media?parent=226"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.grumpyland.com\/blog\/wp-json\/wp\/v2\/categories?post=226"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.grumpyland.com\/blog\/wp-json\/wp\/v2\/tags?post=226"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}