Ah… selinux, always getting in the way of things…
SELinux doesn’t necessarily ship all the rules your software needs, so you will sometimes have to add them yourself. This is a tutorial on how to do that, using NewRelic as the example (which I just had a problem with after updating…). Replace “newrelic” and “newrelic-daemon” with whatever fits your case.
All of this is done as root.
- Get policycoreutils. This is the only package you’ll need to install: audit2allow lives in it, and on 6 and 7 it has been split out into a sub-package.
For CentOS / RHEL 5:
yum -y install policycoreutils
For version 6 and 7:
yum -y install policycoreutils-python
- Set SELinux to permissive for a moment. In enforcing mode the service stops at the first denial, so you would only ever see one rule at a time; in permissive mode every access it needs gets logged in one pass. Nothing is blocked while permissive, so keep this window short:
setenforce 0
- Restart the service that’s getting blocked, so that it runs through everything it needs, for example:
service httpd restart
(on CentOS / RHEL 7: systemctl restart httpd)
- Then we can use audit2allow to generate the set of rules it requires. SELinux logs every denial as an AVC record in /var/log/audit/audit.log; we pull the relevant records out of that log and turn them into allow rules:
grep newrelic /var/log/audit/audit.log | audit2allow -m newrelic-daemon > newrelic-daemon.te
Be aware that a bare grep also matches denials from long before the restart, and records from other processes that merely touched a file with “newrelic” in its name. If you have ausearch, something like ausearch -m AVC -c newrelic-daemon -ts recent is a tighter filter. If a denial you expect never shows up, it is probably hidden by a dontaudit rule: semodule -DB disables those temporarily, semodule -B puts them back.
- The above creates a newrelic-daemon.te file for you to review. The -m option only writes the Type Enforcement source to standard output, which is why it is redirected into a file. Check that it’s what you want: audit2allow allows exactly what was denied, so a bug or misconfiguration in the service becomes a permanent policy exception, and anything granting self:capability, executable memory, or access to shadow_t or unconfined types deserves a second look. It is also worth piping the same grep output into audit2why; if it reports that an existing boolean covers the denial, flip that with setsebool -P instead of loading a custom module. Next, we’re going to use the -M option to create a module package that can be loaded.
grep newrelic /var/log/audit/audit.log | audit2allow -M newrelic-daemon
This writes both newrelic-daemon.te and newrelic-daemon.pp into the current directory.
- It prints what to do next. Do it:
semodule -i newrelic-daemon.pp
That installs the module into the running SELinux policy. It persists across reboots, and can be removed again with semodule -r newrelic-daemon.
- Re-enable selinux:
setenforce 1
- Restart the service:
service httpd restart
(on CentOS / RHEL 7: systemctl restart httpd)
- Check that everything is still working, and that no new denials show up in the audit log now that you are enforcing again. If it all works, great! All done.
You can also keep the .te source (in version control, for instance), edit it by hand, and rebuild the package from it later without collecting denials again. The Makefile location depends on the release: the path below is the older location, on CentOS / RHEL 6 and 7 it is /usr/share/selinux/devel/Makefile from the selinux-policy-devel package.
make -f /usr/share/selinux/strict/include/Makefile newrelic-daemon.pp
semodule -i newrelic-daemon.pp
Without the Makefile, checkmodule (from the checkpolicy package) and semodule_package do the same job:
checkmodule -M -m -o newrelic-daemon.mod newrelic-daemon.te
semodule_package -o newrelic-daemon.pp -m newrelic-daemon.mod
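The two review points the procedure above leaves to you, pulling out only the denials that belong to the process and inspecting the generated .te before semodule -i, as an added shell example. This is not part of the original post and not NewRelic’s or the SELinux project’s code; the helper names avc_for_comm, avc_summary and review_te are my own, the audit records and .te contents are constructed for the demo, and initrc_t is only assumed as the daemon’s domain here. The pattern list in review_te is a starting point, not a complete definition of what is risky.

```shell
#!/bin/sh
# Added example, not from the original post. Helpers for the two review
# points in the audit2allow workflow: selecting only the denials that belong
# to the process, and inspecting the generated .te before semodule -i.
# All audit records and .te contents below are constructed for the demo.

# Print the AVC denial records whose comm= field is exactly $1, from log $2.
# A bare `grep newrelic` would also match SYSCALL/PATH records and denials
# from other processes that merely touched a file named newrelic*.
avc_for_comm() {
    grep -E "^type=AVC .*comm=\"$1\"" "$2"
}

# Summarise those denials as "<class> { <perms> }" with a count, so the
# reviewer sees what the module is about to grant before reading every line.
avc_summary() {
    avc_for_comm "$1" "$2" \
        | sed -E 's/.*denied  [{] ([^}]*)[}] .*tclass=([a-z_]+).*/\2 { \1}/' \
        | sort | uniq -c | sort -rn
}

# Return 1 (and print the offending lines) if a .te grants something a
# reviewer should question: process capabilities, executable memory, or
# access involving the shadow file or unconfined domains. Comment lines
# are ignored. The pattern list is a starting point, not a complete one.
review_te() {
    risky=$(grep -vE '^[[:space:]]*#' "$1" \
        | grep -E 'self:capability|sys_admin|dac_override|sys_ptrace|execmem|execstack|shadow_t|unconfined_t' \
        || true)
    if [ -n "$risky" ]; then
        printf '%s\n' "$risky" | sed 's/^/REVIEW: /' >&2
        return 1
    fi
    return 0
}

# ---- demo on constructed data -------------------------------------------
LOG=$(mktemp /tmp/audit.XXXXXX)
TE_OK=$(mktemp /tmp/te_ok.XXXXXX)
TE_BAD=$(mktemp /tmp/te_bad.XXXXXX)
trap 'rm -f "$LOG" "$TE_OK" "$TE_BAD"' EXIT

# Constructed audit.log excerpt: a SYSCALL record, two denials from the
# daemon itself, one from httpd, and an old unrelated one mentioning newrelic.
cat >"$LOG" <<'EOF'
type=SYSCALL msg=audit(1500000000.100:101): arch=c000003e syscall=1 success=yes exit=8 comm="newrelic-daemon" exe="/usr/bin/newrelic-daemon"
type=AVC msg=audit(1500000000.200:102): avc:  denied  { write } for  pid=2102 comm="newrelic-daemon" name="newrelic-daemon.log" dev="dm-0" ino=4711 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(1500000000.300:103): avc:  denied  { write } for  pid=2102 comm="newrelic-daemon" name="newrelic-daemon.log" dev="dm-0" ino=4711 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
type=AVC msg=audit(1500000000.400:104): avc:  denied  { connectto } for  pid=2110 comm="httpd" path="/tmp/.newrelic.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket permissive=1
type=AVC msg=audit(1499990000.500:105): avc:  denied  { read } for  pid=1500 comm="backup" name="newrelic.ini" dev="dm-0" ino=4720 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
EOF

# Constructed .te of the shape audit2allow -m produces for the two write denials.
cat >"$TE_OK" <<'EOF'
module newrelic-daemon 1.0;

require {
        type initrc_t;
        type var_log_t;
        class file write;
}

#============= initrc_t ==============
allow initrc_t var_log_t:file write;
EOF

# The same module after a capability denial slipped into the grep: the kind
# of line that should stop the semodule -i step until someone explains it.
cat >"$TE_BAD" <<'EOF'
module newrelic-daemon 1.0;

require {
        type initrc_t;
        type var_log_t;
        class file write;
        class capability { dac_override sys_admin };
}

#============= initrc_t ==============
allow initrc_t var_log_t:file write;
allow initrc_t self:capability { dac_override sys_admin };
EOF

echo "== AVC denials for newrelic-daemon =="
avc_summary newrelic-daemon "$LOG"
for f in "$TE_OK" "$TE_BAD"; do
    if review_te "$f"; then
        echo "$f: nothing flagged, OK to build with audit2allow -M"
    else
        echo "$f: needs review before semodule -i"
    fi
done
```

On a real host, feed avc_for_comm the live /var/log/audit/audit.log (or use ausearch as mentioned above) and run review_te on the newrelic-daemon.te that audit2allow wrote; only the summary and the flagged lines are printed, so it drops into a shell script or a CI check for policy modules without further changes.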