[CentOS] appdynamics php agent prevented by SELinux
Hey guys, I've got another C7 problem I was hoping to solve. I installed appdynamics-php-agent-4.0.5.0-1.x86_64 on a C7.1 host. It's failing to communicate with it's controller on another host. And this is the interesting part. Whether or not I have SELinux enabled, I have apache reporting SELinux problems. [root@web1:~] #getenforce Permissive May 10 20:47:56 web1 python[25735]: SELinux is preventing /usr/lib/appdynamics-php5/proxy/jre/bin/java from write access on the file /usr/lib/appdynamics-php5/logs/agent.log.lck. * Plugin catchall (100. confidence) suggests **... May 10 20:47:56 web1 python[25735]: SELinux is preventing /usr/lib/appdynamics-php5/proxy/jre/bin/java from write access on the file /usr/lib/appdynamics-php5/logs/agent.log.lck. * Plugin catchall (100. confidence) suggests **... May 10 20:47:57 web1 python[25735]: SELinux is preventing /usr/lib/appdynamics-php5/proxy/jre/bin/java from write access on the file /usr/lib/appdynamics-php5/logs/agent.log.lck. * Plugin catchall (100. confidence) suggests **... May 10 20:47:58 web1 python[25735]: SELinux is preventing /usr/lib/appdynamics-php5/proxy/jre/bin/java from write access on the file /usr/lib/appdynamics-php5/logs/agent.log.lck. * Plugin catchall (100. confidence) suggests **... May 10 20:48:00 web1 python[25735]: SELinux is preventing /usr/lib/appdynamics-php5/proxy/jre/bin/java from write access on the file /usr/lib/appdynamics-php5/logs/agent.log.lck. * Plugin catchall (100. confidence) suggests **... May 10 20:48:01 web1 python[25735]: SELinux is preventing /usr/lib/appdynamics-php5/proxy/jre/bin/java from write access on the file /usr/lib/appdynamics-php5/logs/agent.log.lck. * Plugin catchall (100. confidence) suggests **... May 10 20:49:16 web1 python[25952]: SELinux is preventing /usr/lib/appdynamics-php5/proxy/jre/bin/java from write access on the file /usr/lib/appdynamics-php5/logs/agent.log.lck. * Plugin catchall (100. confidence) suggests **... May 10 20:49:17 web1 python[25952]: SELinux is preventing /usr/lib/appdynamics-php5/proxy/jre/bin/java from write access on the file /usr/lib/appdynamics-php5/logs/agent.log.lck. * Plugin catchall (100. confidence) suggests **... May 10 20:53:14 web1 python[26609]: SELinux is preventing /usr/lib/appdynamics-php5/proxy/jre/bin/java from write access on the file /usr/lib/appdynamics-php5/logs/agent.log.lck. * Plugin catchall (100. confidence) suggests **... May 10 20:53:15 web1 python[26609]: SELinux is preventing /usr/lib/appdynamics-php5/proxy/jre/bin/java from write access on the file /usr/lib/appdynamics-php5/logs/agent.log.lck. * Plugin catchall (100. confidence) suggests **... So I enabled SELinux and started troubleshooting with audit2why. [root@web1:~] #setenforce 1 [root@web1:~] #getenforce Enforcing And I'm seeing messages like these: [root@web1:~] #grep appd /var/log/audit/audit.log | audit2why -w type=AVC msg=audit(1431305820.292:393420): avc: denied { write } for pid=27289 comm="java" path="/usr/lib/appdynamics-php5/logs/testfile1615417693000946121.tmp" dev="vda" ino=965852 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file Was caused by: Missing type enforcement (TE) allow rule. You can use audit2allow to generate a loadable module to allow this access. The part I am stuck on is using audit2allow to generate a loadable module that can allow this. Can anyone spare any pointers on how to do that? Thanks! Tim -- GPG me!! gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] appdynamics php agent prevented by SELinux
Original Message > Date: Sunday, May 10, 2015 09:02:11 PM -0400 > From: Tim Dunphy > > Hey guys, > > I've got another C7 problem I was hoping to solve. I > installed appdynamics-php-agent-4.0.5.0-1.x86_64 on a C7.1 host. > > It's failing to communicate with it's controller on another host. > And this is the interesting part. Whether or not I have SELinux > enabled, I have apache reporting SELinux problems. > > [root@web1:~] #getenforce > Permissive > > May 10 20:47:56 web1 python[25735]: SELinux is preventing > /usr/lib/appdynamics-php5/proxy/jre/bin/java from write access on > the file /usr/lib/appdynamics-php5/logs/agent.log.lck. > > * Plugin catchall (100. That's a rather odd (personally, I think bad) place for a log (or even logfile lock) and I'm not at all surprised that selinux is keeping your application from writing there. I would check to see if there is a setup/configuration option for your application to put the log files and related in a more standard location (/var/log, /var/run), where it is less likely to run into an issue. This isn't really a C7-specific issue/"problem". ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] appdynamics php agent prevented by SELinux
> > That's a rather odd (personally, I think bad) place for a log (or > even logfile lock) and I'm not at all surprised that selinux is > keeping your application from writing there. I would check to see if > there is a setup/configuration option for your application to put > the log files and related in a more standard location (/var/log, > /var/run), where it is less likely to run into an issue. Yeah I agree that it's an unusual place to store log files. However I'm not aware of any way to change that location since it's an RPM install. Maybe a source install is possible. I'll do some googling. > > This isn't really a C7-specific issue/"problem". Yeah that's right. I said that poorly. I had just been dealing with an issue with systemctl priror to that which was due to it being a C7 machine. But really only because I had been using systemctl. What I'm most curious about is how Apache is reporting SELinux problems whether or not SELinux is enabled. Like I said earlier, if I have SELinux set to off, you still see those kind of messages relating to SELinux when you do a status on httpd. Odd. One thing I did try was to do a restorecon -R -v /usr/lib/appdynamics-php5/. Since it might not be easy to change paths I was hoping to find a way to solve this using SELinux.. Does anyone else have any suggestions on how to solve this? Thanks, Tim On Sun, May 10, 2015 at 10:20 PM, Richard < lists-cen...@listmail.innovate.net> wrote: > > > Original Message > > Date: Sunday, May 10, 2015 09:02:11 PM -0400 > > From: Tim Dunphy > > > > Hey guys, > > > > I've got another C7 problem I was hoping to solve. I > > installed appdynamics-php-agent-4.0.5.0-1.x86_64 on a C7.1 host. > > > > It's failing to communicate with it's controller on another host. > > And this is the interesting part. Whether or not I have SELinux > > enabled, I have apache reporting SELinux problems. > > > > [root@web1:~] #getenforce > > Permissive > > > > May 10 20:47:56 web1 python[25735]: SELinux is preventing > > /usr/lib/appdynamics-php5/proxy/jre/bin/java from write access on > > the file /usr/lib/appdynamics-php5/logs/agent.log.lck. > > > > * Plugin catchall (100. > > That's a rather odd (personally, I think bad) place for a log (or > even logfile lock) and I'm not at all surprised that selinux is > keeping your application from writing there. I would check to see if > there is a setup/configuration option for your application to put > the log files and related in a more standard location (/var/log, > /var/run), where it is less likely to run into an issue. > > This isn't really a C7-specific issue/"problem". > > > ___ > CentOS mailing list > CentOS@centos.org > http://lists.centos.org/mailman/listinfo/centos > -- GPG me!! gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] appdynamics php agent prevented by SELinux
On Mon, May 11, 2015 9:47 am, Tim Dunphy wrote: >> >> That's a rather odd (personally, I think bad) place for a log (or >> even logfile lock) and I'm not at all surprised that selinux is >> keeping your application from writing there. I would check to see if >> there is a setup/configuration option for your application to put >> the log files and related in a more standard location (/var/log, >> /var/run), where it is less likely to run into an issue. > > > Yeah I agree that it's an unusual place to store log files. However I'm > not > aware of any way to change that location since it's an RPM install. If rpm is configured for _that_ location of log files, I would remove the repository this rpm comes from from configuration and will remember to never-never ever use that repository for anything. Just my $0.02 Valeri > Maybe > a > source install is possible. I'll do some googling. > > >> >> This isn't really a C7-specific issue/"problem". > > > Yeah that's right. I said that poorly. I had just been dealing with an > issue with systemctl priror to that which was due to it being a C7 > machine. > But really only because I had been using systemctl. > > What I'm most curious about is how Apache is reporting SELinux problems > whether or not SELinux is enabled. Like I said earlier, if I have SELinux > set to off, you still see those kind of messages relating to SELinux when > you do a status on httpd. > > Odd. One thing I did try was to do a restorecon -R -v > /usr/lib/appdynamics-php5/. > > Since it might not be easy to change paths I was hoping to find a way to > solve this using SELinux.. Does anyone else have any suggestions on how to > solve this? > > Thanks, > Tim > > On Sun, May 10, 2015 at 10:20 PM, Richard < > lists-cen...@listmail.innovate.net> wrote: > >> >> >> Original Message >> > Date: Sunday, May 10, 2015 09:02:11 PM -0400 >> > From: Tim Dunphy >> > >> > Hey guys, >> > >> > I've got another C7 problem I was hoping to solve. I >> > installed appdynamics-php-agent-4.0.5.0-1.x86_64 on a C7.1 host. >> > >> > It's failing to communicate with it's controller on another host. >> > And this is the interesting part. Whether or not I have SELinux >> > enabled, I have apache reporting SELinux problems. >> > >> > [root@web1:~] #getenforce >> > Permissive >> > >> > May 10 20:47:56 web1 python[25735]: SELinux is preventing >> > /usr/lib/appdynamics-php5/proxy/jre/bin/java from write access on >> > the file /usr/lib/appdynamics-php5/logs/agent.log.lck. >> > >> > * Plugin catchall (100. >> >> That's a rather odd (personally, I think bad) place for a log (or >> even logfile lock) and I'm not at all surprised that selinux is >> keeping your application from writing there. I would check to see if >> there is a setup/configuration option for your application to put >> the log files and related in a more standard location (/var/log, >> /var/run), where it is less likely to run into an issue. >> >> This isn't really a C7-specific issue/"problem". >> >> >> ___ >> CentOS mailing list >> CentOS@centos.org >> http://lists.centos.org/mailman/listinfo/centos >> > > > > -- > GPG me!! > > gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B > ___ > CentOS mailing list > CentOS@centos.org > http://lists.centos.org/mailman/listinfo/centos > Valeri Galtsev Sr System Administrator Department of Astronomy and Astrophysics Kavli Institute for Cosmological Physics University of Chicago Phone: 773-702-4247 ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] appdynamics php agent prevented by SELinux
> > If rpm is configured for _that_ location of log files, I would remove the > repository this rpm comes from from configuration and will remember to > never-never ever use that repository for anything. > > Just my $0.02 > Yeah I completely get where you're coming from there. However it's not an RPM from a repo. I downloaded the rpm from the appdynamics site itself. While it may be easy to say "well then just don't use appdynamics"! That's not a luxury I have. My company uses it and I need to get up to speed on how to work with it. So that's why I'm trying out this experiment. Thanks, Tim On Mon, May 11, 2015 at 11:22 AM, Valeri Galtsev wrote: > > On Mon, May 11, 2015 9:47 am, Tim Dunphy wrote: > >> > >> That's a rather odd (personally, I think bad) place for a log (or > >> even logfile lock) and I'm not at all surprised that selinux is > >> keeping your application from writing there. I would check to see if > >> there is a setup/configuration option for your application to put > >> the log files and related in a more standard location (/var/log, > >> /var/run), where it is less likely to run into an issue. > > > > > > Yeah I agree that it's an unusual place to store log files. However I'm > > not > > aware of any way to change that location since it's an RPM install. > > If rpm is configured for _that_ location of log files, I would remove the > repository this rpm comes from from configuration and will remember to > never-never ever use that repository for anything. > > Just my $0.02 > > Valeri > > > Maybe > > a > > source install is possible. I'll do some googling. > > > > > >> > >> This isn't really a C7-specific issue/"problem". > > > > > > Yeah that's right. I said that poorly. I had just been dealing with an > > issue with systemctl priror to that which was due to it being a C7 > > machine. > > But really only because I had been using systemctl. > > > > What I'm most curious about is how Apache is reporting SELinux problems > > whether or not SELinux is enabled. Like I said earlier, if I have SELinux > > set to off, you still see those kind of messages relating to SELinux when > > you do a status on httpd. > > > > Odd. One thing I did try was to do a restorecon -R -v > > /usr/lib/appdynamics-php5/. > > > > Since it might not be easy to change paths I was hoping to find a way to > > solve this using SELinux.. Does anyone else have any suggestions on how > to > > solve this? > > > > Thanks, > > Tim > > > > On Sun, May 10, 2015 at 10:20 PM, Richard < > > lists-cen...@listmail.innovate.net> wrote: > > > >> > >> > >> Original Message > >> > Date: Sunday, May 10, 2015 09:02:11 PM -0400 > >> > From: Tim Dunphy > >> > > >> > Hey guys, > >> > > >> > I've got another C7 problem I was hoping to solve. I > >> > installed appdynamics-php-agent-4.0.5.0-1.x86_64 on a C7.1 host. > >> > > >> > It's failing to communicate with it's controller on another host. > >> > And this is the interesting part. Whether or not I have SELinux > >> > enabled, I have apache reporting SELinux problems. > >> > > >> > [root@web1:~] #getenforce > >> > Permissive > >> > > >> > May 10 20:47:56 web1 python[25735]: SELinux is preventing > >> > /usr/lib/appdynamics-php5/proxy/jre/bin/java from write access on > >> > the file /usr/lib/appdynamics-php5/logs/agent.log.lck. > >> > > >> > * Plugin catchall (100. > >> > >> That's a rather odd (personally, I think bad) place for a log (or > >> even logfile lock) and I'm not at all surprised that selinux is > >> keeping your application from writing there. I would check to see if > >> there is a setup/configuration option for your application to put > >> the log files and related in a more standard location (/var/log, > >> /var/run), where it is less likely to run into an issue. > >> > >> This isn't really a C7-specific issue/"problem". > >> > >> > >> ___ > >> CentOS mailing list > >> CentOS@centos.org > >> http://lists.centos.org/mailman/listinfo/centos > >> > > > > > > > > -- > > GPG me!! > > > > gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B > > ___ > > CentOS mailing list > > CentOS@centos.org > > http://lists.centos.org/mailman/listinfo/centos > > > > > > Valeri Galtsev > Sr System Administrator > Department of Astronomy and Astrophysics > Kavli Institute for Cosmological Physics > University of Chicago > Phone: 773-702-4247 > > ___ > CentOS mailing list > CentOS@centos.org > http://lists.centos.org/mailman/listinfo/centos > -- GPG me!! gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] appdynamics php agent prevented by SELinux
Am 11.05.2015 um 16:47 schrieb Tim Dunphy : >> That's a rather odd (personally, I think bad) place for a log (or >> even logfile lock) and I'm not at all surprised that selinux is >> keeping your application from writing there. I would check to see if >> there is a setup/configuration option for your application to put >> the log files and related in a more standard location (/var/log, >> /var/run), where it is less likely to run into an issue. > > > Yeah I agree that it's an unusual place to store log files. However I'm not > aware of any way to change that location since it's an RPM install. Maybe a > source install is possible. I'll do some googling. > > >> >> This isn't really a C7-specific issue/"problem". > > > Yeah that's right. I said that poorly. I had just been dealing with an > issue with systemctl priror to that which was due to it being a C7 machine. > But really only because I had been using systemctl. > > What I'm most curious about is how Apache is reporting SELinux problems > whether or not SELinux is enabled. Like I said earlier, if I have SELinux > set to off, you still see those kind of messages relating to SELinux when > you do a status on httpd. > > Odd. One thing I did try was to do a restorecon -R -v > /usr/lib/appdynamics-php5/. > > Since it might not be easy to change paths I was hoping to find a way to > solve this using SELinux.. Does anyone else have any suggestions on how to > solve this? what was mentioned was the run time configuration. Despite the install location some application allow to specify alternative argument, e.g. /usr/bin/mycomapp --logfile /var/log/mycomapp/mycomapp.log or via configuration file # grep LOGFILE /etc/mycomapp/mycomapp.conf LOGFILE=/var/log/mycomapp/mycomapp.log -- LF ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] appdynamics php agent prevented by SELinux
On Mon, May 11, 2015 10:38 am, Tim Dunphy wrote: >> >> If rpm is configured for _that_ location of log files, I would remove >> the >> repository this rpm comes from from configuration and will remember to >> never-never ever use that repository for anything. >> >> Just my $0.02 >> > > Yeah I completely get where you're coming from there. However it's not an > RPM from a repo. I downloaded the rpm from the appdynamics site itself. > While it may be easy to say "well then just don't use appdynamics"! > That's > not a luxury I have. My company uses it and I need to get up to speed on > how to work with it. So that's why I'm trying out this experiment. OK, then this is what I would do: create some benign place for that, say, /opt/appdynamics Then install rpm with "--root /opt/appdynamics" option. This will force rpm prepend all paths with "/opt/appdynamics". Instead of, say, putting something into /usr/lib, it will put this stuff into /opt/appdynamics/usr/lib (and will create missing paths there when necessary). So: rpm -ivh --root /opt/appdynamics/ [your appdynamics rpm name].rpm After that done, you may need to describe the paths to binaries, libraries there, say, by adding for libraries: echo "/opt/appdynamics" >> /etc/ld.so.conf /sbin/ldconfig -v and adding extra paths to, say, /etc/profile... I hope, this helps. Valeri > > Thanks, > Tim > > On Mon, May 11, 2015 at 11:22 AM, Valeri Galtsev > > wrote: > >> >> On Mon, May 11, 2015 9:47 am, Tim Dunphy wrote: >> >> >> >> That's a rather odd (personally, I think bad) place for a log (or >> >> even logfile lock) and I'm not at all surprised that selinux is >> >> keeping your application from writing there. I would check to see if >> >> there is a setup/configuration option for your application to put >> >> the log files and related in a more standard location (/var/log, >> >> /var/run), where it is less likely to run into an issue. >> > >> > >> > Yeah I agree that it's an unusual place to store log files. However >> I'm >> > not >> > aware of any way to change that location since it's an RPM install. >> >> If rpm is configured for _that_ location of log files, I would remove >> the >> repository this rpm comes from from configuration and will remember to >> never-never ever use that repository for anything. >> >> Just my $0.02 >> >> Valeri >> >> > Maybe >> > a >> > source install is possible. I'll do some googling. >> > >> > >> >> >> >> This isn't really a C7-specific issue/"problem". >> > >> > >> > Yeah that's right. I said that poorly. I had just been dealing with an >> > issue with systemctl priror to that which was due to it being a C7 >> > machine. >> > But really only because I had been using systemctl. >> > >> > What I'm most curious about is how Apache is reporting SELinux >> problems >> > whether or not SELinux is enabled. Like I said earlier, if I have >> SELinux >> > set to off, you still see those kind of messages relating to SELinux >> when >> > you do a status on httpd. >> > >> > Odd. One thing I did try was to do a restorecon -R -v >> > /usr/lib/appdynamics-php5/. >> > >> > Since it might not be easy to change paths I was hoping to find a way >> to >> > solve this using SELinux.. Does anyone else have any suggestions on >> how >> to >> > solve this? >> > >> > Thanks, >> > Tim >> > >> > On Sun, May 10, 2015 at 10:20 PM, Richard < >> > lists-cen...@listmail.innovate.net> wrote: >> > >> >> >> >> >> >> Original Message >> >> > Date: Sunday, May 10, 2015 09:02:11 PM -0400 >> >> > From: Tim Dunphy >> >> > >> >> > Hey guys, >> >> > >> >> > I've got another C7 problem I was hoping to solve. I >> >> > installed appdynamics-php-agent-4.0.5.0-1.x86_64 on a C7.1 host. >> >> > >> >> > It's failing to communicate with it's controller on another host. >> >> > And this is the interesting part. Whether or not I have SELinux >> >> > enabled, I have apache reporting SELinux problems. >> >> > >> >> > [root@web1:~] #getenforce >> >> > Permissive >> >> > >> >> > May 10 20:47:56 web1 python[25735]: SELinux is preventing >> >> > /usr/lib/appdynamics-php5/proxy/jre/bin/java from write access on >> >> > the file /usr/lib/appdynamics-php5/logs/agent.log.lck. >> >> > >> >> > * Plugin catchall (100. >> >> >> >> That's a rather odd (personally, I think bad) place for a log (or >> >> even logfile lock) and I'm not at all surprised that selinux is >> >> keeping your application from writing there. I would check to see if >> >> there is a setup/configuration option for your application to put >> >> the log files and related in a more standard location (/var/log, >> >> /var/run), where it is less likely to run into an issue. >> >> >> >> This isn't really a C7-specific issue/"problem". >> >> >> >> >> >> ___ >> >> CentOS mailing list >> >> CentOS@centos.org >> >> http://lists.centos.org/mailman/listinfo/centos >> >> >> > >> > >> > >> > -- >> > GPG me!! >> > >
Re: [CentOS] appdynamics php agent prevented by SELinux
Tim Dunphy wrote: >> >> If rpm is configured for _that_ location of log files, I would remove >> the >> repository this rpm comes from from configuration and will remember to >> never-never ever use that repository for anything. >> >> Just my $0.02 > > Yeah I completely get where you're coming from there. However it's not an > RPM from a repo. I downloaded the rpm from the appdynamics site itself. > While it may be easy to say "well then just don't use appdynamics"! > That's not a luxury I have. My company uses it and I need to get up to speed on > how to work with it. So that's why I'm trying out this experiment. No, that's called "bug report", or "enhancement request". mark "and is done by amateurs, or 'subject matter experts', who think they know how to do the computer side" ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] appdynamics php agent prevented by SELinux
Well, I was having a heck of a time with the rpm install in terms of customizing the install directory. So I thought the easy way out might be to go for a source install. Which I tried and this was the output from the install: [root@web1:/opt/AppDynamics/appdynamics-php-agent] #./install.sh appd.jokefire.com 443 beta.jokefire.com "Web Front End" web1.jokefire.com Install script for AppDynamics PHP Agent 4.0.5.0GA.8351.c72adcc398473f98f9cb976a652747d94c617ec9 Found PHP installation in /bin Detected PHP Version: PHP 5.4.40 (cli) (built: Apr 15 2015 15:44:44) Copyright (c) 1997-2014 The PHP Group Zend Engine v2.4.0, Copyright (c) 1998-2014 Zend Technologies PHP version id:5.4 PHP extensions directory: /usr/lib64/php/modules PHP ini directory: /etc/php.d Controller Host: appd.mydomain.com Controller Port: 443 Application Name: beta.mydomain.com Tier Name: Web Front End Node Name: web1.mydomain.com Account Name: Access Key: SSL Enabled: false HTTP Proxy Host: HTTP Proxy Port: HTTP Proxy User: HTTP Proxy Password File: Writing '/opt/AppDynamics/appdynamics-php-agent/php/conf/appdynamics_agent_log4cxx.xml' Writing '/etc/php.d/appdynamics_agent.ini' Writing '/opt/AppDynamics/appdynamics-php-agent/proxy/conf/controller-info.xml' rm -f "/usr/lib64/php/modules/appdynamics_agent.so" ln -s "/opt/AppDynamics/appdynamics-php-agent/php/modules/ appdynamics_agent_php_5.4.so" "/usr/lib64/php/modules/appdynamics_agent.so" Writing '/opt/AppDynamics/appdynamics-php-agent/proxy/runProxy' That seemed a little more like it! At least it's out of the way and in a directory that's a little easier to control - /opt. And also I was able to specify some important information like what appd controller I was using etc that I wasn't using a source install. However, I found that really strange SELinux just followed me to the new location. Sigh... [root@web1:~] #systemctl status httpd httpd.service - The Apache HTTP Server Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled) Active: active (running) since Mon 2015-05-11 22:31:36 EDT; 26s ago Process: 14829 ExecStop=/bin/kill -WINCH ${MAINPID} (code=exited, status=0/SUCCESS) Process: 25728 ExecReload=/usr/sbin/httpd $OPTIONS -k graceful (code=exited, status=0/SUCCESS) Main PID: 14840 (httpd) Status: "Total requests: 19; Current requests/sec: 1.2; Current traffic: 614 B/sec" CGroup: /system.slice/httpd.service ├─14840 /usr/sbin/httpd -DFOREGROUND ├─14844 /usr/sbin/httpd -DFOREGROUND ├─14845 /usr/sbin/httpd -DFOREGROUND ├─14846 /usr/sbin/httpd -DFOREGROUND ├─14848 /usr/sbin/httpd -DFOREGROUND ├─14849 /usr/sbin/httpd -DFOREGROUND ├─14850 /opt/AppDynamics/appdynamics-php-agent/proxy/jre/bin/java -server -Xmx300m -Xms50m -classpath /opt/AppDynamics/appdynamics-php-agent/proxy/conf/logging:/opt/AppDynamics/appdynamics-p... ├─14905 /usr/sbin/httpd -DFOREGROUND ├─32210 /usr/bin/newrelic-daemon -A -s -p /var/run/newrelic-daemon.pid -l /var/log/newrelic/newrelic-daemon.log -d verbosedebug └─32211 /usr/bin/newrelic-daemon -A -s -p /var/run/newrelic-daemon.pid -l /var/log/newrelic/newrelic-daemon.log -d verbosedebug May 11 22:31:38 web1 python[14832]: SELinux is preventing /opt/AppDynamics/appdynamics-php-agent/proxy/jre/bin/java from unlink access on the file testfile7644450607057334348.tmp. * Plugin catchall_labels (83.8 confidence) suggests ***... May 11 22:31:38 web1 python[14832]: SELinux is preventing /usr/lib/appdynamics-php5/proxy/jre/bin/java from block_suspend access on the capability2 Unknown. * Plugin catchall (100. confidence) suggests **... May 11 22:31:39 web1 python[14832]: SELinux is preventing /usr/lib/appdynamics-php5/proxy/jre/bin/java from write access on the directory lib. * Plugin catchall (100. confidence) suggests **... May 11 22:31:39 web1 python[14832]: SELinux is preventing /usr/lib/appdynamics-php5/proxy/jre/bin/java from write access on the file libjzmq.so.0. * Plugin catchall (100. confidence) suggests **... May 11 22:31:39 web1 python[14832]: SELinux is preventing /usr/lib/appdynamics-php5/proxy/jre/bin/java from setattr access on the file libjzmq.so.0. * Plugin catchall (100. confidence) suggests **... May 11 22:31:40 web1 python[14832]: SELinux is preventing /usr/lib/appdynamics-php5/proxy/jre/bin/java from setattr access on the directory tp. * Plugin catchall (100. confidence) suggests **... May 11 22:31:40 web1 python[14832]: SELinux
Re: [CentOS] appdynamics php agent prevented by SELinux
> On 12 May 2015, at 03:39, Tim Dunphy wrote: >* Plugin catchall_labels (83.8 > confidence) suggests ***... > May 11 22:31:38 web1 python[14832]: SELinux is preventing > /usr/lib/appdynamics-php5/proxy/jre/bin/java from block_suspend access on > the capability2 Unknown. > Why is that odd? Well mainly because I have SELinux off at the moment. > > [root@web1:~] #getenforce 0 > Permissive This means SELinux is ON in a kind of testing mode. It is only reporting what would be blocked and not "enforcing" anything. So the messages are basically informing you that you WILL have problems IF you enable enforcing mode. Checking AppDynamic PHP agent it does not support SELinux (which is insanely poor for the license cost!) so best you can do is ignore the messages. It may be better to contact their support channels for help too rather then here if you need any more. Disabling SELinux completely should stop the messages appearing completely, though I advise against anything but enforcing mode. Jason ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] appdynamics php agent prevented by SELinux
Hi Jason, > This means SELinux is ON in a kind of testing mode. It is only reporting > what would be blocked and not "enforcing" anything. So the messages are > basically informing you that you WILL have problems IF you enable enforcing > mode. > Checking AppDynamic PHP agent it does not support SELinux (which is > insanely poor for the license cost!) so best you can do is ignore the > messages. It may be better to contact their support channels for help too > rather then here if you need any more. > Disabling SELinux completely should stop the messages appearing > completely, though I advise against anything but enforcing mode OK thanks. That makes complete sense. I do plan on enabling SELinux enforcing mode soon! And I find it more than a little surprising that the appdynamics php agent won't support SELinux. I'll have to bring this up to them, we have a pretty big account with them. Thanks! Tim On Tue, May 12, 2015 at 1:47 AM, Jason Woods wrote: > > > On 12 May 2015, at 03:39, Tim Dunphy wrote: > >* Plugin catchall_labels (83.8 > > confidence) suggests ***... > > May 11 22:31:38 web1 python[14832]: SELinux is preventing > > /usr/lib/appdynamics-php5/proxy/jre/bin/java from block_suspend access on > > the capability2 Unknown. > > > Why is that odd? Well mainly because I have SELinux off at the moment. > > > > [root@web1:~] #getenforce 0 > > Permissive > > This means SELinux is ON in a kind of testing mode. It is only reporting > what would be blocked and not "enforcing" anything. So the messages are > basically informing you that you WILL have problems IF you enable enforcing > mode. > > Checking AppDynamic PHP agent it does not support SELinux (which is > insanely poor for the license cost!) so best you can do is ignore the > messages. It may be better to contact their support channels for help too > rather then here if you need any more. > > Disabling SELinux completely should stop the messages appearing > completely, though I advise against anything but enforcing mode. > > Jason > ___ > CentOS mailing list > CentOS@centos.org > http://lists.centos.org/mailman/listinfo/centos > -- GPG me!! gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos