SELinux tweaks for php-fpm and New Relic on CentOS 7


A few minor things need adjusting after the New Relic installation for it to work nicely with SELinux.

pidfile location

The default location for newrelic.daemon.pidfile is /var/run/newrelic-daemon.pid. /var/run is typed var_run_t, to which httpd_t has no write access. The denial shows up in /var/log/audit/audit.log as

type=AVC msg=audit(1): avc:  denied  { write } for  pid=1783 comm="newrelic-daemon" name="newrelic-daemon.pid" dev="tmpfs" ino=420511703 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file

The directory for php-fpm sockets, already labelled httpd_var_run_t, provides a friendlier home for the pidfile.

$ semanage fcontext -l | grep php-fpm

/var/run/php-fpm(/.*)?                             all files          system_u:object_r:httpd_var_run_t:s0 

So change the pidfile path in newrelic.ini:

newrelic.daemon.pidfile = "/var/run/php-fpm/newrelic-daemon.pid"

log directory context

php-fpm cannot open the New Relic daemon log file, as shown in the systemd journal:

Aug 29 13:37:00 herpderp.mobile php-fpm[1217]: open /var/log/newrelic/newrelic-daemon.log: permission denied

The installation creates the directory for the New Relic logs in /var/log/newrelic, and it defaults to var_log_t, which httpd_t cannot write. Add a file context rule for the log directory and restore the contexts.

semanage fcontext -a -t httpd_log_t "/var/log/newrelic(/.*)?"
restorecon -R /var/log/newrelic

httpd_execmem

New Relic also needs execmem for the php-fpm process, as shown in /var/log/audit/audit.log:

type=AVC msg=audit(2): avc:  denied  { execmem } for  pid=1217 comm="php-fpm" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process

Allow httpd_t to execmem via the SELinux boolean (the -P flag makes it persist across reboots):

setsebool -P httpd_execmem 1

Restart php-fpm and it should be good to go.
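As an added example that is not part of the original post, here is a small POSIX shell script that pulls the fields out of AVC lines like the two above and prints the fix this post applies to each of them. The two pidfile/execmem samples are copied from the post; the third (log file) sample, the audit(...) timestamps and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post: map the AVC denials the post
# describes to the remediation it applies. Against a real box:
#   grep AVC /var/log/audit/audit.log | while read -r l; do avc_advice "$l"; done
# Sample lines: the first two are from the post (timestamps are placeholders),
# the third is constructed to show the var_log_t case.

AVC_PIDFILE='type=AVC msg=audit(1): avc:  denied  { write } for  pid=1783 comm="newrelic-daemon" name="newrelic-daemon.pid" dev="tmpfs" ino=420511703 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file'
AVC_EXECMEM='type=AVC msg=audit(2): avc:  denied  { execmem } for  pid=1217 comm="php-fpm" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process'
AVC_LOG='type=AVC msg=audit(3): avc:  denied  { open } for  pid=1217 comm="php-fpm" path="/var/log/newrelic/newrelic-daemon.log" dev="dm-0" ino=1 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file'

# avc_field LINE KEY: value of KEY=value with quotes stripped; empty if absent.
avc_field() {
    printf '%s\n' "$1" | sed -n 's/.*[[:space:]]'"$2"'="\{0,1\}\([^" ]*\)"\{0,1\}.*/\1/p'
}

# avc_perm LINE: the denied permission between the braces.
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*{ \([a-z_]*\) }.*/\1/p'
}

# ctx_type CONTEXT: the type part of user:role:type:level.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_advice LINE: one-line remediation for the denial kinds covered in the post.
avc_advice() {
    perm=$(avc_perm "$1")
    stype=$(ctx_type "$(avc_field "$1" scontext)")
    ttype=$(ctx_type "$(avc_field "$1" tcontext)")
    tclass=$(avc_field "$1" tclass)
    name=$(avc_field "$1" name)
    path=$(avc_field "$1" path)

    if [ "$stype" != httpd_t ]; then
        echo "not an httpd_t denial ($stype): review separately"
    elif [ "$tclass" = process ] && [ "$perm" = execmem ]; then
        # php-fpm with the New Relic agent needs executable memory.
        echo "setsebool -P httpd_execmem 1"
    elif [ "$tclass" = file ] && [ "$ttype" = var_run_t ]; then
        # httpd_t cannot write var_run_t; /var/run/php-fpm is httpd_var_run_t.
        echo "move $name under /var/run/php-fpm (httpd_var_run_t)"
    elif [ "$tclass" = file ] && [ "$ttype" = var_log_t ] && [ -n "$path" ]; then
        # Relabel the whole log directory, as the post does for /var/log/newrelic.
        dir=$(dirname "$path")
        echo "semanage fcontext -a -t httpd_log_t '$dir(/.*)?' && restorecon -R $dir"
    else
        echo "no rule in this script: check the line with audit2why"
    fi
}
```

Each recommendation is printed rather than executed, so the output can be reviewed before any context or boolean is changed.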

