Hey guys,

I've got another C7 problem I was hoping to solve. I installed appdynamics-php-agent-4.0.5.0-1.x86_64 on a C7.1 host.

It's failing to communicate with its controller on another host. And this is the interesting part. Whether or not I have SELinux enabled, I have apache reporting SELinux problems.

[root@web1:~] #getenforce
Permissive

May 10 20:47:56 web1 python[25735]: SELinux is preventing /usr/lib/appdynamics-php5/proxy/jre/bin/java from write access on the file /usr/lib/appdynamics-php5/logs/agent.log.lck.
***** Plugin catchall (100. confidence) suggests **************************...
May 10 20:47:56 web1 python[25735]: SELinux is preventing /usr/lib/appdynamics-php5/proxy/jre/bin/java from write access on the file /usr/lib/appdynamics-php5/logs/agent.log.lck.
***** Plugin catchall (100. confidence) suggests **************************...
May 10 20:47:57 web1 python[25735]: SELinux is preventing /usr/lib/appdynamics-php5/proxy/jre/bin/java from write access on the file /usr/lib/appdynamics-php5/logs/agent.log.lck.
***** Plugin catchall (100. confidence) suggests **************************...
May 10 20:47:58 web1 python[25735]: SELinux is preventing /usr/lib/appdynamics-php5/proxy/jre/bin/java from write access on the file /usr/lib/appdynamics-php5/logs/agent.log.lck.
***** Plugin catchall (100. confidence) suggests **************************...
May 10 20:48:00 web1 python[25735]: SELinux is preventing /usr/lib/appdynamics-php5/proxy/jre/bin/java from write access on the file /usr/lib/appdynamics-php5/logs/agent.log.lck.
***** Plugin catchall (100. confidence) suggests **************************...
May 10 20:48:01 web1 python[25735]: SELinux is preventing /usr/lib/appdynamics-php5/proxy/jre/bin/java from write access on the file /usr/lib/appdynamics-php5/logs/agent.log.lck.
***** Plugin catchall (100. confidence) suggests **************************...
May 10 20:49:16 web1 python[25952]: SELinux is preventing /usr/lib/appdynamics-php5/proxy/jre/bin/java from write access on the file /usr/lib/appdynamics-php5/logs/agent.log.lck.
***** Plugin catchall (100. confidence) suggests **************************...
May 10 20:49:17 web1 python[25952]: SELinux is preventing /usr/lib/appdynamics-php5/proxy/jre/bin/java from write access on the file /usr/lib/appdynamics-php5/logs/agent.log.lck.
***** Plugin catchall (100. confidence) suggests **************************...
May 10 20:53:14 web1 python[26609]: SELinux is preventing /usr/lib/appdynamics-php5/proxy/jre/bin/java from write access on the file /usr/lib/appdynamics-php5/logs/agent.log.lck.
***** Plugin catchall (100. confidence) suggests **************************...
May 10 20:53:15 web1 python[26609]: SELinux is preventing /usr/lib/appdynamics-php5/proxy/jre/bin/java from write access on the file /usr/lib/appdynamics-php5/logs/agent.log.lck.
***** Plugin catchall (100. confidence) suggests **************************...

So I enabled SELinux and started troubleshooting with audit2why.

[root@web1:~] #setenforce 1
[root@web1:~] #getenforce
Enforcing

And I'm seeing messages like these:

[root@web1:~] #grep appd /var/log/audit/audit.log | audit2why -w
type=AVC msg=audit(1431305820.292:393420): avc: denied { write } for pid=27289 comm="java" path="/usr/lib/appdynamics-php5/logs/testfile1615417693000946121.tmp" dev="vda" ino=965852 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file

        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

The part I am stuck on is using audit2allow to generate a loadable module that can allow this. Can anyone spare any pointers on how to do that?

Thanks!
Tim

--
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B

------------ Original Message ------------
> Date: Sunday, May 10, 2015 09:02:11 PM -0400
> From: Tim Dunphy <bluethundr at gmail.com>
>
> Hey guys,
>
> I've got another C7 problem I was hoping to solve. I
> installed appdynamics-php-agent-4.0.5.0-1.x86_64 on a C7.1 host.
>
> It's failing to communicate with its controller on another host.
> And this is the interesting part. Whether or not I have SELinux
> enabled, I have apache reporting SELinux problems.
>
> [root@web1:~] #getenforce
> Permissive
>
> May 10 20:47:56 web1 python[25735]: SELinux is preventing
> /usr/lib/appdynamics-php5/proxy/jre/bin/java from write access on
> the file /usr/lib/appdynamics-php5/logs/agent.log.lck.
>
> ***** Plugin catchall (100.

That's a rather odd (personally, I think bad) place for a log (or even logfile lock) and I'm not at all surprised that selinux is keeping your application from writing there. I would check to see if there is a setup/configuration option for your application to put the log files and related in a more standard location (/var/log, /var/run), where it is less likely to run into an issue.

This isn't really a C7-specific issue/"problem".

>
> That's a rather odd (personally, I think bad) place for a log (or
> even logfile lock) and I'm not at all surprised that selinux is
> keeping your application from writing there. I would check to see if
> there is a setup/configuration option for your application to put
> the log files and related in a more standard location (/var/log,
> /var/run), where it is less likely to run into an issue.

Yeah I agree that it's an unusual place to store log files. However I'm not aware of any way to change that location since it's an RPM install. Maybe a source install is possible. I'll do some googling.

>
> This isn't really a C7-specific issue/"problem".

Yeah that's right. I said that poorly. I had just been dealing with an issue with systemctl prior to that which was due to it being a C7 machine. But really only because I had been using systemctl.

What I'm most curious about is how Apache is reporting SELinux problems whether or not SELinux is enabled. Like I said earlier, if I have SELinux set to off, you still see those kind of messages relating to SELinux when you do a status on httpd. Odd.

One thing I did try was to do a restorecon -R -v /usr/lib/appdynamics-php5/. Since it might not be easy to change paths I was hoping to find a way to solve this using SELinux.

Does anyone else have any suggestions on how to solve this?

Thanks,
Tim

On Sun, May 10, 2015 at 10:20 PM, Richard <lists-centos at listmail.innovate.net> wrote:

>
>
> ------------ Original Message ------------
> > Date: Sunday, May 10, 2015 09:02:11 PM -0400
> > From: Tim Dunphy <bluethundr at gmail.com>
> >
> > Hey guys,
> >
> > I've got another C7 problem I was hoping to solve. I
> > installed appdynamics-php-agent-4.0.5.0-1.x86_64 on a C7.1 host.
> >
> > It's failing to communicate with its controller on another host.
> > And this is the interesting part. Whether or not I have SELinux
> > enabled, I have apache reporting SELinux problems.
> >
> > [root@web1:~] #getenforce
> > Permissive
> >
> > May 10 20:47:56 web1 python[25735]: SELinux is preventing
> > /usr/lib/appdynamics-php5/proxy/jre/bin/java from write access on
> > the file /usr/lib/appdynamics-php5/logs/agent.log.lck.
> >
> > ***** Plugin catchall (100.
>
> That's a rather odd (personally, I think bad) place for a log (or
> even logfile lock) and I'm not at all surprised that selinux is
> keeping your application from writing there. I would check to see if
> there is a setup/configuration option for your application to put
> the log files and related in a more standard location (/var/log,
> /var/run), where it is less likely to run into an issue.
>
> This isn't really a C7-specific issue/"problem".
>
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>

--
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
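
What audit2allow derives from the AVC denial quoted in the first message, shown as an added example (not code from the thread or from the audit2allow project): Python that parses AVC records and renders type-enforcement module source in the layout `audit2allow -m` prints. The module name `appd_local` and the second log record are constructed for illustration.

```python
import re
from collections import defaultdict

# First record: the AVC denial quoted in the thread. Second record: constructed
# for this example (same types, the agent.log.lck path from the journal lines).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1431305820.292:393420): avc: denied { write } for pid=27289 comm="java" path="/usr/lib/appdynamics-php5/logs/testfile1615417693000946121.tmp" dev="vda" ino=965852 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=AVC msg=audit(1431305821.000:393421): avc: denied { write } for pid=27289 comm="java" path="/usr/lib/appdynamics-php5/logs/agent.log.lck" dev="vda" ino=965853 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<src>\S+)\s+tcontext=(?P<tgt>\S+)\s+tclass=(?P<cls>\S+)")

def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]

def collect_rules(log_text):
    """Map (source type, target type, class) -> set of denied permissions."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            key = (selinux_type(m["src"]), selinux_type(m["tgt"]), m["cls"])
            rules[key].update(m["perms"].split())
    return dict(rules)

def fmt(perms):
    """One permission is written bare, several inside braces."""
    p = sorted(perms)
    return p[0] if len(p) == 1 else "{ " + " ".join(p) + " }"

def render_module(name, rules):
    """Render type-enforcement source in the layout audit2allow -m prints."""
    types = sorted({s for s, _, _ in rules} | {t for _, t, _ in rules})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls] |= perms
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {fmt(p)};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    out += [f"allow {s} {t}:{c} {fmt(p)};" for (s, t, c), p in sorted(rules.items())]
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    # "appd_local" is a hypothetical module name chosen for this example.
    print(render_module("appd_local", collect_rules(SAMPLE_AUDIT_LOG)), end="")
```

Both denials collapse into a single rule because the policy is keyed on types, not paths: the module lets every `httpd_t` process write to any file labelled `lib_t`, not just the agent's log directory. On the host itself, piping the same grep output to `audit2allow -M appd_local` compiles that rule into `appd_local.pp`, which `semodule -i appd_local.pp` loads.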