> If rpm is configured for _that_ location of log files, I would remove the
> repository this rpm comes from from configuration and will remember to
> never-never ever use that repository for anything.
>
> Just my $0.02

Yeah I completely get where you're coming from there. However it's not an
RPM from a repo. I downloaded the rpm from the appdynamics site itself.
While it may be easy to say "well then just don't use appdynamics"! That's
not a luxury I have. My company uses it and I need to get up to speed on
how to work with it. So that's why I'm trying out this experiment.

Thanks,
Tim

On Mon, May 11, 2015 at 11:22 AM, Valeri Galtsev <galtsev at kicp.uchicago.edu> wrote:

> On Mon, May 11, 2015 9:47 am, Tim Dunphy wrote:
> >>
> >> That's a rather odd (personally, I think bad) place for a log (or
> >> even logfile lock) and I'm not at all surprised that selinux is
> >> keeping your application from writing there. I would check to see if
> >> there is a setup/configuration option for your application to put
> >> the log files and related in a more standard location (/var/log,
> >> /var/run), where it is less likely to run into an issue.
> >
> > Yeah I agree that it's an unusual place to store log files. However I'm
> > not aware of any way to change that location since it's an RPM install.
>
> If rpm is configured for _that_ location of log files, I would remove the
> repository this rpm comes from from configuration and will remember to
> never-never ever use that repository for anything.
>
> Just my $0.02
>
> Valeri
>
> > Maybe a source install is possible. I'll do some googling.
> >
> >> This isn't really a C7-specific issue/"problem".
> >
> > Yeah that's right. I said that poorly. I had just been dealing with an
> > issue with systemctl prior to that which was due to it being a C7
> > machine. But really only because I had been using systemctl.
> >
> > What I'm most curious about is how Apache is reporting SELinux problems
> > whether or not SELinux is enabled. Like I said earlier, if I have SELinux
> > set to off, you still see those kind of messages relating to SELinux when
> > you do a status on httpd.
> >
> > Odd. One thing I did try was to do a restorecon -R -v
> > /usr/lib/appdynamics-php5/.
> >
> > Since it might not be easy to change paths I was hoping to find a way to
> > solve this using SELinux.. Does anyone else have any suggestions on how to
> > solve this?
> >
> > Thanks,
> > Tim
> >
> > On Sun, May 10, 2015 at 10:20 PM, Richard <lists-centos at listmail.innovate.net> wrote:
> >
> >> ------------ Original Message ------------
> >> > Date: Sunday, May 10, 2015 09:02:11 PM -0400
> >> > From: Tim Dunphy <bluethundr at gmail.com>
> >> >
> >> > Hey guys,
> >> >
> >> > I've got another C7 problem I was hoping to solve. I
> >> > installed appdynamics-php-agent-4.0.5.0-1.x86_64 on a C7.1 host.
> >> >
> >> > It's failing to communicate with its controller on another host.
> >> > And this is the interesting part. Whether or not I have SELinux
> >> > enabled, I have apache reporting SELinux problems.
> >> >
> >> > [root at web1:~] #getenforce
> >> > Permissive
> >> >
> >> > May 10 20:47:56 web1 python[25735]: SELinux is preventing
> >> > /usr/lib/appdynamics-php5/proxy/jre/bin/java from write access on
> >> > the file /usr/lib/appdynamics-php5/logs/agent.log.lck.
> >> >
> >> > ***** Plugin catchall (100.
> >>
> >> That's a rather odd (personally, I think bad) place for a log (or
> >> even logfile lock) and I'm not at all surprised that selinux is
> >> keeping your application from writing there. I would check to see if
> >> there is a setup/configuration option for your application to put
> >> the log files and related in a more standard location (/var/log,
> >> /var/run), where it is less likely to run into an issue.
> >>
> >> This isn't really a C7-specific issue/"problem".
> >>
> >> _______________________________________________
> >> CentOS mailing list
> >> CentOS at centos.org
> >> http://lists.centos.org/mailman/listinfo/centos

--
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B

On Mon, May 11, 2015 10:38 am, Tim Dunphy wrote:
>>
>> If rpm is configured for _that_ location of log files, I would remove
>> the repository this rpm comes from from configuration and will remember to
>> never-never ever use that repository for anything.
>>
>> Just my $0.02
>
> Yeah I completely get where you're coming from there. However it's not an
> RPM from a repo. I downloaded the rpm from the appdynamics site itself.
> While it may be easy to say "well then just don't use appdynamics"!
> That's not a luxury I have. My company uses it and I need to get up to
> speed on how to work with it. So that's why I'm trying out this experiment.

OK, then this is what I would do: create some benign place for that, say,

/opt/appdynamics

Then install rpm with "--root /opt/appdynamics" option. This will force rpm
to prepend all paths with "/opt/appdynamics". Instead of, say, putting
something into /usr/lib, it will put this stuff into
/opt/appdynamics/usr/lib (and will create missing paths there when
necessary). So:

rpm -ivh --root /opt/appdynamics/ [your appdynamics rpm name].rpm

After that is done, you may need to describe the paths to binaries,
libraries there, say, by adding for libraries:

echo "/opt/appdynamics" >> /etc/ld.so.conf
/sbin/ldconfig -v

and adding extra paths to, say, /etc/profile...

I hope this helps.

Valeri

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++

m.roth at 5-cent.us
2015-May-11 19:08 UTC
[CentOS] appdynamics php agent prevented by SELinux
Tim Dunphy wrote:
>>
>> If rpm is configured for _that_ location of log files, I would remove
>> the repository this rpm comes from from configuration and will remember to
>> never-never ever use that repository for anything.
>>
>> Just my $0.02
>
> Yeah I completely get where you're coming from there. However it's not an
> RPM from a repo. I downloaded the rpm from the appdynamics site itself.
> While it may be easy to say "well then just don't use appdynamics"!
> That's not a luxury I have. My company uses it and I need to get up to
> speed on how to work with it. So that's why I'm trying out this experiment.

No, that's called "bug report", or "enhancement request".

      mark "and is done by amateurs, or 'subject matter experts', who
            think they know how to do the computer side...."

Well, I was having a heck of a time with the rpm install in terms of
customizing the install directory. So I thought the easy way out might be
to go for a source install. Which I tried and this was the output from the
install:

[root at web1:/opt/AppDynamics/appdynamics-php-agent] #./install.sh appd.jokefire.com 443 beta.jokefire.com "Web Front End" web1.jokefire.com
Install script for AppDynamics PHP Agent 4.0.5.0GA.8351.c72adcc398473f98f9cb976a652747d94c617ec9
Found PHP installation in /bin
Detected PHP Version: PHP 5.4.40 (cli) (built: Apr 15 2015 15:44:44)
Copyright (c) 1997-2014 The PHP Group
Zend Engine v2.4.0, Copyright (c) 1998-2014 Zend Technologies
PHP version id: 5.4
PHP extensions directory: /usr/lib64/php/modules
PHP ini directory: /etc/php.d
Controller Host: appd.mydomain.com
Controller Port: 443
Application Name: beta.mydomain.com
Tier Name: Web Front End
Node Name: web1.mydomain.com
Account Name:
Access Key:
SSL Enabled: false
HTTP Proxy Host:
HTTP Proxy Port:
HTTP Proxy User:
HTTP Proxy Password File:
Writing '/opt/AppDynamics/appdynamics-php-agent/php/conf/appdynamics_agent_log4cxx.xml'
Writing '/etc/php.d/appdynamics_agent.ini'
Writing '/opt/AppDynamics/appdynamics-php-agent/proxy/conf/controller-info.xml'
rm -f "/usr/lib64/php/modules/appdynamics_agent.so"
ln -s "/opt/AppDynamics/appdynamics-php-agent/php/modules/appdynamics_agent_php_5.4.so" "/usr/lib64/php/modules/appdynamics_agent.so"
Writing '/opt/AppDynamics/appdynamics-php-agent/proxy/runProxy'

That seemed a little more like it! At least it's out of the way and in a
directory that's a little easier to control - /opt. And also I was able to
specify some important information like what appd controller I was using
etc that I wasn't using a source install.

However, I found that really strange SELinux just followed me to the new
location. Sigh...

[root at web1:~] #systemctl status httpd
httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled)
   Active: active (running) since Mon 2015-05-11 22:31:36 EDT; 26s ago
  Process: 14829 ExecStop=/bin/kill -WINCH ${MAINPID} (code=exited, status=0/SUCCESS)
  Process: 25728 ExecReload=/usr/sbin/httpd $OPTIONS -k graceful (code=exited, status=0/SUCCESS)
 Main PID: 14840 (httpd)
   Status: "Total requests: 19; Current requests/sec: 1.2; Current traffic: 614 B/sec"
   CGroup: /system.slice/httpd.service
           ├─14840 /usr/sbin/httpd -DFOREGROUND
           ├─14844 /usr/sbin/httpd -DFOREGROUND
           ├─14845 /usr/sbin/httpd -DFOREGROUND
           ├─14846 /usr/sbin/httpd -DFOREGROUND
           ├─14848 /usr/sbin/httpd -DFOREGROUND
           ├─14849 /usr/sbin/httpd -DFOREGROUND
           ├─14850 /opt/AppDynamics/appdynamics-php-agent/proxy/jre/bin/java -server -Xmx300m -Xms50m -classpath /opt/AppDynamics/appdynamics-php-agent/proxy/conf/logging:/opt/AppDynamics/appdynamics-p...
           ├─14905 /usr/sbin/httpd -DFOREGROUND
           ├─32210 /usr/bin/newrelic-daemon -A -s -p /var/run/newrelic-daemon.pid -l /var/log/newrelic/newrelic-daemon.log -d verbosedebug
           └─32211 /usr/bin/newrelic-daemon -A -s -p /var/run/newrelic-daemon.pid -l /var/log/newrelic/newrelic-daemon.log -d verbosedebug

May 11 22:31:38 web1 python[14832]: SELinux is preventing /opt/AppDynamics/appdynamics-php-agent/proxy/jre/bin/java from unlink access on the file testfile7644450607057334348.tmp.
    ***** Plugin catchall_labels (83.8 confidence) suggests *******************...
May 11 22:31:38 web1 python[14832]: SELinux is preventing /usr/lib/appdynamics-php5/proxy/jre/bin/java from block_suspend access on the capability2 Unknown.
    ***** Plugin catchall (100. confidence) suggests **************************...
May 11 22:31:39 web1 python[14832]: SELinux is preventing /usr/lib/appdynamics-php5/proxy/jre/bin/java from write access on the directory lib.
    ***** Plugin catchall (100. confidence) suggests **************************...
May 11 22:31:39 web1 python[14832]: SELinux is preventing /usr/lib/appdynamics-php5/proxy/jre/bin/java from write access on the file libjzmq.so.0.
    ***** Plugin catchall (100. confidence) suggests **************************...
May 11 22:31:39 web1 python[14832]: SELinux is preventing /usr/lib/appdynamics-php5/proxy/jre/bin/java from setattr access on the file libjzmq.so.0.
    ***** Plugin catchall (100. confidence) suggests **************************...
May 11 22:31:40 web1 python[14832]: SELinux is preventing /usr/lib/appdynamics-php5/proxy/jre/bin/java from setattr access on the directory tp.
    ***** Plugin catchall (100. confidence) suggests **************************...
May 11 22:31:40 web1 python[14832]: SELinux is preventing /opt/AppDynamics/appdynamics-php-agent/proxy/jre/bin/java from setattr access on the file runProxy.template.
    ***** Plugin catchall_labels (83.8 confidence) suggests *******************...
May 11 22:31:40 web1 python[14832]: SELinux is preventing /usr/sbin/httpd from setattr access on the directory logging.
    ***** Plugin catchall_labels (83.8 confidence) suggests *******************...
May 11 22:31:43 web1 python[14832]: SELinux is preventing /opt/AppDynamics/appdynamics-php-agent/proxy/jre/bin/java from write access on the file agent.log.lck.
    ***** Plugin catchall_labels (83.8 confidence) suggests *******************...
May 11 22:31:43 web1 python[14832]: SELinux is preventing /usr/sbin/httpd from append access on the file agent.log.
    ***** Plugin catchall_labels (83.8 confidence) suggests *******************...

Why is that odd? Well mainly because I have SELinux off at the moment.

[root at web1:~] #getenforce 0
Permissive

I also tried a restorecon -R -v /opt/AppDynamics. But even after doing that
the SELinux errors in the output of systemctl status httpd are still
happening.

And if I take a look at the SELinux permissions on that directory, this is
what I have:

[root at web1:~] #ls -lZ /opt/ | grep -i appd
drwxr-xr-x. apache apache unconfined_u:object_r:usr_t:s0   AppDynamics

[root at web1:~] #ls -lZ /opt/AppDynamics/
drwxrwxr-x. apache apache unconfined_u:object_r:usr_t:s0   appdynamics-php-agent
drwxr-xr-x. apache apache unconfined_u:object_r:usr_t:s0   var

Anyone have any ideas on how I can beat this problem?

Thanks!!
Tim

--
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
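
An added example (not part of the thread, and not AppDynamics or setroubleshoot code): a small parser for the setroubleshoot summary lines in the `systemctl status httpd` output above, grouping the denials by source binary so it is visible which processes, and which of the two install trees (/usr/lib/appdynamics-php5 and /opt/AppDynamics), are producing them. The sample lines are copied from that message; the regular expression, the function names and the list of write-type permissions are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample: summary lines copied from the `systemctl status httpd`
# output quoted in the message above (plugin suggestion text left out).
SAMPLE_LOG = """\
May 11 22:31:38 web1 python[14832]: SELinux is preventing /opt/AppDynamics/appdynamics-php-agent/proxy/jre/bin/java from unlink access on the file testfile7644450607057334348.tmp.
May 11 22:31:38 web1 python[14832]: SELinux is preventing /usr/lib/appdynamics-php5/proxy/jre/bin/java from block_suspend access on the capability2 Unknown.
May 11 22:31:39 web1 python[14832]: SELinux is preventing /usr/lib/appdynamics-php5/proxy/jre/bin/java from write access on the directory lib.
May 11 22:31:39 web1 python[14832]: SELinux is preventing /usr/lib/appdynamics-php5/proxy/jre/bin/java from setattr access on the file libjzmq.so.0.
May 11 22:31:40 web1 python[14832]: SELinux is preventing /usr/sbin/httpd from setattr access on the directory logging.
May 11 22:31:43 web1 python[14832]: SELinux is preventing /opt/AppDynamics/appdynamics-php-agent/proxy/jre/bin/java from write access on the file agent.log.lck.
May 11 22:31:43 web1 python[14832]: SELinux is preventing /usr/sbin/httpd from append access on the file agent.log.
"""

# Assumed message shape: "SELinux is preventing <binary> from <perm[, perm]>
# access on the <class> <target>." Lines that do not match are skipped.
DENIAL_RE = re.compile(
    r"SELinux is preventing (?P<source>\S+) from '?(?P<perms>[\w, ]+?)'? access "
    r"on the (?P<tclass>\S+) (?P<target>.+?)\.?\s*$"
)

# Permissions that modify a file or directory (assumption of this example).
WRITE_PERMS = {"write", "append", "setattr", "unlink", "create", "rename",
               "add_name", "remove_name"}


def parse_denials(text):
    """Return one dict per setroubleshoot summary line found in text."""
    denials = []
    for line in text.splitlines():
        m = DENIAL_RE.search(line)
        if m:
            d = m.groupdict()
            d["perms"] = [p.strip() for p in d["perms"].split(",")]
            denials.append(d)
    return denials


def summarize(denials):
    """Group denials by source binary: permissions seen and objects touched."""
    by_source = defaultdict(lambda: {"perms": set(), "targets": set()})
    for d in denials:
        by_source[d["source"]]["perms"].update(d["perms"])
        by_source[d["source"]]["targets"].add((d["tclass"], d["target"]))
    return dict(by_source)


def write_denials(denials):
    """Denials about modifying files or directories (not capabilities)."""
    return [d for d in denials
            if d["tclass"] in ("file", "directory")
            and WRITE_PERMS & set(d["perms"])]


if __name__ == "__main__":
    found = parse_denials(SAMPLE_LOG)
    for source, info in sorted(summarize(found).items()):
        print(source)
        print("  perms:  ", ", ".join(sorted(info["perms"])))
        for tclass, target in sorted(info["targets"]):
            print("  object: ", tclass, target)
    print(len(write_denials(found)), "of", len(found), "denials are write-type")
```

In Permissive mode SELinux logs these denials without blocking the access, which is why they show up even though nothing is being enforced.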