[CentOS] appdynamics php agent prevented by SELinux

Mon May 11 01:02:11 UTC 2015
Tim Dunphy <bluethundr at gmail.com>

Hey guys,

I've got another C7 problem I was hoping to solve. I
installed appdynamics-php-agent-4.0.5.0-1.x86_64 on a C7.1 host.

It's failing to communicate with its controller on another host. And this
is the interesting part. Whether or not I have SELinux enabled, I have
apache reporting SELinux problems.

[root at web1:~] #getenforce
Permissive

May 10 20:47:56 web1 python[25735]: SELinux is preventing
/usr/lib/appdynamics-php5/proxy/jre/bin/java from write access on the file
/usr/lib/appdynamics-php5/logs/agent.log.lck.

                                    *****  Plugin catchall (100.
confidence) suggests   **************************...
May 10 20:47:56 web1 python[25735]: SELinux is preventing
/usr/lib/appdynamics-php5/proxy/jre/bin/java from write access on the file
/usr/lib/appdynamics-php5/logs/agent.log.lck.

                                    *****  Plugin catchall (100.
confidence) suggests   **************************...
May 10 20:47:57 web1 python[25735]: SELinux is preventing
/usr/lib/appdynamics-php5/proxy/jre/bin/java from write access on the file
/usr/lib/appdynamics-php5/logs/agent.log.lck.

                                    *****  Plugin catchall (100.
confidence) suggests   **************************...
May 10 20:47:58 web1 python[25735]: SELinux is preventing
/usr/lib/appdynamics-php5/proxy/jre/bin/java from write access on the file
/usr/lib/appdynamics-php5/logs/agent.log.lck.

                                    *****  Plugin catchall (100.
confidence) suggests   **************************...
May 10 20:48:00 web1 python[25735]: SELinux is preventing
/usr/lib/appdynamics-php5/proxy/jre/bin/java from write access on the file
/usr/lib/appdynamics-php5/logs/agent.log.lck.

                                    *****  Plugin catchall (100.
confidence) suggests   **************************...
May 10 20:48:01 web1 python[25735]: SELinux is preventing
/usr/lib/appdynamics-php5/proxy/jre/bin/java from write access on the file
/usr/lib/appdynamics-php5/logs/agent.log.lck.

                                    *****  Plugin catchall (100.
confidence) suggests   **************************...
May 10 20:49:16 web1 python[25952]: SELinux is preventing
/usr/lib/appdynamics-php5/proxy/jre/bin/java from write access on the file
/usr/lib/appdynamics-php5/logs/agent.log.lck.

                                    *****  Plugin catchall (100.
confidence) suggests   **************************...
May 10 20:49:17 web1 python[25952]: SELinux is preventing
/usr/lib/appdynamics-php5/proxy/jre/bin/java from write access on the file
/usr/lib/appdynamics-php5/logs/agent.log.lck.

                                    *****  Plugin catchall (100.
confidence) suggests   **************************...
May 10 20:53:14 web1 python[26609]: SELinux is preventing
/usr/lib/appdynamics-php5/proxy/jre/bin/java from write access on the file
/usr/lib/appdynamics-php5/logs/agent.log.lck.

                                    *****  Plugin catchall (100.
confidence) suggests   **************************...
May 10 20:53:15 web1 python[26609]: SELinux is preventing
/usr/lib/appdynamics-php5/proxy/jre/bin/java from write access on the file
/usr/lib/appdynamics-php5/logs/agent.log.lck.

                                    *****  Plugin catchall (100.
confidence) suggests   **************************...

So I enabled SELinux and started troubleshooting with audit2why.

[root at web1:~] #setenforce 1
[root at web1:~] #getenforce
Enforcing

And I'm seeing messages like these:

[root at web1:~] #grep appd /var/log/audit/audit.log | audit2why -w

type=AVC msg=audit(1431305820.292:393420): avc:  denied  { write } for
 pid=27289 comm="java"
path="/usr/lib/appdynamics-php5/logs/testfile1615417693000946121.tmp"
dev="vda" ino=965852 scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:lib_t:s0 tclass=file

        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to
allow this access.

The part I am stuck on is using audit2allow to generate a loadable module
that can allow this.

Can anyone spare any pointers on how to do that?

Thanks!
Tim

-- 
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
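As an added illustration for the question above (not code from the original post, from CentOS or from AppDynamics): the script below does the simplest form of what `audit2allow -M` does, so you can see exactly which allow rules a catchall module would contain before loading it. It parses AVC records in the form shown in the thread, re-joins records that a mailer wrapped across lines, merges denials per (source type, target type, class), renders policy source in the layout audit2allow emits, and flags rules whose target is a generic type. The second AVC record in the sample, the list of "broad" types, and the module name `appd_local` are constructed for the example and are assumptions, not facts from the thread.

```python
"""Parse SELinux AVC denials and draft a minimal allow-rule module.

Added example for the thread; it mimics the simplest form of
`audit2allow -M` so the resulting rules can be inspected first.
"""
import re
from collections import defaultdict

# Constructed sample audit text. The first AVC record is the one posted in
# the thread (re-joined onto one line); the SYSCALL line and the second AVC
# record (a 'create' on the lock file named in the setroubleshoot messages)
# are constructed companions, not records from the original host.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1431305820.292:393420): avc:  denied  { write } for  pid=27289 comm="java" path="/usr/lib/appdynamics-php5/logs/testfile1615417693000946121.tmp" dev="vda" ino=965852 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=SYSCALL msg=audit(1431305820.292:393420): arch=c000003e syscall=2 success=no exit=-13 comm="java"
type=AVC msg=audit(1431305821.104:393421): avc:  denied  { create } for  pid=27289 comm="java" name="agent.log.lck" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"type=AVC\b.*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Generic types shared by many files; a rule that writes to one of them is
# far wider than the single logs directory. Assumed list for this example.
BROAD_TARGET_TYPES = {"lib_t", "bin_t", "usr_t", "etc_t", "var_t", "tmp_t"}


def join_wrapped_records(text):
    """Re-join records that a mailer or terminal wrapped across lines.

    audit.log writes one record per line, but pasted output (as in the
    thread) often wraps. Every real record starts with 'type=', so any
    other line is a continuation of the record before it.
    """
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("type=") or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records


def selinux_type(context):
    """user:role:type:level -> type (MLS ranges with ':' do not matter)."""
    return context.split(":")[2]


def parse_avc(text):
    """Return one dict per AVC denial: source type, target type, class, perms."""
    denials = []
    for record in join_wrapped_records(text):
        m = AVC_RE.search(record)
        if not m:
            continue
        denials.append({
            "source": selinux_type(m.group("scontext")),
            "target": selinux_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
            "perms": set(m.group("perms").split()),
        })
    return denials


def collect_rules(denials):
    """Merge denials into (source, target, class) -> set of permissions."""
    rules = defaultdict(set)
    for d in denials:
        rules[(d["source"], d["target"], d["tclass"])] |= d["perms"]
    return dict(rules)


def render_module(name, rules, version="1.0"):
    """Emit policy source in the layout audit2allow -M produces."""
    types = sorted({t for key in rules for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, tclass), perms in rules.items():
        classes[tclass] |= perms
    out = [f"module {name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (src, tgt, tclass), perms in sorted(rules.items()):
        out.append(f"allow {src} {tgt}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out) + "\n"


def broad_rules(rules):
    """Rules whose target is a generic type; relabeling is usually narrower."""
    return [key for key in rules if key[1] in BROAD_TARGET_TYPES]


if __name__ == "__main__":
    rules = collect_rules(parse_avc(SAMPLE_AUDIT))
    print(render_module("appd_local", rules))
    for src, tgt, tclass in broad_rules(rules):
        print(f"# note: this lets {src} touch every {tgt} {tclass} on the host;"
              f" consider giving the logs directory its own label instead")
```

On a real host the input would be the output of the `grep appd /var/log/audit/audit.log` command from the post, and the equivalent real tooling is `audit2allow -M appd_local` followed by `semodule -i appd_local.pp`. The flag the script raises is the reason to look before loading: the denial's target is `lib_t`, so a catchall rule grants the whole `httpd_t` domain write access to everything labeled as a library, not just the agent's logs directory. Assigning that directory a type `httpd_t` may already write to (`sesearch -A -s httpd_t -c file -p write` lists the candidates on the installed policy) via `semanage fcontext` and `restorecon` keeps the grant to the one path that needs it.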