[CentOS] appdynamics php agent prevented by SELinux

Tue May 12 02:39:56 UTC 2015
Tim Dunphy <bluethundr at gmail.com>

Well, I was having a heck of a time with the rpm install in terms of
customizing the install directory.

So I thought the easy way out might be to go for a source install. Which I
tried and this was the output from the install:

[root at web1:/opt/AppDynamics/appdynamics-php-agent] #./install.sh
appd.jokefire.com 443 beta.jokefire.com "Web Front End" web1.jokefire.com
Install script for AppDynamics PHP Agent
4.0.5.0GA.8351.c72adcc398473f98f9cb976a652747d94c617ec9
Found PHP installation in /bin

  Detected PHP Version:
  PHP 5.4.40 (cli) (built: Apr 15 2015 15:44:44)
Copyright (c) 1997-2014 The PHP Group
Zend Engine v2.4.0, Copyright (c) 1998-2014 Zend Technologies

PHP version id:            5.4
PHP extensions directory:  /usr/lib64/php/modules
PHP ini directory:         /etc/php.d
Controller Host:           appd.mydomain.com
Controller Port:           443
Application Name:          beta.mydomain.com
Tier Name:                 Web Front End
Node Name:                 web1.mydomain.com
Account Name:
Access Key:
SSL Enabled:               false
HTTP Proxy Host:
HTTP Proxy Port:
HTTP Proxy User:
HTTP Proxy Password File:

Writing
'/opt/AppDynamics/appdynamics-php-agent/php/conf/appdynamics_agent_log4cxx.xml'
Writing '/etc/php.d/appdynamics_agent.ini'
Writing
'/opt/AppDynamics/appdynamics-php-agent/proxy/conf/controller-info.xml'
rm -f "/usr/lib64/php/modules/appdynamics_agent.so"
ln -s "/opt/AppDynamics/appdynamics-php-agent/php/modules/
appdynamics_agent_php_5.4.so" "/usr/lib64/php/modules/appdynamics_agent.so"
Writing '/opt/AppDynamics/appdynamics-php-agent/proxy/runProxy'

That seemed a little more like it! At least it's out of the way and in a
directory that's a little easier to control - /opt. And also I was able to
specify some important information like what appd controller I was using
etc that I wasn't using a source install.

However, I found that really strange SELinux just followed me to the new
location. Sigh...

[root at web1:~] #systemctl status httpd
httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled)
   Active: active (running) since Mon 2015-05-11 22:31:36 EDT; 26s ago
  Process: 14829 ExecStop=/bin/kill -WINCH ${MAINPID} (code=exited,
status=0/SUCCESS)
  Process: 25728 ExecReload=/usr/sbin/httpd $OPTIONS -k graceful
(code=exited, status=0/SUCCESS)
 Main PID: 14840 (httpd)
   Status: "Total requests: 19; Current requests/sec: 1.2; Current traffic:
614 B/sec"
   CGroup: /system.slice/httpd.service
           ├─14840 /usr/sbin/httpd -DFOREGROUND
           ├─14844 /usr/sbin/httpd -DFOREGROUND
           ├─14845 /usr/sbin/httpd -DFOREGROUND
           ├─14846 /usr/sbin/httpd -DFOREGROUND
           ├─14848 /usr/sbin/httpd -DFOREGROUND
           ├─14849 /usr/sbin/httpd -DFOREGROUND
           ├─14850
/opt/AppDynamics/appdynamics-php-agent/proxy/jre/bin/java -server -Xmx300m
-Xms50m -classpath
/opt/AppDynamics/appdynamics-php-agent/proxy/conf/logging:/opt/AppDynamics/appdynamics-p...
           ├─14905 /usr/sbin/httpd -DFOREGROUND
           ├─32210 /usr/bin/newrelic-daemon -A -s -p
/var/run/newrelic-daemon.pid -l /var/log/newrelic/newrelic-daemon.log -d
verbosedebug
           └─32211 /usr/bin/newrelic-daemon -A -s -p
/var/run/newrelic-daemon.pid -l /var/log/newrelic/newrelic-daemon.log -d
verbosedebug

May 11 22:31:38 web1 python[14832]: SELinux is preventing
/opt/AppDynamics/appdynamics-php-agent/proxy/jre/bin/java from unlink
access on the file testfile7644450607057334348.tmp.

                                    *****  Plugin catchall_labels (83.8
confidence) suggests   *******************...
May 11 22:31:38 web1 python[14832]: SELinux is preventing
/usr/lib/appdynamics-php5/proxy/jre/bin/java from block_suspend access on
the capability2 Unknown.

                                    *****  Plugin catchall (100.
confidence) suggests   **************************...
May 11 22:31:39 web1 python[14832]: SELinux is preventing
/usr/lib/appdynamics-php5/proxy/jre/bin/java from write access on the
directory lib.

                                    *****  Plugin catchall (100.
confidence) suggests   **************************...
May 11 22:31:39 web1 python[14832]: SELinux is preventing
/usr/lib/appdynamics-php5/proxy/jre/bin/java from write access on the file
libjzmq.so.0.

                                    *****  Plugin catchall (100.
confidence) suggests   **************************...
May 11 22:31:39 web1 python[14832]: SELinux is preventing
/usr/lib/appdynamics-php5/proxy/jre/bin/java from setattr access on the
file libjzmq.so.0.

                                    *****  Plugin catchall (100.
confidence) suggests   **************************...
May 11 22:31:40 web1 python[14832]: SELinux is preventing
/usr/lib/appdynamics-php5/proxy/jre/bin/java from setattr access on the
directory tp.

                                    *****  Plugin catchall (100.
confidence) suggests   **************************...
May 11 22:31:40 web1 python[14832]: SELinux is preventing
/opt/AppDynamics/appdynamics-php-agent/proxy/jre/bin/java from setattr
access on the file runProxy.template.

                                    *****  Plugin catchall_labels (83.8
confidence) suggests   *******************...
May 11 22:31:40 web1 python[14832]: SELinux is preventing /usr/sbin/httpd
from setattr access on the directory logging.

                                    *****  Plugin catchall_labels (83.8
confidence) suggests   *******************...
May 11 22:31:43 web1 python[14832]: SELinux is preventing
/opt/AppDynamics/appdynamics-php-agent/proxy/jre/bin/java from write access
on the file agent.log.lck.

                                    *****  Plugin catchall_labels (83.8
confidence) suggests   *******************...
May 11 22:31:43 web1 python[14832]: SELinux is preventing /usr/sbin/httpd
from append access on the file agent.log.

                                    *****  Plugin catchall_labels (83.8
confidence) suggests   *******************...

Why is that odd? Well mainly because I have SELinux off at the moment.

[root at web1:~] #getenforce 0
Permissive

I also tried a restorecon -R -v /opt/AppDynamics. But even after doing that
the SELinux errors in the output of systemctl status httpd are still
happening.

And if I take a look at the SELinux permissions on that directory, this is
what I have:

[root at web1:~] #ls -lZ /opt/ | grep -i appd
drwxr-xr-x. apache apache unconfined_u:object_r:usr_t:s0   AppDynamics

[root at web1:~] #ls -lZ /opt/AppDynamics/
drwxrwxr-x. apache apache unconfined_u:object_r:usr_t:s0
appdynamics-php-agent
drwxr-xr-x. apache apache unconfined_u:object_r:usr_t:s0   var

Anyone have any ideas on how I can beat this problem?

Thanks!!
Tim

On Mon, May 11, 2015 at 3:08 PM, <m.roth at 5-cent.us> wrote:

> Tim Dunphy wrote:
> >>
> >> If rpm is configured for _that_ location of log files, I would remove
> >> the
> >> repository this rpm comes from from configuration and will remember to
> >> never-never ever use that repository for anything.
> >>
> >> Just my $0.02
> >
> > Yeah I completely get where you're coming from there. However it's not an
> > RPM from a repo. I downloaded the rpm from the appdynamics site itself.
> > While it may be easy to say "well then just don't use appdynamics"!
> > That's not a luxury I have. My company uses it and I need to get up to
> speed on
> > how to work with it. So that's why I'm trying out this experiment.
>
> No, that's called "bug report", or "enhancement request".
>
>       mark "and is done by amateurs, or 'subject matter experts', who
>              think they know how to do the computer side...."
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>



-- 
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B