I found the solution for getting the New Relic APM Agent to run on a CentOS 7 system with SELinux Enforcing. The only SELinux modification you have to make is to change the context of the log file directory /var/log/newrelic. You can temporarily make these changes with the chcon command:
chcon -R -t httpd_log_t /var/log/newrelic/
Kill any running instances of newrelic-daemon. If you’re using New Relic’s recommended default setup, make sure that the file /etc/newrelic/newrelic.cfg does not exist. Verify that all required values in /etc/php.d/newrelic.ini are correct (especially the license key and the application name). Finally, restart httpd:
systemctl restart httpd
If that works, you should see output in both /var/log/newrelic/newrelic-daemon.log and /var/log/newrelic/php_agent.log. Now, make this file context change persistent, and verify the result:
semanage fcontext --add --type httpd_log_t "/var/log/newrelic(/.*)?"
restorecon -RF /var/log/newrelic/
ls -laZ /var/log/newrelic/
When you restart Apache, it spawns the newrelic-daemon processes, which communicate with APM via the socket file /tmp/.newrelic.sock. You really don’t want to run the newrelic-daemon processes via systemd if you can avoid it. The resulting process tree should look like this:
systemctl status httpd
...
   CGroup: /system.slice/httpd.service
           ├─ 6150 /usr/sbin/httpd -DFOREGROUND
           ├─ 6157 /usr/bin/newrelic-daemon --agent --pidfile /var/run/newrelic-daemon.pid --logfile /var/log/newrelic/newrelic-daemon.log --port /tmp/....
           ├─ 6162 /usr/sbin/httpd -DFOREGROUND
           ├─ 6163 /usr/sbin/httpd -DFOREGROUND
           ├─ 6164 /usr/sbin/httpd -DFOREGROUND
           ├─ 6165 /usr/sbin/httpd -DFOREGROUND
           ├─ 6166 /usr/sbin/httpd -DFOREGROUND
           ├─ 6168 /usr/bin/newrelic-daemon --agent --pidfile /var/run/newrelic-daemon.pid --logfile /var/log/newrelic/newrelic-daemon.log --port /tmp/....
           ├─ 8539 /usr/sbin/httpd -DFOREGROUND
           └─15706 /usr/sbin/httpd -DFOREGROUND
Note that there is no separate daemon for APM or the PHP agent; there is just newrelic-daemon.
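As an added example (not from the original post), here is a small POSIX shell script that wraps the persistent relabel step and then checks ls -laZ output so that any entry under /var/log/newrelic still carrying a type other than httpd_log_t is reported before you go hunting in the daemon logs. It assumes the CentOS 7 tools named in the post (semanage, restorecon, ls -Z) plus ausearch from audit; the function names apply_newrelic_fcontext, find_mislabeled, verify_live and recent_avc_denials are my own.

```shell
#!/bin/sh
# Added example: persist and verify the /var/log/newrelic label change.
# Assumes CentOS 7: semanage (policycoreutils-python), restorecon, ls -Z.

NR_LOG_DIR="/var/log/newrelic"
NR_LOG_TYPE="httpd_log_t"

# Register the persistent rule and relabel the tree (run as root).
apply_newrelic_fcontext() {
    semanage fcontext --add --type "$NR_LOG_TYPE" "${NR_LOG_DIR}(/.*)?"
    restorecon -RFv "$NR_LOG_DIR"
}

# Read "ls -laZ"-style lines on stdin; print the name of every entry whose
# SELinux type is not $NR_LOG_TYPE. Exit 0 only if all entries match.
# Works with both the CentOS 7 ls -lZ layout (no size/date columns) and
# newer coreutils, because it locates the user:role:type:level column by
# its shape instead of by position. "total", "." and ".." are skipped.
find_mislabeled() {
    awk -v want="$NR_LOG_TYPE" '
        $1 == "total" { next }
        $NF == "." || $NF == ".." { next }
        {
            ctx = ""
            for (i = 1; i <= NF; i++)
                if ($i ~ /^[^:]+:[^:]+:[^:]+:/) { ctx = $i; break }
            if (ctx == "") next          # no context column (ls without -Z)
            split(ctx, c, ":")
            if (c[3] != want) { print $NF; bad = 1 }
        }
        END { if (bad) exit 1; exit 0 }'
}

# Live check on a real host: non-zero exit means something is mislabeled.
verify_live() {
    ls -laZ "$NR_LOG_DIR" | find_mislabeled
}

# If httpd still cannot write, the denial shows up in the audit log.
recent_avc_denials() {
    ausearch -m AVC -ts recent 2>/dev/null | grep -F newrelic
}

# Only touch the system when explicitly asked: ./script.sh apply
if [ "${1:-}" = "apply" ]; then
    apply_newrelic_fcontext && verify_live
fi
```

A clean run prints nothing from verify_live; a stray var_log_t entry (for example a log file created before the relabel by a tool other than httpd) is printed by name.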
Non-Solutions
Here are things I tried that didn’t work. They may have worked in the past, but as of June 2018 they do not:
- Changing the SELinux context of the socket file, or moving it to a new location, is not necessary.
- Creating an SELinux policy module is not necessary.
The Rant
Now, a brief rant. It is irresponsible for New Relic to publish such poor documentation on allowing the New Relic agent to run on a system with SELinux Enforcing. Their documentation gives you three options:
- Leave SELinux enforcing and Google it. I am not kidding; the documentation literally says, “The necessary steps are available on the internet and are easily located by searching for ‘SELinux policy module creation.’” You’ve paid for this product, and they’re telling you to search for your own solution. It’s especially pathetic because they are telling you to search for the wrong thing. NO MODULE IS REQUIRED!
- Set SELinux to Permissive – not a real option for any enterprise server
- Disable SELinux – not a real option for any enterprise server
To make it worse, back in 2016 a New Relic user politely brought a suggested solution to New Relic’s forums. They politely black-holed his suggestions, as far as I can tell. New Relic’s attitude towards SELinux is outdated and needs to change.