Data stops reporting while using SELinux

Problem

Your agent stops reporting data when using New Relic's PHP agent. The operating system either includes SELinux by default, or SELinux has been added to the environment for security purposes.

Solution

To resolve this issue, use any of these options:

Configure SELinux to allow New Relic to communicate

You can write a custom SELinux policy, in line with your own security policies, that allows this communication. This process is outside the scope of New Relic Support, and we cannot make specific recommendations regarding your security configuration. However, the following links provide helpful starting points for learning about SELinux policy creation and modification:

Set SELinux to permissive mode

This may be used as a temporary measure to verify that SELinux is responsible for data not being reported.

In permissive mode, SELinux no longer enforces its policy, so your services operate without restrictions; it still logs what it would have denied. The default setting is restored if you restart the server.

To set to permissive mode, use the command:

    setenforce Permissive

Disable SELinux

New Relic does not actively encourage you to disable security software. For best results, configure SELinux to allow New Relic to function fully instead.

If you decide that disabling SELinux is the right decision for your server, use the following steps to permanently disable SELinux:

  1. Edit the SELinux sysconfig file using this command:

    vi /etc/sysconfig/selinux

  2. Find the SELINUX= setting and change it to:

    SELINUX=disabled

  3. Restart your server in order for the setting to take effect.

Cause

The agent's PHP extension and daemon communicate by default through the Unix socket /tmp/.newrelic.sock. When SELinux is set to enforcing mode and is not configured to allow this, the two agent components cannot communicate with each other.

In some cases, SELinux can prevent the daemon from starting altogether. Verifying the PHP daemon may be a necessary troubleshooting step when diagnosing SELinux issues.
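
To confirm that SELinux is what blocks the socket described above, the following shell function summarizes the AVC denials that mention the agent. It is an added example, not New Relic's code; the log lines are constructed, and the daemon name newrelic-daemon is an assumption about your install.

```shell
#!/bin/sh
# Added example: summarize SELinux AVC denials that mention the New Relic
# PHP agent. Reads audit-log lines on stdin and prints one line per denial.
# Matches the socket name from this page (.newrelic.sock) and any process
# whose name contains "newrelic" (assumption: the daemon is newrelic-daemon).
newrelic_avc_denials() {
    grep 'avc:.*denied' | grep 'newrelic' | awk '
    {
        perm = ""; comm = tclass = scon = tcon = mode = "?"
        for (i = 1; i <= NF; i++) {
            if ($i == "{") {
                # Permissions sit between the braces and may be several words
                for (j = i + 1; j <= NF && $j != "}"; j++)
                    perm = perm (perm ? "," : "") $j
            }
            else if ($i ~ /^comm=/)        comm = substr($i, 6)
            else if ($i ~ /^tclass=/)      tclass = substr($i, 8)
            else if ($i ~ /^scontext=/)    scon = substr($i, 10)
            else if ($i ~ /^tcontext=/)    tcon = substr($i, 10)
            else if ($i == "permissive=1") mode = "logged-only"  # not enforced
            else if ($i == "permissive=0") mode = "blocked"      # enforced
        }
        gsub(/"/, "", comm)
        printf "%s %s %s %s -> %s (%s)\n", comm, perm, tclass, scon, tcon, mode
    }'
}

# Constructed sample input (not taken from a real host).
sample_audit_log() {
    cat <<'EOF'
type=AVC msg=audit(1700000000.101:501): avc:  denied  { connectto } for  pid=2101 comm="httpd" path="/tmp/.newrelic.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1700000000.202:502): avc:  denied  { name_connect } for  pid=2150 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000000.303:503): avc:  denied  { write } for  pid=2101 comm="php-fpm" name=".newrelic.sock" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file permissive=1
type=SYSCALL msg=audit(1700000000.303:503): arch=c000003e syscall=42 success=yes exit=0 comm="php-fpm" exe="/usr/sbin/php-fpm"
EOF
}

# Demo on the sample; on a real host feed it the audit log instead, e.g.
#   ausearch -m AVC -ts recent | newrelic_avc_denials
sample_audit_log | newrelic_avc_denials
```

A line marked logged-only while the host is in permissive mode is an access that will be blocked again once enforcing mode is restored, so it points at what a custom policy would need to allow.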

SELinux is security software designed to limit the communication of processes in your environment. It is a powerful tool in server security. As such, you should implement and configure it to suit your own server environment.

New Relic does not influence decisions on how to configure your server security or processes you allow to run. We are not responsible for security decisions for your software. You should review your configuration settings to make sure they comply with your own security policies before implementing.
