Data stops reporting while using SELinux

Problem

Your agent stops reporting data when you use New Relic's PHP agent on an operating system where SELinux is either included by default or has been added to the environment for security purposes.

Cause

New Relic does not influence decisions on how you configure your server security or which processes you allow to run. We are not responsible for the security decisions for your software; review any change against your own security policies before implementing it.

By default, the agent's PHP extension and daemon communicate via a Unix socket, /tmp/.newrelic.sock. When SELinux is set to Enforcing mode and has not been configured to allow the extension and daemon to communicate, it prevents those two agent components from communicating with each other.

SELinux is security software designed to limit the communication of processes in your environment. It is a powerful tool in server security and, as such, should be implemented and configured to suit your own server environment.

Solution

To resolve this issue, there are 3 options:

Configure SELinux to allow New Relic to communicate

With SELinux, you can configure a custom policy to allow for communication. This process, however, is outside of the scope of New Relic support and should be handled by your own security policies.

The necessary steps are available on the internet and are easily located by searching for "SELinux policy module creation."
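
To confirm that SELinux is what blocks the socket before writing a policy module or switching modes, check the audit log for AVC denials that name the socket. The script below is an added example, not New Relic code; it assumes auditd records are supplied on stdin (for example from /var/log/audit/audit.log), and the function names and sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example (not New Relic code): summarise SELinux AVC denials that
# mention the agent socket. Audit records are read from stdin.
SOCK_NAME=".newrelic.sock"   # socket file name taken from the page

nr_avc_denials() {
    awk -v sock="$SOCK_NAME" '
    /avc: +denied/ && index($0, sock) {
        s = t = c = perms = ""; p = "unknown"; inb = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "{") { inb = 1; continue }   # permission list opens
            if ($i == "}") { inb = 0; continue }   # permission list closes
            if (inb)                      perms = (perms == "" ? "" : perms ",") $i
            else if ($i ~ /^scontext=/)   s = substr($i, 10)
            else if ($i ~ /^tcontext=/)   t = substr($i, 10)
            else if ($i ~ /^tclass=/)     c = substr($i, 8)
            else if ($i ~ /^permissive=/) p = substr($i, 12)
        }
        key = s " " t " " c " " perms " permissive=" p
        if (!seen[key]++) print key   # one line per distinct denial
    }'
}

# Constructed sample records: contexts, pids and timestamps are made up.
nr_sample_log() {
    cat <<'EOF'
type=AVC msg=audit(1700000000.101:410): avc:  denied  { write } for  pid=2101 comm="httpd" name=".newrelic.sock" dev="dm-0" ino=5511 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1700000005.340:418): avc:  denied  { write } for  pid=2107 comm="httpd" name=".newrelic.sock" dev="dm-0" ino=5511 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=sock_file permissive=0
type=AVC msg=audit(1700000009.772:425): avc:  denied  { connectto } for  pid=2101 comm="httpd" path="/tmp/.newrelic.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1700000012.015:431): avc:  denied  { read } for  pid=998 comm="sshd" name="motd" dev="dm-0" ino=77 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1700000012.015:431): arch=c000003e syscall=2 success=no exit=-13
EOF
}

# Demo on the constructed records; on a real host use:
#   nr_avc_denials < /var/log/audit/audit.log
nr_sample_log | nr_avc_denials
```

Each output line is one distinct denial, given as source context, target context, object class and permissions. These are the accesses a custom policy module would have to allow, so review them against your own security policy before permitting any of them.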

Set SELinux to permissive mode

This may be used as a temporary measure to verify that SELinux is responsible for data not being reported.

Setting SELinux to permissive mode allows your services to operate without restrictions. The default setting is restored if you restart the server.

To set to permissive mode, use the command:

    setenforce Permissive

Disable SELinux

New Relic does not actively encourage disabling security software. Configuring SELinux to allow New Relic to function fully is the optimal decision.

If you decide that disabling SELinux is the right decision for your server, use the following steps to permanently disable SELinux:

  1. Edit the SELinux sysconfig file using this command:

    vi /etc/sysconfig/selinux
    
  2. Find the SELINUX= setting and change it to:

    SELINUX=disabled

  3. Restart your server in order for the setting to take effect.

For more help

Join the discussion about PHP in the New Relic Online Technical Community! The Technical Community is a public platform to discuss and troubleshoot your New Relic toolset.

If you need additional help, get support at support.newrelic.com.