
SELinux Agent Install


I have installed a Web and a Java agent; the host and main web agent are visible. So far so good, but I do not see agents from Apache (the module) and Tomcat/JBoss. Am I doing something wrong? I have no SELinux error messages anymore. Or is there a SELinux policy for Dynatrace Agents?


KR Henk Stobbe




Any information printed in the agent logs (you can find them in the agent installation directory)?

Certified Dynatrace Master, Dynatrace Partner -




Thx for your input, the issue is solved; there was no log (-;

I made a mistake using " " in the for Tomcat, 


KR Henk Stobbe




I've had to work with system engineers on getting Dynatrace to work with SELinux policies. As to what the policy rules are, I don't know, but I know they had to make some sort of exception for Dynatrace agents.

Dynatrace Mentor


Is it possible to share this SELinux policy? It could be a good start for other customers.


Dynatrace Champion

I would love for someone to validate my SELinux dynatrace module.

Since I have a customer struggling with this issue and saw it mentioned lately in the forum, I thought I would try from scratch to get it working.  I know nothing about SELinux other than what I skimmed on the link given above, so feel free to correct me if my way is totally off base.

 Below are the steps I followed to get Apache httpd working with Dynatrace and SELinux running in Enforcing mode.

Using this link as my primary reference:, I performed the following steps:
1. Installed dynatrace 6.1.0 on CentOS in /opt/dynatrace-6.1.0 with ownership dynatrace:dynatrace
2. Set SELINUX=permissive and SELINUXTYPE=targeted in /etc/selinux/config
3. Rebooted VM
4. Started server, collector and web server agent
5. Instrumented and started httpd (service httpd start)
6. Installed setroubleshoot package to get the "audit2allow" command
7. Created a dynatrace module (cd /var/log/audit;audit2allow -M dynatrace < allow.log)
8. Installed the dynatrace module (semodule -i dynatrace.pp)
9. Set SELINUX=enforcing SELINUXTYPE=targeted in /etc/selinux/config
10. Rebooted VM
11. Started server, collector and web server agent
12. Started httpd (service httpd start)
I can share the resulting "dynatrace.te" and/or "dynatrace.pp" if anyone would like to try it out.
These are the contents of "dynatrace.te":

module dynatrace 1.0;

require {
	type httpd_tmp_t;
	type httpd_t;
	type usr_t;
	type port_t;
	class capability { fowner fsetid };
	class tcp_socket name_connect;
	class file { write execute unlink create setattr };
}

#============= httpd_t ==============

#!!!! This avc is allowed in the current policy
allow httpd_t httpd_tmp_t:file execute;

#!!!! This avc is allowed in the current policy
allow httpd_t port_t:tcp_socket name_connect;

#!!!! This avc is allowed in the current policy
allow httpd_t self:capability { fowner fsetid };

#!!!! This avc is allowed in the current policy
allow httpd_t usr_t:file { write create unlink setattr };

This way seems much simpler than the way documented here:  Web Server Agent SharedMemory Error but as I said before, I know next to nothing about SELinux, so any feedback would be welcome.
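
Added example (not part of the original post and not Dynatrace code): a small Python reviewer that groups AVC denials the way steps 7 and 8 above turn them into allow rules, and marks rules whose target is a default catch-all type such as port_t or usr_t, since those rules apply to every port or file carrying that type and not only the agent's. The log lines, function names and the GENERIC_TYPES heuristic are assumptions constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample AVC denials (not from the thread), shaped like audit.log entries.
SAMPLE_LOG = """\
type=AVC msg=audit(1452251500.101:410): avc:  denied  { name_connect } for  pid=1301 comm="httpd" dest=9998 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1452251500.140:411): avc:  denied  { write } for  pid=1301 comm="httpd" name="agent.log" dev=dm-0 ino=2001 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1452251500.141:412): avc:  denied  { create } for  pid=1301 comm="httpd" name="agent.log" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1452251500.150:413): avc:  denied  { fowner } for  pid=1301 comm="httpd" capability=3 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=capability
type=SYSCALL msg=audit(1452251500.150:413): arch=c000003e syscall=90 success=no
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}.*?scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)")

# Reviewer heuristic (an assumption of this example): default catch-all types
# whose rules cover far more than the agent's own files or ports.
GENERIC_TYPES = {"port_t", "usr_t"}

def se_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]

def collect_denials(log_text):
    """Group denied permissions by (source type, target type, class)."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:  # non-AVC records (SYSCALL etc.) are skipped
            perms, scon, tcon, tclass = m.groups()
            denials[(se_type(scon), se_type(tcon), tclass)].update(perms.split())
    return denials

def to_rules(denials):
    """Render allow rules as a .te file lists them, flagging generic targets."""
    rules = []
    for (src, tgt, tclass), perms in sorted(denials.items()):
        target = "self" if src == tgt else tgt
        plist = " ".join(sorted(perms))
        perm_str = plist if len(perms) == 1 else "{ " + plist + " }"
        note = "  # REVIEW: generic type" if tgt in GENERIC_TYPES else ""
        rules.append(f"allow {src} {target}:{tclass} {perm_str};{note}")
    return rules

if __name__ == "__main__":
    print("\n".join(to_rules(collect_denials(SAMPLE_LOG))))
```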


Dynatrace Champion

I worked with a customer today to get Apache working with the version 6.1 dtwsagent in Linux with SELinux enabled. My initial "dynatrace.pp" was missing one permission, but after we corrected it, things seem to start working fine.

The dynatrace.pp (compiled) and dynatrace.te (human readable) files are available here:

Just download the files, and run this command to add the module to SELinux:

semodule -i dynatrace.pp

If you make use of this technique, please let me know how it works for you via email (




I am working on two separate Apache agent installations, one on 6.1 and one on version 6.2. Both do not start with SELinux.

1: above dynatrace.pp does not help

2: semanage fcontext -a -t httpd_sys_rw_content_t

-R -v /opt/dynatrace-6.2 does not help

Logfile with two errors:

Jan 08 12:11:40 2016] [notice] caught SIGTERM, shutting down

[Fri Jan 08 12:11:40 2016] [notice] SELinux policy enabled; httpd running as
context unconfined_u:system_r:httpd_t:s0

[Fri Jan 08 12:11:40 2016] [notice] suEXEC mechanism enabled (wrapper:

2016-01-08 12:11:40 [baca2879] info [native] Apache reports revision 2.2.15()

2016-01-08 12:11:40 [baca2879] info [native] Apache reports version string
(irrelevant for dtagent)

2016-01-08 12:11:40 [baca2879] info [native] => Detected Apache version 2.2

2016-01-08 12:11:40 [baca2879] info [native] Detected bo variant

2016-01-08 12:11:40 [baca2879] warning [native] SharedMemory::attachOrCreate:
Could not open already existing file

2016-01-08 12:11:40 [baca2879] info [native] Loading collector peer list from

2016-01-08 12:11:40 [baca2879] info [native] 0 entries loaded

Cannot open log file
Permission denied

[Fri Jan 08 12:11:40 2016] [notice] Digest: generating secret for digest
authentication ...

[Fri Jan 08 12:11:40 2016] [notice] Digest: done

[Fri Jan 08 12:11:40 2016] [notice] Apache/2.2.15 (Unix) DAV/2 mod_ssl/2.2.15
OpenSSL/1.0.1e-fips configured -- resuming normal operations

The file '/opt/dynatrace-6.2/log/dt_cmslap1233a_acc_webserver_bootstrap_13402.0.log': is not created

Anybody a clue?

KR Henk