
SELinux Agent Install

henk_stobbe
Mentor

I have installed a Web and a Java agent; the host and main web agent are visible. So far so good, but I do not see agents from Apache (the module) and Tomcat/JBoss. Am I doing something wrong? I have no SELinux error messages anymore. Or is there a SELinux policy for Dynatrace Agents?

 

KR Henk Stobbe

 

7 REPLIES

r_weber
Pro

Any information printed in the agent logs (you can find them in the agent installation directory)?

Certified Dynatrace Master, Dynatrace Partner - 360Performance.net

henk_stobbe
Mentor

Reinhard,

 

Thx for your input, issue is solved, there was no log (-;

I made a mistake using " " in the setenv.sh for Tomcat.

 

KR Henk Stobbe

 

 

allan_schiebol1
Inactive

I've had to work with system engineers on getting Dynatrace to work with SELinux policies. As to what the policy rules are, I don't know, but, I know they had to make some sort of exception for Dynatrace agents. 

chris_geebelen
Dynatrace Mentor

Hi,

Is it possible to share this SELinux policy? It could be a good start for other customers.

Chris

dave_mauney
Dynatrace Champion

I would love for someone to validate my SELinux dynatrace module.

Since I have a customer struggling with this issue and saw it mentioned lately in the forum, I thought I would try from scratch to get it working.  I know nothing about SELinux other than what I skimmed on the link given above, so feel free to correct me if my way is totally off base.

Below are the steps I followed to get Apache httpd working with Dynatrace and SELinux running in Enforcing mode.

Using this link as my primary reference: http://wiki.centos.org/HowTos/SELinux, I performed the following steps:
1. Installed dynatrace 6.1.0 on CentOS in /opt/dynatrace-6.1.0 with ownership dynatrace:dynatrace
2. Set SELINUX=permissive and SELINUXTYPE=targeted in /etc/selinux/config
3. Rebooted VM
4. Started server, collector and web server agent
5. Instrumented and started httpd (server httpd start)
6. Installed setroubleshoot package to get the "audit2allow" command
7. Created a dynatrace module (cd /var/log/audit;audit2allow -M dynatrace < allow.log)
8. Installed the dynatrace module (semodule -i dynatrace.pp)
9. Set SELINUX=enforcing SELINUXTYPE=targeted in /etc/selinux/config
10. Rebooted VM
11. Started server, collector and web server agent
12. Started httpd (server httpd start)
I can share the resulting "dynatrace.te" and/or "dynatrace.pp" if anyone would like to try it out.
These are the contents of "dynatrace.te":

module dynatrace 1.0;

require {
	type httpd_tmp_t;
	type httpd_t;
	type usr_t;
	type port_t;
	class capability { fowner fsetid };
	class tcp_socket name_connect;
	class file { write execute unlink create setattr };
}

#============= httpd_t ==============

#!!!! This avc is allowed in the current policy
allow httpd_t httpd_tmp_t:file execute;

#!!!! This avc is allowed in the current policy
allow httpd_t port_t:tcp_socket name_connect;

#!!!! This avc is allowed in the current policy
allow httpd_t self:capability { fowner fsetid };

#!!!! This avc is allowed in the current policy
allow httpd_t usr_t:file { write create unlink setattr };

This way seems much simpler than the way documented here:  Web Server Agent SharedMemory Error but as I said before, I know next to nothing about SELinux, so any feedback would be welcome.

Thanks,
dave

dave_mauney
Dynatrace Champion

I worked with a customer today to get Apache working with the version 6.1 dtwsagent in Linux with SELinux enabled. My initial "dynatrace.pp" was missing one permission, but after we corrected it, things seem to start working fine.

The dynatrace.pp (compiled) and dynatrace.te (human readable) files are available here:

https://www.dropbox.com/sh/udny1r84iz6yuvo/AAAywV3DxmdeANRpSWdNGSApa?dl=0

Just download the files, and run this command to add the module to SELinux:

semodule -i dynatrace.pp

If you make use of this technique, please let me know how it works for you via email (dave.mauney@dynatrace.com).

HTH,

dave

henk_stobbe
Mentor

I am working on two separate Apache agent installations, one on 6.1 and one on version 6.2. Both do not start with SELinux.

1: The above dynatrace.pp does not help

2: semanage fcontext -a -t httpd_sys_rw_content_t '/opt/dynatrace-6.2(/.*)?'

restorecon -R -v /opt/dynatrace-6.2 does not help

Logfile with two errors:

[Fri Jan 08 12:11:40 2016] [notice] caught SIGTERM, shutting down
[Fri Jan 08 12:11:40 2016] [notice] SELinux policy enabled; httpd running as context unconfined_u:system_r:httpd_t:s0
[Fri Jan 08 12:11:40 2016] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
2016-01-08 12:11:40 [baca2879] info [native] Apache reports revision 2.2.15()
2016-01-08 12:11:40 [baca2879] info [native] Apache reports version string (irrelevant for dtagent)
2016-01-08 12:11:40 [baca2879] info [native] => Detected Apache version 2.2
2016-01-08 12:11:40 [baca2879] info [native] Detected bo variant
2016-01-08 12:11:40 [baca2879] warning [native] SharedMemory::attachOrCreate: Could not open already existing file
2016-01-08 12:11:40 [baca2879] info [native] Loading collector peer list from /opt/dynatrace-6.2/agent/conf/collectorlist.cmslap1233a_acc_webserver
2016-01-08 12:11:40 [baca2879] info [native] 0 entries loaded
Cannot open log file
Permission denied
[Fri Jan 08 12:11:40 2016] [notice] Digest: generating secret for digest authentication ...
[Fri Jan 08 12:11:40 2016] [notice] Digest: done
[Fri Jan 08 12:11:40 2016] [notice] Apache/2.2.15 (Unix) DAV/2 mod_ssl/2.2.15 OpenSSL/1.0.1e-fips configured -- resuming normal operations

The file '/opt/dynatrace-6.2/log/dt_cmslap1233a_acc_webserver_bootstrap_13402.0.log': is not created

Anybody a clue?

KR Henk
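Added example, not from this thread or from Dynatrace: a small Python reimplementation of what dave's "audit2allow -M dynatrace < allow.log" step does, so the rules can be read before "semodule -i", plus a review pass over the two rules in his dynatrace.te that loosen httpd_t the most. The AVC records are constructed (they match the rules in dave's module and Henk's "Cannot open log file / Permission denied" symptom, with an assumed collector port and file names), and the REVIEW list is this example's own, not part of SELinux or audit2allow.

```python
import re
from collections import defaultdict
# Constructed AVC records in audit.log format (not from the thread): httpd_t creating
# and writing the agent log under usr_t-labelled /opt/dynatrace-6.2/log (Henk's
# "Cannot open log file / Permission denied"), connecting to the collector port,
# and executing its shared-memory file, i.e. what dave's dynatrace.te grants.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1452251500.101:301): avc:  denied  { create } for  pid=13402 comm="httpd" name="dt_bootstrap_13402.0.log" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1452251500.102:302): avc:  denied  { write } for  pid=13402 comm="httpd" name="dt_bootstrap_13402.0.log" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1452251500.103:303): avc:  denied  { name_connect } for  pid=13402 comm="httpd" dest=9998 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1452251500.104:304): avc:  denied  { execute } for  pid=13402 comm="httpd" name="dtagent_shm" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1452251500.104:304): arch=c000003e syscall=2 success=no exit=-13
"""
AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<cls>\w+)")

def parse_denials(audit_text):
    """Map (source_type, target_type, class) -> set of denied permissions."""
    rules = defaultdict(set)
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if not m:  # SYSCALL/PATH records carry no access decision
            continue
        src, tgt = (m.group(k).split(":")[2] for k in ("scon", "tcon"))
        tgt = "self" if tgt == src else tgt  # .te spelling for same-type targets
        rules[(src, tgt, m.group("cls"))].update(m.group("perms").split())
    return dict(rules)

def to_te(rules, module="dynatrace", version="1.0"):
    """Render the rules as a .te module, the shape 'audit2allow -M' produces."""
    types = sorted({s for s, _, _ in rules} | {t for _, t, _ in rules if t != "self"})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls] |= perms
    out = [f"module {module} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""] + [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
                        for (s, t, c), p in sorted(rules.items())]
    return "\n".join(out) + "\n"

# Generated rules that need a justification before 'semodule -i'; each loosens
# httpd_t further than a write to the agent's log directory. List is this example's.
REVIEW = {("httpd_t", "httpd_tmp_t", "file", "execute"): "httpd_t may execute a file it can also write",
          ("httpd_t", "port_t", "tcp_socket", "name_connect"): "port_t is every unlabelled port: connect anywhere"}

def review(rules):
    """Return (rule, reason) pairs for rules in REVIEW, sorted for stable output."""
    return sorted((f"allow {s} {t}:{c} {p};", REVIEW[(s, t, c, p)])
                  for (s, t, c), perms in rules.items() for p in perms if (s, t, c, p) in REVIEW)
```

Run it over your own /var/log/audit/audit.log while still in permissive mode and compare the rendered module with what audit2allow produces; anything review() reports is where a more specific label (for the collector port or the agent's log and shared-memory files) is preferable to the generated rule.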