This is the type enforcement file for creating a policy module that allows the New Relic monitoring agents to run properly on SELinux systems. This is probably not the ultimate type enforcement file, but it contains everything I know about what it needs.
This is just the type enforcement file. It needs to be compiled and installed on your system before it does anything:
checkmodule -M -m -o newrelic.mod newrelic.te
semodule_package -o newrelic.pp -m newrelic.mod
semodule -i newrelic.pp
If the New Relic agents are still not working for you, and you have the setroubleshoot-server package installed, you can use some SELinux commands to help track down the issue.
One way is to search the system messages for messages from setroubleshoot:
grep setroubleshoot /var/log/messages
When SELinux prevents something from happening, you'll see phrases like "...setroubleshoot: SELinux is preventing ..."
At the end of those lines should be a sealert command to run to get more information, for example:
For complete SELinux messages run sealert -l 2bfd4a4c-1f38-49c5-9378-bcb225fa5097
The output of that command will give you complete details of what was denied and why.
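To make the log search above repeatable, here is an added helper (not part of this policy module) that pulls the unique sealert IDs and one-line "what was denied" summaries out of setroubleshoot lines, so each distinct denial can be reviewed once before any policy is generated. The log lines it runs against are constructed for the example; the host name, agent path and second alert ID are made up (the first ID is the one quoted above).

```shell
#!/bin/sh
# Added example (not the New Relic policy or its tooling): triage
# setroubleshoot lines from /var/log/messages.

# Constructed sample of /var/log/messages; host, agent path and the
# second alert ID are made up for this example.
SAMPLE_LOG='Mar  1 10:00:01 host setroubleshoot: SELinux is preventing /opt/newrelic/agent from read access on the file meminfo. For complete SELinux messages run sealert -l 2bfd4a4c-1f38-49c5-9378-bcb225fa5097
Mar  1 10:00:05 host kernel: eth0: link is up
Mar  1 10:00:09 host setroubleshoot: SELinux is preventing /opt/newrelic/agent from read access on the file meminfo. For complete SELinux messages run sealert -l 2bfd4a4c-1f38-49c5-9378-bcb225fa5097
Mar  1 10:01:00 host setroubleshoot: SELinux is preventing /opt/newrelic/agent from name_connect access on the tcp_socket port 8080. For complete SELinux messages run sealert -l 0b2e7e1a-5d3c-4a0f-9c47-3f6b1e2d8a90'

# Unique sealert IDs from setroubleshoot lines read on stdin, one per line.
sealert_ids() {
    grep 'setroubleshoot: SELinux is preventing' \
        | grep -oE 'sealert -l [0-9a-f-]{36}' \
        | awk '{ print $3 }' \
        | sort -u
}

# Unique "what was denied" summaries (binary, access, target) from stdin.
denial_summaries() {
    sed -n 's/.*SELinux is preventing \(.*\)\. For complete SELinux.*/\1/p' \
        | sort -u
}

# Number of distinct alerts in the log text passed as $1.
count_alerts() {
    printf '%s\n' "$1" | sealert_ids | wc -l | tr -d ' '
}

# Stand-alone demo against the constructed sample.  On a real host feed the
# functions with:  grep setroubleshoot /var/log/messages | denial_summaries
printf '%s\n' "$SAMPLE_LOG" | denial_summaries
printf '%s\n' "$SAMPLE_LOG" | sealert_ids | sed 's/^/sealert -l /'
```

The duplicate meminfo lines collapse to one summary and one sealert command, which is the point: decide per denial whether the access is something the agent legitimately needs before running anything sealert suggests.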
Included in that output will be two commands that create another type enforcement file and a policy package permitting the denied action. The first starts with grep and pipes the matching audit log entries into audit2allow, which writes both the package file and the type enforcement file. It will look something like:
grep progname /audit/log/file/path | audit2allow -M mypol
Before you blindly run the second command and install the policy, remember this policy suggestion is generated by a machine and thus not necessarily a good idea. Try to determine whether the result is really what you want to have happen. For example, if you decide the agent shouldn't have the access listed in the file, but you don't want further denials in your log, you can edit the .te (type enforcement) file and change 'allow' to 'dontaudit': SELinux will keep denying the action, but won't log any more alerts for it. See this RedHat HowTo for a starting point for learning more about this.
If you changed the .te file, follow the installation instructions above to install the new policy. If you decide the policy is fine as is, then only the semodule -i command (-i installs the indicated policy file) is necessary.
And if you find you require some permissions not covered here, be sure to post an issue with the contents of the .te file (or a pull request including the new changes) so they can be covered in a future release, if appropriate.
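The following added script (not part of this policy module) ties together the two procedures above: the checkmodule / semodule_package / semodule install sequence, wrapped with checks that the tools exist and that the module actually shows up in semodule -l afterwards, and the 'allow' to 'dontaudit' rewrite of a .te file. The sample .te it demonstrates on is constructed for the example and is not the New Relic policy; the types it names are assumed to exist on the system and the rule is made up. Building and installing only runs when you pass a real .te path as the first argument and requires root.

```shell
#!/bin/sh
# Added example (not the project's own tooling): install a .te module with
# sanity checks, and rewrite allow rules to dontaudit.

# Constructed sample .te for demonstration; the rule is made up and is NOT
# the New Relic policy.
SAMPLE_TE='module example 1.0;

require {
    type unconfined_t;
    type proc_t;
    class file { read open };
}

# constructed rule: permit reading files under /proc
allow unconfined_t proc_t:file { read open };'

# Rewrite every allow rule to dontaudit: the access stays denied, but
# SELinux stops logging the AVC, so setroubleshoot goes quiet for it.
allow_to_dontaudit() {        # $1 = input .te, $2 = output .te
    sed -E 's/^([[:space:]]*)allow[[:space:]]/\1dontaudit /' "$1" > "$2"
}

# Count rule lines of one kind ('allow' or 'dontaudit') in a .te file.
count_rules() {               # $1 = .te file, $2 = rule keyword
    grep -cE "^[[:space:]]*$2[[:space:]]" "$1" || true
}

# Compile and install a .te module (the three README commands), refusing
# to run if the SELinux userspace tools are missing.  Needs root for
# semodule -i.
build_and_install() {         # $1 = path/to/name.te
    te="$1"; name=$(basename "$te" .te); dir=$(dirname "$te")
    for tool in checkmodule semodule_package semodule; do
        command -v "$tool" >/dev/null 2>&1 \
            || { echo "missing $tool" >&2; return 1; }
    done
    checkmodule -M -m -o "$dir/$name.mod" "$te" || return 1
    semodule_package -o "$dir/$name.pp" -m "$dir/$name.mod" || return 1
    semodule -i "$dir/$name.pp" || return 1
    # confirm the module is now loaded before reporting success
    semodule -l | grep -q "^$name" \
        || { echo "$name not listed by semodule -l" >&2; return 1; }
    echo "installed $name"
}

# Stand-alone demo: write the sample, convert it, show the rule counts.
demo() {
    work=$(mktemp -d)
    printf '%s\n' "$SAMPLE_TE" > "$work/example.te"
    allow_to_dontaudit "$work/example.te" "$work/example-quiet.te"
    echo "allow rules before:    $(count_rules "$work/example.te" allow)"
    echo "dontaudit rules after: $(count_rules "$work/example-quiet.te" dontaudit)"
    rm -rf "$work"
}
demo
if [ -n "${1:-}" ]; then
    build_and_install "$1"    # e.g. ./this-script.sh newrelic.te (as root)
fi
```

The rewrite only touches lines that begin with the allow keyword, so the module header and the require block pass through unchanged; after editing, the result still has to go through the same three build commands to take effect.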