Enabling the Nginx plugin for collectd under CentOS (or any other system using SELinux) might be confusing for a newbie. Most sources on the Internet would just install collectd-nginx:
yum install -y collectd-nginx
and configure it in nginx.conf and collectd.conf. Still, the statistics might not work as expected: collectd may not be able to gather statistics from Nginx.
SELinux may prevent the collectd daemon (plugin) from connecting to Nginx and gathering statistics from the Nginx stats page.
Checking the collectd log shows that it reports a problem:
This article is of the kind “the ‘/.autorelabel’ file does not work”: enabling SELINUX ended with an unreachable server.
Enabling SELINUX should be as easy as:
1) editing a text file, /etc/selinux/config, to include
SELINUX=enforcing
2) relabeling all (or at least the root) file systems by creating the “/.autorelabel” file.
3) restarting the system. The boot process will detect the “/.autorelabel” file, relabel the file systems, and then restart the system in the normal boot order.
But this time the relabeling did not happen as usual (it happened on CentOS 8, but it could probably happen in any Linux distribution). The server never became reachable again, and on the screen there were multiple errors, all of them “Permission denied”!
When enabling SELINUX, it is better to set “permissive” mode first, relabel the root file system with “/.autorelabel”, and only then enable “enforcing” mode.
Using “permissive” first for the relabel process guarantees you will have your server back after the process, because the SELINUX rules are not enforced.
Here is the better procedure for enabling SELINUX:
1) edit the text file /etc/selinux/config to include
SELINUX=permissive
2) relabel all (or at least the root) file systems by creating the “/.autorelabel” file.
3) restart the system. The boot process will detect the “/.autorelabel” file, relabel the file systems, and then restart the system in the normal boot order.
4) edit /etc/selinux/config to enable “enforcing” mode
SELINUX=enforcing
5) restart (it’s better) or just enable SELINUX enforcing live with:
setenforce 1
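The same two-stage procedure as a small shell helper. This is an added example, not code from the original article; the function names and the ROOT variable are hypothetical (ROOT is empty on a real system, or points at a scratch directory for a dry run). The second stage refuses to switch to enforcing while “/.autorelabel” is still present, which means the relabel has not run yet.

```shell
#!/bin/sh
# Added example: two-stage SELinux enablement, following the procedure above.
# ROOT is a hypothetical variable (not from the article): empty on a real
# system, or a scratch directory when trying the functions out.

selinux_config() { printf '%s/etc/selinux/config' "${ROOT:-}"; }

# Print the mode currently configured in the SELINUX= line.
selinux_mode() {
    sed -n 's/^SELINUX=\([a-z]*\).*/\1/p' "$(selinux_config)" | tail -n 1
}

# Rewrite only the SELINUX= line; SELINUXTYPE= and comments stay untouched.
set_selinux_mode() {
    case "$1" in
        enforcing|permissive|disabled) ;;
        *) echo "invalid mode: $1" >&2; return 2 ;;
    esac
    cfg=$(selinux_config)
    tmp=$(mktemp) || return 1
    if grep -q '^SELINUX=' "$cfg"; then
        sed "s/^SELINUX=.*/SELINUX=$1/" "$cfg" > "$tmp"
    else
        { cat "$cfg"; printf 'SELINUX=%s\n' "$1"; } > "$tmp"
    fi
    # Write back in place so the file keeps its owner, mode and label.
    cat "$tmp" > "$cfg"
    rm -f "$tmp"
}

# Stage 1: permissive mode plus the relabel trigger, then reboot.
stage1_permissive_relabel() {
    set_selinux_mode permissive || return 1
    touch "${ROOT:-}/.autorelabel"
    echo "Reboot now; the boot process relabels and reboots again."
}

# Stage 2: switch to enforcing only after the relabel has completed.
stage2_enforcing() {
    if [ -e "${ROOT:-}/.autorelabel" ]; then
        echo "/.autorelabel still present: relabel has not run" >&2
        return 1
    fi
    if [ "$(selinux_mode)" != permissive ]; then
        echo "expected permissive mode before enforcing" >&2
        return 1
    fi
    set_selinux_mode enforcing || return 1
    echo "Reboot, or run 'setenforce 1' to enforce immediately."
}
```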
Our screenshot log of the failed relabel process
SCREENSHOT 1) No autorelabel initiated on boot despite the presence of “/.autorelabel” file.
Multiple “Permission Denied” errors and many reports from “audit”, the SELINUX log daemon. The host is unreachable: no network started. No logging is possible!
SCREENSHOT 2) A page up above the first screen – more “Permission Denied” errors.
SCREENSHOT 3) Second page up above the first screen – the SELINUX rules loaded successfully but no autorelabel process initiated.
A successful relabel process on boot
SCREENSHOT 1) Successful start of the relabel process.
We’ve changed the SELINUX mode to “permissive” and everything is back to normal: the “/.autorelabel” file initiated the relabel on the next boot.
SCREENSHOT 2) The relabeling of the file system is in progress.
There is a progress counter.
SCREENSHOT 3) The relabel process finished successfully and the reboot is initiated.
On the next reboot the “/.autorelabel” file won’t exist and the system will boot normally.