Enabling the Nginx plugin for collectd under CentOS (or any other system using SELinux) might be confusing for a newbie. Most sources on the Internet would just install collectd-nginx:
yum install -y collectd-nginx
and configure it in the nginx.conf and collectd.conf. Still, the statistics might not work as expected, the collectd may not be able to gather statistics from the Nginx.
SELinux may prevent collectd (plugin) daemon to connect to Nginx and gather statistics from the Nginx stats page.
Checking the collectd log and it reports a problem:
Keep on reading!
So you execute a script and get a “Permission denied” and you know you have enabled SELinux. OK to disable the selinux is not an option (and never will be), so the first thing to check is the audit log to see what is the error and what the selinux tools will offer to solve it.
But there are no entries in the audit log when you execute your script!
So you decide to temporarily disable the selinux to check if this permission denied issues is still caused by it with:
And the script just executes fine no error! Then again you put back the Enforcing with:
And NO added lines in audit.log (/var/log/audit/audit.log in our system!). Apparently the logging is just fine, because it got sometime entries, but when executing our script, which is just a simple:
After some research it appeared that
not all AVC denials may be logged when SELinux denies access.
Too many applications and system libraries check for permissions, which might not use or even need after that and the logging could grow exponentially or be less informative for the real cause of a problem!
Keep on reading!