Minor things need adjusting after New Relic installation for it to work nicely with SElinux.
## pidfile location

The default location for newrelic.daemon.pidfile is /var/run/newrelic-daemon.pid. /var/run is typed var_run_t, to which httpd_t has no access. Seen in /var/log/audit/audit.log as:

```
type=AVC msg=audit(1): avc: denied { write } for pid=1783 comm="newrelic-daemon" name="newrelic-daemon.pid" dev="tmpfs" ino=420511703 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
```

The directory for php-fpm sockets provides a friendlier home for the pidfile, since it already carries a context httpd_t can write to:

```
$ semanage fcontext -l | grep php-fpm
/var/run/php-fpm(/.*)?    all files    system_u:object_r:httpd_var_run_t:s0
```

So change newrelic.ini:

```
newrelic.daemon.pidfile = "/var/run/php-fpm/newrelic-daemon.pid"
```

## log directory context

php-fpm cannot access the log file, as shown in the systemd journal:

```
Aug 29 13:37:00 herpderp.mobile php-fpm[1217]: open /var/log/newrelic/newrelic-daemon.log: permission denied
```

The installation creates the directory for the New Relic logs at /var/log/newrelic, which defaults to var_log_t. Add a file context rule for the log directory and restore contexts:

```
semanage fcontext -a -t httpd_log_t "/var/log/newrelic(/.*)?"
restorecon -R /var/log/newrelic
```

## httpd_execmem

New Relic also needs execmem, as shown in /var/log/audit/audit.log:

```
type=AVC msg=audit(2): avc: denied { execmem } for pid=1217 comm="php-fpm" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process
```

Allow httpd_t execmem via the SELinux boolean:

```
setsebool -P httpd_execmem 1
```

Restart php-fpm and it should be good to go.
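As an added check (not part of the original post), the following POSIX shell function maps httpd_t AVC denials to the three fixes above, so the audit log can be triaged before touching contexts or booleans. The sample input reuses the two AVC lines from this post plus a constructed var_log_t denial standing in for the log-file error; the remedy strings are hypothetical labels, not tool output.

```shell
# Constructed sample: the two AVC lines quoted above plus a made-up var_log_t
# denial (audit id 3) representing the newrelic-daemon.log permission error.
SAMPLE_AVC='type=AVC msg=audit(1): avc:  denied  { write } for  pid=1783 comm="newrelic-daemon" name="newrelic-daemon.pid" dev="tmpfs" ino=420511703 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(2): avc:  denied  { execmem } for  pid=1217 comm="php-fpm" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process
type=AVC msg=audit(3): avc:  denied  { append } for  pid=1217 comm="php-fpm" name="newrelic-daemon.log" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file'

# Read audit lines on stdin (e.g. from /var/log/audit/audit.log or ausearch)
# and print "<audit id> <remedy>" for every denial whose source is httpd_t.
# Denials this post does not cover are reported as "unhandled".
classify_avc() {
    awk '
    /^type=AVC/ && /scontext=[^ ]*:httpd_t:/ {
        perm = ""; ttype = ""; tclass = ""; id = ""
        # permission set, e.g. "{ write }" -> "write"
        if (match($0, /[{] [^}]* [}]/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
        # target type is the third field of tcontext=user:role:type:level
        if (match($0, /tcontext=[^ ]*/)) { split(substr($0, RSTART, RLENGTH), a, ":"); ttype = a[3] }
        if (match($0, /tclass=[^ ]*/)) tclass = substr($0, RSTART + 7, RLENGTH - 7)
        if (match($0, /audit\([^)]*\)/)) id = substr($0, RSTART + 6, RLENGTH - 7)
        remedy = "unhandled"
        if (tclass == "process" && perm == "execmem")
            remedy = "setsebool -P httpd_execmem 1"
        else if (ttype == "var_run_t")
            remedy = "move pidfile under /var/run/php-fpm (httpd_var_run_t)"
        else if (ttype == "var_log_t")
            remedy = "semanage fcontext -a -t httpd_log_t + restorecon -R"
        print id, remedy
    }'
}

# Usage on a live box would be: classify_avc < /var/log/audit/audit.log
printf '%s\n' "$SAMPLE_AVC" | classify_avc
```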