SELinux blocks httpd from accessing database

[olifre]

Affected Puppet, Ruby, OS and module versions/distributions

• Puppet: 5.3.3
• Ruby: (builtin since puppet 5)
• Distribution: CentOS 7.4
• Module version: 480541e

How to reproduce (e.g Puppet code you use)

Most basic setup, PostgreSQL-DB, Zabbix-Server and Web-UI one a single host.

What are you seeing

SELinux complains:

type=AVC msg=audit(1516033832.022:66562): avc:  denied  { name_connect } for  pid=10101 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket

and Web-UI does not work.

What behaviour did you expect instead

I expected the puppet module to set:

setsebool httpd_can_network_connect_db=1

which fixes this.

[Fabian1976]

I ran into the same issue. And created a PR #481

[tux-o-matic]

It shouldn't be up to this module to set SE Linux for this. Should be the Zabbix RPM.

[Fabian1976]

Yes, it should. But it's not.
In the PR, you can see that we decided NOT to included this SEBoolean in the module but we did make a note of it in the README.
It should be done by the RPM, but now we advise to apply it in a profile.

[bastelfreak]

As noticed by @Fabian1976, this is expected behaviour. I'm going to close this issue. @olifre please reopen if you think we should further discuss this.