This repository has been archived by the owner on Jan 10, 2023. It is now read-only.

Selinux prevents apache from connecting to tomcat #18

Open
biddster opened this issue Nov 14, 2013 · 6 comments

@biddster

I'm performing a monolithic install of Stash on CentOS 6.4 x64. The Cookbook works great but once it's finished apache is unable to connect to tomcat.

I have to ssh to the stash server and issue:

$ sudo setsebool -P httpd_can_network_connect 1
$ sudo service httpd restart

No big deal to sort - but is there anything we can do in the cookbook?

I've checked the apache cookbook docs and they say that it's up to you to sort out selinux.

@ghost ghost assigned bflad Nov 15, 2013
@bflad
Owner

bflad commented Nov 15, 2013

I'm open to adding in some additional support for selinux.

@biddster
Author

Something quick and dirty like this would probably suffice:

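case node[:platform_family]
when 'rhel'
    # setsebool is provided by policycoreutils
    package "policycoreutils"
    execute "setsebool -P httpd_can_network_connect 1" do
        # Run only while the boolean is still off, so repeated runs change nothing
        only_if "getsebool -a | grep 'httpd_can_network_connect --> off'"
    end
end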
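
Added example, not part of the original thread or the cookbook: the guard decision from the recipe above written as plain Ruby, extended to skip hosts where SELinux is disabled and to match the boolean name exactly. The function names and the sample getsebool output are constructed for illustration.

```ruby
# Added example: plain Ruby, no Chef required. Sample outputs are constructed.

# Parse `getsebool` output lines of the form "name --> on|off" into a hash.
def parse_getsebool(output)
  output.each_line.with_object({}) do |line, bools|
    m = line.strip.match(/\A(\S+) --> (on|off)\z/)
    bools[m[1]] = (m[2] == 'on') if m
  end
end

# Decide what a configuration run should do for one boolean.
#   getenforce_out: output of `getenforce` (Enforcing, Permissive or Disabled)
#   getsebool_out:  output of `getsebool -a`
# Returns :skip_disabled, :unknown_boolean, :already_on or :set_persistent.
def boolean_action(getenforce_out, getsebool_out, name)
  # With SELinux disabled, getsebool and setsebool both fail, so do nothing.
  return :skip_disabled if getenforce_out.strip.casecmp('disabled').zero?

  state = parse_getsebool(getsebool_out)[name]
  return :unknown_boolean if state.nil? # policy does not define this boolean
  # Permissive hosts are still converged, so a later switch to enforcing works.
  state ? :already_on : :set_persistent
end

# The command the recipe on this page runs when the action is :set_persistent.
def setsebool_command(name)
  ['setsebool', '-P', name, '1']
end

# Constructed sample of `getsebool -a` output.
SAMPLE = <<~OUT
  httpd_can_network_connect --> off
  httpd_can_network_connect_db --> on
  httpd_enable_cgi --> on
OUT

if __FILE__ == $PROGRAM_NAME
  %w[Enforcing Permissive Disabled].each do |mode|
    puts "#{mode}: #{boolean_action(mode, SAMPLE, 'httpd_can_network_connect')}"
  end
end
```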

@bflad
Owner

bflad commented Nov 16, 2013

Thanks for the details. I'll work on implementation tomorrow.

@bflad
Owner

bflad commented Nov 18, 2013

Personally, I'd rather fix this the "right way" by having the Opscode apache/selinux cookbook handle the SELinux boolean handling. We'd then just add the appropriate default logic here. It looks like a boolean LWRP was sent in a pull request to the selinux cookbook way long ago, but got mixed up with restorecon changes that made it into Chef 11.6 and hence closed out without that functionality being added.

So. Let's resubmit a new issue to Opscode noting the lack of the boolean handling and get that in their (likely selinux) cookbook. Let me know if you want me to do this.

@biddster
Author

Thanks, I think we should both pile in on this one and see if we can push it through. I can't believe the entire world runs selinux in permissive mode?

@bflad
Owner

bflad commented Jan 23, 2015

Resurrecting this old discussion. Has the Chef landscape changed here with respect to selinux handling?
