Icinga / icingaweb2

A lightweight and extensible web interface to keep an eye on your environment. Analyse problems and act on them.
https://icinga.com/get-started/
GNU General Public License v2.0

RHEL8/SELinux: IcingaDB-Web can't connect to Redis with icingaweb2-selinux installed #5034

Open mocdaniel opened 1 year ago

mocdaniel commented 1 year ago

Describe the bug

After installing icinga2, icingadb, icingadb-redis, icingaweb2, and icingadb-web on a freshly deployed RHEL8 server, Icingaweb2/IcingaDB-Web can't connect to the Redis instance deployed by IcingaDB-Redis. This happens despite having installed both the icinga2-selinux and icingaweb2-selinux policy packages.

To Reproduce

Provide a link to a live example, or an unambiguous set of steps to reproduce this issue. Include configuration, logs, etc. to reproduce, if relevant.

1. Install the packages:

   $ dnf install icinga2 icingadb icingadb-redis icinga2-selinux icingaweb2 icingaweb2-selinux icingadb-web

2. Configure all components according to the documentation, don't touch any config regarding Redis as this is wired up correctly in the respective components by default.
3. Open Icingaweb, follow the setup according to the documentation
4. Icingaweb2 will complain that it can't connect to Redis running on the same host

Expected behavior

With SELinux enabled and icingaweb2-selinux/icinga2-selinux installed, communication between Redis and Icingaweb should be possible.

Your Environment

Include as many relevant details about the environment you experienced the problem in

Additional context

The problem can be fixed by setting the following SELinux boolean:

$ setsebool -P httpd_can_network_connect on

This should be a work-around, not a permanent solution.

Some more information regarding the apparently missing policy, thx for pointing that out @pdolinic

$ audit2allow -rli /var/log/audit/audit.log

require {
        type httpd_t;
        type redis_port_t;
        class tcp_socket name_connect;
}

#============= httpd_t ==============

#!!!! This avc can be allowed using the boolean 'httpd_can_network_connect'
allow httpd_t redis_port_t:tcp_socket name_connect;
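The boolean above lets httpd_t connect to any TCP port, which is far broader than the single AVC audit2allow reports. As an added example (not from this issue or the Icinga project), the script below wraps exactly that require block and allow rule in a local policy module so only the redis_port_t connection is permitted; the module name httpd_redis_connect is an assumption, and building it requires checkpolicy/policycoreutils and root.

```shell
#!/bin/sh
# Added example: grant only the AVC from the audit2allow output above
# via a local SELinux module, instead of enabling httpd_can_network_connect.
set -eu

MODULE_NAME=httpd_redis_connect   # hypothetical module name

# Emit the type-enforcement source: the require block and allow rule are the
# ones audit2allow generated; only the module header line is added.
gen_te() {
    cat <<EOF
module ${MODULE_NAME} 1.0;

require {
        type httpd_t;
        type redis_port_t;
        class tcp_socket name_connect;
}

allow httpd_t redis_port_t:tcp_socket name_connect;
EOF
}

# Compile, package and load the module (needs checkmodule, semodule_package,
# semodule and root privileges).
build_and_install() {
    workdir=$(mktemp -d)
    gen_te > "${workdir}/${MODULE_NAME}.te"
    checkmodule -M -m -o "${workdir}/${MODULE_NAME}.mod" "${workdir}/${MODULE_NAME}.te"
    semodule_package -o "${workdir}/${MODULE_NAME}.pp" -m "${workdir}/${MODULE_NAME}.mod"
    semodule -i "${workdir}/${MODULE_NAME}.pp"
    rm -rf "${workdir}"
}

# Check the result: the narrow rule is present (sesearch is from setools) and
# the broad boolean can stay off.
verify() {
    sesearch -A -s httpd_t -t redis_port_t -c tcp_socket -p name_connect
    getsebool httpd_can_network_connect
}
```

Run `build_and_install` and then `verify` as root; if the boolean was already switched on as a workaround, `setsebool -P httpd_can_network_connect off` returns to the narrower rule.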

dgoetz commented 1 year ago

Please bring this issue upstream (https://bugzilla.redhat.com - Product: Red Hat Enterprise Linux 8 - Component: selinux-policy, also mention newer versions and derivatives as affected), as there are rules for httpd_t to allow connection to the redis socket and a boolean for memcache, it looks more like an oversight there.

mocdaniel commented 1 year ago

Upstream issue created here.