While officially we can only support SimpleRisk as an application, and not as it operates with every imaginable OS configuration, Matthew Frick was kind enough to put together some instructions on how he got it to work with SELinux.  They are provided here for your reference:

SimpleRisk requires the following SELinux Booleans to be enabled:

  • httpd_read_user_content

For native password reset functionality and/or the Notifications Extra, the following Boolean is needed in addition to appropriate SMTP configuration updates within php.ini:

  • httpd_can_sendmail

If hosting SimpleRisk Apache and MySQL instances on separate machines, the following Boolean is needed to permit database connectivity from the web tier:

  • httpd_can_network_connect

As root, these Booleans can be set with the setsebool command in Linux, e.g.:

  • setsebool -P <Boolean_name>=1

To validate the current configuration of SELinux Booleans, use getsebool, e.g.:

  • getsebool -a | grep <Boolean_name>

To summarize, these are the SELinux Booleans that are turned on for httpd to work on a SimpleRisk application server:

  • httpd_builtin_scripting
  • httpd_can_network_connect
  • httpd_can_sendmail
  • httpd_dbus_avahi
  • httpd_enable_cgi
  • httpd_read_user_content
  • httpd_tty_comm
  • httpd_unified

All of these SELinux Booleans should be able to be turned off:
  • allow_httpd_anon_write
  • allow_httpd_mod_auth_ntlm_winbind
  • allow_httpd_mod_auth_pam
  • allow_httpd_sys_script_anon_write
  • httpd_can_check_spam
  • httpd_can_network_connect_cobbler
  • httpd_can_network_connect_db
  • httpd_can_network_memcache
  • httpd_can_network_relay
  • httpd_dbus_sssd
  • httpd_enable_ftp_server
  • httpd_enable_homedirs
  • httpd_execmem
  • httpd_manage_ipa
  • httpd_run_preupgrade
  • httpd_run_stickshift
  • httpd_serve_cobbler_files
  • httpd_setrlimit
  • httpd_ssi_exec
  • httpd_tmp_exec
  • httpd_use_cifs
  • httpd_use_fusefs
  • httpd_use_gpg
  • httpd_use_nfs
  • httpd_use_openstack
  • httpd_verify_dns
  • named_bind_http_port