SELinux Enforcing Mode: Issues with Prometheus and Node Exporter Connectivity

Hello Red Hat Community,

I'm seeking guidance on configuring SELinux policies for Prometheus and Node Exporter services on RHEL 9.4. Currently, these services are running under their respective system users (prometheus and node_exporter), with executable files owned by the corresponding service users.

When SELinux is in Enforcing mode, Prometheus cannot connect to Node Exporter or scrape its own metrics. I encounter the following errors:

Get "http://my.url.com:80/node_exporter": dial tcp 127.0.0.1:80: connect: permission denied
Get "http://my.url.com:80/prometheus/metrics": dial tcp 127.0.0.1:80: connect: permission denied

The services function correctly when SELinux is set to Permissive mode.

I'm looking for guidance on appropriate SELinux policies to allow these services to operate in Enforcing mode.

I've come across a suggestion to set the bin_t context for executable files and directories, but I'm unsure if this is the optimal approach.

Any advice on properly configuring SELinux for these services would be greatly appreciated.
Thank you for your assistance.

Responses