You want to manage an SELinux boolean.
class enable_bool {
  selboolean { 'collectd_tcp_network_connect':
    # if persistent is set to false the change will be lost on reboot
    persistent => true,
    value      => 'on',
  }
}
SELinux booleans allow parts of the SELinux policy to be changed at runtime without writing custom policy modules. Each boolean typically controls whether SELinux permits a particular action.
You can list all the available booleans and their current values with getsebool.
$ getsebool -a | grep http
httpd_can_network_connect_db --> off
httpd_can_network_memcache --> off
You can gather more details, such as a description of each boolean's purpose and its default value, by running semanage.
$ sudo semanage boolean --list
SELinux boolean State Default Description
...
httpd_can_network_connect (off , off) Allow httpd to can network connect
httpd_can_network_memcache (off , off) Allow httpd to can network memcache
...
The Puppet resource that manages the boolean is a simple one, and the only attributes you'll typically need are value, which controls whether the boolean is on or off, and persistent, which determines whether the change survives a reboot.
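As an added example (not code from the original page), the manifest below puts the selboolean resource in context: it enables the boolean the page uses before the service that needs it starts, and it pins a second boolean from the getsebool output above to off so that a manual setsebool change is reverted on the next run. The class name, the collectd package and service names, and the ordering are assumptions for illustration.

```puppet
# Added example, not from the original page. Package and service names
# (collectd) and the class name are assumed for illustration.
class profile::collectd_selinux {
  package { 'collectd':
    ensure => installed,
  }

  # Enable the boolean persistently and make sure the policy change is
  # applied before the daemon is started, so the first start does not
  # hit an AVC denial.
  selboolean { 'collectd_tcp_network_connect':
    value      => 'on',
    persistent => true,
    before     => Service['collectd'],
  }

  service { 'collectd':
    ensure  => running,
    enable  => true,
    require => Package['collectd'],
  }

  # Declaring the 'off' state explicitly documents the intent and
  # reverts drift if someone toggled the boolean by hand with setsebool.
  selboolean { 'httpd_can_network_connect_db':
    value      => 'off',
    persistent => true,
  }
}
```

After a run you can confirm the result with the same commands shown above: getsebool -a should report collectd_tcp_network_connect as on and httpd_can_network_connect_db as off, and because persistent is true the values remain the same after a reboot.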