Bug 1118088
| Field | Value |
|---|---|
| Summary | SELinux haproxy denied name_connect to port 5002 |
| Product | Fedora |
| Component | selinux-policy |
| Version | 20 |
| Status | CLOSED NOTABUG |
| Severity | unspecified |
| Priority | unspecified |
| Reporter | Richard Su <rwsu> |
| Assignee | Miroslav Grepl <mgrepl> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | bperkins, dominick.grift, dwalsh, lvrabec, mgrepl |
| Hardware | Unspecified |
| OS | Unspecified |
| Type | Bug |
| Doc Type | Bug Fix |
| Last Closed | 2014-07-14 22:50:42 UTC |
| Attachments | 916969 (audit.log), 916970 (audit2.log) |
Created attachment 916969 [details]
audit.log

Description of problem:
haproxy fails to start up because SELinux blocks the ports it is proxying.

The first time I ran devtest, all ports that were being proxied were denied. See audit.log.

I created a custom policy and saw that I needed to run `setsebool -P haproxy_connect_any 1`.

I then reran devtest, but one issue still remains: haproxy is still being denied name_connect to port 5002. See audit2.log.

Version-Release number of selected component (if applicable):
haproxy-1.5.1-1.fc20.x86_64
selinux-policy-3.12.1-176.fc20.noarch
selinux-policy-targeted-3.12.1-176.fc20.noarch

How reproducible:
always

Steps to Reproduce:
1. Run tripleo devtest with SELinux in enforcing mode.

Actual results:
haproxy fails to start up

Expected results:
haproxy starts up

Additional info:

```
type=AVC msg=audit(1404794732.360:20): avc: denied { name_connect } for pid=386 comm="haproxy" dest=5002 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
```

---

Created attachment 916970 [details]
audit2.log when using "setsebool -P haproxy_connect_any 1"

---

What does the following show?

```
sesearch -A -s haproxy_t -t unreserved_port_t -c tcp_socket -p name_connect -C
```

```
Found 2 semantic av rules:
DT allow nsswitch_domain unreserved_port_t : tcp_socket { name_bind name_connect } ; [ nis_enabled ]
DT allow haproxy_t port_type : tcp_socket { recv_msg send_msg name_bind name_connect } ; [ haproxy_connect_any ]
```

This looks like the boolean should have enabled it.

---

```
[root@mini audit]# sesearch -A -s haproxy_t -t unreserved_port_t -c tcp_socket -p name_connect -C
Found 2 semantic av rules:
DT allow nsswitch_domain unreserved_port_t : tcp_socket { name_bind name_connect } ; [ nis_enabled ]
ET allow haproxy_t port_type : tcp_socket { recv_msg send_msg name_bind name_connect } ; [ haproxy_connect_any ]
```

After upgrading the selinux policy on the build system I don't see that error anymore. Went from selinux-policy-3.12.1-166 to selinux-policy-3.12.1-176. Will close this ticket.
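The comparison made in the comments above (which conditional rule in the `sesearch -C` output would grant the denied `name_connect`, and whether its boolean is currently on) can be done mechanically. The following Python is an added example, not code from the bug report or from the selinux-policy project; it embeds the AVC record and the two `sesearch` outputs pasted in the report as constructed sample input, and reads the two-letter prefix `sesearch -C` prints on each conditional rule (E/D for enabled/disabled, T/F for the true/false branch of the conditional).

```python
import re

# Constructed sample input: the AVC denial and the two sesearch -C outputs
# pasted in the bug report (boolean haproxy_connect_any off, then on).
AVC_LINE = ('type=AVC msg=audit(1404794732.360:20): avc: denied { name_connect } '
            'for pid=386 comm="haproxy" dest=5002 '
            'scontext=system_u:system_r:haproxy_t:s0 '
            'tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket')
SESEARCH_BOOL_OFF = """Found 2 semantic av rules:
   DT allow nsswitch_domain unreserved_port_t : tcp_socket { name_bind name_connect } ; [ nis_enabled ]
   DT allow haproxy_t port_type : tcp_socket { recv_msg send_msg name_bind name_connect } ; [ haproxy_connect_any ]
"""
SESEARCH_BOOL_ON = SESEARCH_BOOL_OFF.replace("DT allow haproxy_t", "ET allow haproxy_t")

# sesearch -C prefixes each conditional rule with two flags: E/D says whether the
# rule is currently enabled, T/F whether it lives in the true or false branch.
RULE_RE = re.compile(
    r"^([ED])([TF])\s+allow\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s*\{([^}]*)\}\s*;\s*\[\s*(\S+)\s*\]")

def parse_avc(line):
    """Pull the fields needed for a policy lookup out of one AVC record."""
    def field(key):
        return re.search(r"\b%s=(\S+)" % key, line).group(1)
    perm = re.search(r"denied\s*\{\s*([^}]+?)\s*\}", line).group(1)
    return {"perm": perm, "tclass": field("tclass"),
            "source": field("scontext").split(":")[2],   # type field of the context
            "target": field("tcontext").split(":")[2]}

def parse_rules(output):
    """Turn sesearch -C lines into dicts; non-rule lines (the header) are skipped."""
    rules = []
    for line in output.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            enabled, branch, src, tgt, cls, perms, boolean = m.groups()
            rules.append({"enabled": enabled == "E", "branch": branch, "source": src,
                          "target": tgt, "class": cls, "perms": perms.split(),
                          "boolean": boolean})
    return rules

def triage(avc_line, sesearch_output):
    """Name the booleans whose rules grant the denied permission, split by state.
    sesearch was already scoped with -s/-t, so rules written against attributes
    (nsswitch_domain, port_type) are taken as applying to the denied pair."""
    avc = parse_avc(avc_line)
    hits = [r for r in parse_rules(sesearch_output)
            if r["class"] == avc["tclass"] and avc["perm"] in r["perms"]]
    return {"denied": avc,
            "enabled": sorted(r["boolean"] for r in hits if r["enabled"]),
            "disabled": sorted(r["boolean"] for r in hits if not r["enabled"])}

if __name__ == "__main__":
    for label, out in (("boolean off", SESEARCH_BOOL_OFF), ("boolean on", SESEARCH_BOOL_ON)):
        print(label, triage(AVC_LINE, out))
```

With the first output every matching rule is disabled, so the denial is expected; with the second, `haproxy_connect_any` is enabled, which is why a denial that still appears points at the loaded policy differing from the one inspected (the reporter's upgrade from -166 to -176).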