Bug 1447800

Summary: SELinux is preventing haproxy-systemd from 'execute_no_trans' accesses on the file /usr/sbin/haproxy.
Product: Fedora
Reporter: Alessio <alciregi>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: urgent
Priority: urgent
Version: 26
CC: bperkins, dominick.grift, dwalsh, erik, kanelxake, lvrabec, mgrepl, omnileet, plautrba, pmoore, p_s_oberoi, rohara, ssekidde
Hardware: x86_64
OS: Unspecified
Whiteboard: abrt_hash:9266a3699f0ed3d37343286ac4795d0660b6c4aa4edd64f04749b4fc0a12f675;VARIANT_ID=workstation;
Fixed In Version: selinux-policy-3.13.1-260.14.fc26
Clones: 1600578
Last Closed: 2017-11-15 20:12:42 UTC

Description Alessio 2017-05-03 21:04:43 UTC
Description of problem:
Install haproxy 
sudo dnf install haproxy-1.7.3-2.fc26.x86_64

Start the service
sudo systemctl start haproxy

haproxy doesn't start
systemctl status haproxy
● haproxy.service - HAProxy Load Balancer
   Loaded: loaded (/usr/lib/systemd/system/haproxy.service; disabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Wed 2017-05-03 22:59:11 CEST; 2min 26s ago
  Process: 11304 ExecStart=/usr/sbin/haproxy-systemd-wrapper -f $CONFIG -p $PIDFILE (code=exited, status=1/FAILURE)
  Process: 11303 ExecStartPre=/usr/sbin/haproxy -f $CONFIG -c -q (code=exited, status=0/SUCCESS)
 Main PID: 11304 (code=exited, status=1/FAILURE)

May 03 22:59:11 localhost.localdomain systemd[1]: Starting HAProxy Load Balancer...
May 03 22:59:11 localhost.localdomain systemd[1]: Started HAProxy Load Balancer.
May 03 22:59:11 localhost.localdomain haproxy-systemd-wrapper[11304]: haproxy-systemd-wrapper: executing /usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid -Ds
May 03 22:59:11 localhost.localdomain haproxy-systemd-wrapper[11304]: haproxy-systemd-wrapper: execv(/usr/sbin/haproxy) failed, please try again later.
May 03 22:59:11 localhost.localdomain haproxy-systemd-wrapper[11304]: haproxy-systemd-wrapper: exit, haproxy RC=1
May 03 22:59:11 localhost.localdomain systemd[1]: haproxy.service: Main process exited, code=exited, status=1/FAILURE
May 03 22:59:11 localhost.localdomain systemd[1]: haproxy.service: Unit entered failed state.
May 03 22:59:11 localhost.localdomain systemd[1]: haproxy.service: Failed with result 'exit-code'.

journalctl reports:

May 03 23:03:15 localhost.localdomain setroubleshoot[11308]: SELinux is preventing haproxy-systemd from execute_no_trans access on the file /usr/sbin/haproxy. For complete SELinux messages. run sealert -l 254e4717-9e9f-4d83-bc28-3abc60097348
SELinux is preventing haproxy-systemd from 'execute_no_trans' accesses on the file /usr/sbin/haproxy.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that haproxy-systemd should be allowed execute_no_trans access on the haproxy file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'haproxy-systemd' --raw | audit2allow -M my-haproxysystemd
# semodule -X 300 -i my-haproxysystemd.pp

Additional Information:
Source Context                system_u:system_r:haproxy_t:s0
Target Context                system_u:object_r:haproxy_exec_t:s0
Target Objects                /usr/sbin/haproxy [ file ]
Source                        haproxy-systemd
Source Path                   haproxy-systemd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           haproxy-1.7.3-2.fc26.x86_64
Policy RPM                    selinux-policy-3.13.1-251.fc26.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.11.0-0.rc8.git0.1.fc26.x86_64 #1
                              SMP Mon Apr 24 15:42:54 UTC 2017 x86_64 x86_64
Alert Count                   3
First Seen                    2017-05-03 22:55:52 CEST
Last Seen                     2017-05-03 22:59:11 CEST
Local ID                      254e4717-9e9f-4d83-bc28-3abc60097348

Raw Audit Messages
type=AVC msg=audit(1493845151.171:584): avc:  denied  { execute_no_trans } for  pid=11305 comm="haproxy-systemd" path="/usr/sbin/haproxy" dev="dm-0" ino=563219 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:haproxy_exec_t:s0 tclass=file permissive=0


Hash: haproxy-systemd,haproxy_t,haproxy_exec_t,file,execute_no_trans

Version-Release number of selected component:
selinux-policy-3.13.1-251.fc26.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.9.1
hashmarkername: setroubleshoot
kernel:         4.11.0-0.rc8.git0.1.fc26.x86_64
type:           libreport

Comment 1 Erik Logtenberg 2017-07-22 16:11:09 UTC
Same here. Already a fix available?

Comment 2 Paramjit Oberoi 2017-09-08 15:50:36 UTC
Me too.

Comment 3 Erik Logtenberg 2017-09-10 11:29:18 UTC
So I mean, this simple module fixes it of course:

module fix_haproxy 1.0;

require {
        type haproxy_exec_t;
        type haproxy_t;
        class file execute_no_trans;
}

#============= haproxy_t ==============
allow haproxy_t haproxy_exec_t:file execute_no_trans;

Would be nice if the policy would be updated to include this permission, as HAProxy cannot do some of the more fancy stuff without this. Or at least make it a boolean or something.
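Added example, not part of this bug report, of the reporter's output, or of selinux-policy: a small Python script that parses raw AVC lines like the one in the description and renders the minimal type-enforcement module, which is what `audit2allow -M` produced for the `fix_haproxy` module above. The sample audit text is constructed from the AVC in this report plus a SYSCALL record of the kind `ausearch --raw` emits next to it, to show that non-AVC lines are skipped. The denial itself arises because haproxy-systemd-wrapper already runs in haproxy_t and then execs /usr/sbin/haproxy (labelled haproxy_exec_t) without a domain transition for that pair; SELinux checks such an in-domain exec as `execute_no_trans`, so that one permission is what the rule has to grant.

```python
"""Derive a minimal SELinux allow rule from raw AVC denials.

Added example; not part of the bug report or of selinux-policy. It does,
for a constructed sample, what `audit2allow -M` did for the reporter:
turns the AVC quoted in the description into the fix_haproxy module from
comment 3. The denial arises because haproxy-systemd-wrapper already runs
in haproxy_t and execs /usr/sbin/haproxy (haproxy_exec_t) without a
domain transition, which SELinux checks as execute_no_trans.
"""
import re
from collections import defaultdict

# Constructed sample: the AVC from the report, plus the kind of SYSCALL
# record ausearch --raw emits alongside it (no AVC in it, must be skipped).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1493845151.171:584): avc:  denied  { execute_no_trans } for  pid=11305 comm="haproxy-systemd" path="/usr/sbin/haproxy" dev="dm-0" ino=563219 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:haproxy_exec_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1493845151.171:584): arch=c000003e syscall=59 success=no exit=-13 comm="haproxy-systemd"
"""

# Matches the permission set, the two contexts and the object class of a denial.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(context):
    """Return the type of a user:role:type[:range] security context."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one raw audit line; return None for records that are not AVC denials."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": m.group("perms").split(),
        "source": context_type(m.group("scontext")),
        "target": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }


def collect_rules(audit_text):
    """Group denied permissions by (source type, target type, object class)."""
    rules = defaultdict(set)
    for line in audit_text.splitlines():
        avc = parse_avc(line)
        if avc:
            rules[(avc["source"], avc["target"], avc["tclass"])].update(avc["perms"])
    return dict(rules)


def perm_set(perms):
    """Render a permission set the way policy language expects: bare or braced."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def render_te(module_name, rules, version="1.0"):
    """Render a type-enforcement (.te) module in the layout audit2allow emits."""
    types = sorted({t for src, tgt, _ in rules for t in (src, tgt)})
    by_class = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        by_class[cls].update(perms)
    lines = [f"module {module_name} {version};", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {cls} {perm_set(by_class[cls])};" for cls in sorted(by_class)]
    lines += ["}", ""]
    for (src, tgt, cls), perms in sorted(rules.items()):
        lines.append(f"#============= {src} ==============")
        lines.append(f"allow {src} {tgt}:{cls} {perm_set(perms)};")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Prints fix_haproxy.te; an admin would then compile and load it with
    #   checkmodule -M -m -o fix_haproxy.mod fix_haproxy.te
    #   semodule_package -o fix_haproxy.pp -m fix_haproxy.mod
    #   semodule -i fix_haproxy.pp
    print(render_te("fix_haproxy", collect_rules(SAMPLE_AUDIT)), end="")
```

Run as a script it prints the same module as comment 3 (with tabs where the comment shows spaces). The rule is deliberately narrow: it only lets haproxy_t execute its own haproxy_exec_t binary in place, nothing broader. After `semodule -i`, confirm the rule is present with `sesearch -A -s haproxy_t -t haproxy_exec_t -c file -p execute_no_trans`, and re-run `ausearch -m AVC -ts recent` to check that no further denials remain before treating the service as fixed.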

Comment 4 Sascha Schmidt 2017-10-20 08:14:56 UTC
Any progress?

Comment 5 Sascha Schmidt 2017-10-20 09:00:35 UTC
The module suggested by Erik Logtenberg works.

(In reply to Erik Logtenberg from comment #3)
> So I mean, this simple module fixes it of course:
> 
> 
> module fix_haproxy 1.0;
> 
> require {
>         type haproxy_exec_t;
>         type haproxy_t;
>         class file execute_no_trans;
> }
> 
> #============= haproxy_t ==============
> allow haproxy_t haproxy_exec_t:file execute_no_trans;
> 
> Would be nice if the policy would be updated to include this permission, as
> HAProxy cannot do some of the more fancy stuff without this. Or at least
> make it a boolean or something.

This works.

Comment 6 Lukas Vrabec 2017-10-22 13:11:51 UTC
Will be fixed in next selinux-policy Fedora 26 update.

Comment 7 Fedora Update System 2017-10-26 12:33:17 UTC
selinux-policy-3.13.1-260.14.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-d312739a4e

Comment 8 Fedora Update System 2017-11-15 20:12:42 UTC
selinux-policy-3.13.1-260.14.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.