Bug 1600578
Summary: | SELinux prevents haproxy-systemd from 'execute_no_trans' accesses on the file /usr/sbin/haproxy | |
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Milos Malik <mmalik> |
Component: | selinux-policy | Assignee: | Lukas Vrabec <lvrabec> |
Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
Severity: | high | Docs Contact: | |
Priority: | high | ||
Version: | 7.6 | CC: | bperkins, hannsj_uhl, hongkliu, lvrabec, mgrepl, mmalik, nelluri, plautrba, rbiba, ssekidde |
Target Milestone: | rc | ||
Target Release: | 7.6 | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | abrt_hash:9266a3699f0ed3d37343286ac4795d0660b6c4aa4edd64f04749b4fc0a12f675;VARIANT_ID=workstation; | ||
Fixed In Version: | | Doc Type: | If docs needed, set a value
Doc Text: | | Story Points: | ---
Clone Of: | 1447800 | Environment: | |
Last Closed: | 2018-10-30 10:06:46 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | |
Bug Depends On: | 1600434 | |
Bug Blocks: | | |
Description
Milos Malik
2018-07-12 14:15:47 UTC
*** Bug 1607759 has been marked as a duplicate of this bug. ***

(In reply to Milos Malik from comment #0)
> +++ This bug was initially created as a clone of Bug #1447800 +++
>
> Problem description:
> the haproxy service does not start
>
> NVRs:
> haproxy-1.5.18-7.el7.x86_64
> selinux-policy-3.13.1-207.el7.noarch
> selinux-policy-devel-3.13.1-207.el7.noarch
> selinux-policy-doc-3.13.1-207.el7.noarch
> selinux-policy-minimum-3.13.1-207.el7.noarch
> selinux-policy-mls-3.13.1-207.el7.noarch
> selinux-policy-sandbox-3.13.1-207.el7.noarch
> selinux-policy-targeted-3.13.1-207.el7.noarch
>
> 1) Install haproxy
> sudo dnf install haproxy
>
> 2) Start the service
> sudo systemctl start haproxy
>
> haproxy doesn't start
> systemctl status haproxy
> ● haproxy.service - HAProxy Load Balancer
>    Loaded: loaded (/usr/lib/systemd/system/haproxy.service; disabled; vendor preset: disabled)
>    Active: failed (Result: exit-code) since Wed 2017-05-03 22:59:11 CEST; 2min 26s ago
>   Process: 11304 ExecStart=/usr/sbin/haproxy-systemd-wrapper -f $CONFIG -p $PIDFILE (code=exited, status=1/FAILURE)
>   Process: 11303 ExecStartPre=/usr/sbin/haproxy -f $CONFIG -c -q (code=exited, status=0/SUCCESS)
>  Main PID: 11304 (code=exited, status=1/FAILURE)
>
> May 03 22:59:11 localhost.localdomain systemd[1]: Starting HAProxy Load Balancer...
> May 03 22:59:11 localhost.localdomain systemd[1]: Started HAProxy Load Balancer.
> May 03 22:59:11 localhost.localdomain haproxy-systemd-wrapper[11304]: haproxy-systemd-wrapper: executing /usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid -Ds
> May 03 22:59:11 localhost.localdomain haproxy-systemd-wrapper[11304]: haproxy-systemd-wrapper: execv(/usr/sbin/haproxy) failed, please try again later.
> May 03 22:59:11 localhost.localdomain haproxy-systemd-wrapper[11304]: haproxy-systemd-wrapper: exit, haproxy RC=1
> May 03 22:59:11 localhost.localdomain systemd[1]: haproxy.service: Main process exited, code=exited, status=1/FAILURE
> May 03 22:59:11 localhost.localdomain systemd[1]: haproxy.service: Unit entered failed state.
> May 03 22:59:11 localhost.localdomain systemd[1]: haproxy.service: Failed with result 'exit-code'.
>
> journalctl reports:
>
> May 03 23:03:15 localhost.localdomain setroubleshoot[11308]: SELinux is preventing haproxy-systemd from execute_no_trans access on the file /usr/sbin/haproxy. For complete SELinux messages. run sealert -l 254e4717-9e9f-4d83-bc28-3abc60097348
> SELinux is preventing haproxy-systemd from 'execute_no_trans' accesses on the file /usr/sbin/haproxy.
>
> ***** Plugin catchall (100. confidence) suggests **************************
>
> If you believe that haproxy-systemd should be allowed execute_no_trans access on the haproxy file by default.
> Then you should report this as a bug.
> You can generate a local policy module to allow this access.
> Do
> allow this access for now by executing:
> # ausearch -c 'haproxy-systemd' --raw | audit2allow -M my-haproxysystemd
> # semodule -X 300 -i my-haproxysystemd.pp
>
> Additional Information:
> Source Context                system_u:system_r:haproxy_t:s0
> Target Context                system_u:object_r:haproxy_exec_t:s0
> Target Objects                /usr/sbin/haproxy [ file ]
> Source                        haproxy-systemd
> Source Path                   haproxy-systemd
> Port                          <Unknown>
> Host                          (removed)
> Source RPM Packages
> Target RPM Packages           haproxy-1.7.3-2.fc26.x86_64
> Policy RPM                    selinux-policy-3.13.1-251.fc26.noarch
> Selinux Enabled               True
> Policy Type                   targeted
> Enforcing Mode                Enforcing
> Host Name                     (removed)
> Platform                      Linux (removed) 4.11.0-0.rc8.git0.1.fc26.x86_64 #1 SMP Mon Apr 24 15:42:54 UTC 2017 x86_64 x86_64
> Alert Count                   3
> First Seen                    2017-05-03 22:55:52 CEST
> Last Seen                     2017-05-03 22:59:11 CEST
> Local ID                      254e4717-9e9f-4d83-bc28-3abc60097348
>
> Raw Audit Messages
> type=AVC msg=audit(1493845151.171:584): avc: denied { execute_no_trans } for pid=11305 comm="haproxy-systemd" path="/usr/sbin/haproxy" dev="dm-0" ino=563219 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:haproxy_exec_t:s0 tclass=file permissive=0
>
>
> Hash: haproxy-systemd,haproxy_t,haproxy_exec_t,file,execute_no_trans
>
> Version-Release number of selected component:
> selinux-policy-3.13.1-251.fc26.noarch
>
> Additional info:
> component:      selinux-policy
> reporter:       libreport-2.9.1
> hashmarkername: setroubleshoot
> kernel:         4.11.0-0.rc8.git0.1.fc26.x86_64
> type:           libreport
>
> --- Additional comment from Erik Logtenberg on 2017-07-22 12:11:09 EDT ---
>
> Same here. Already a fix available?
>
> --- Additional comment from Paramjit Oberoi on 2017-09-08 11:50:36 EDT ---
>
> Me too.
>
> --- Additional comment from Erik Logtenberg on 2017-09-10 07:29:18 EDT ---
>
> So I mean, this simple module fixes it of course:
>
>
> module fix_haproxy 1.0;
>
> require {
>         type haproxy_exec_t;
>         type haproxy_t;
>         class file execute_no_trans;
> }
>
> #============= haproxy_t ==============
> allow haproxy_t haproxy_exec_t:file execute_no_trans;
>
> Would be nice if the policy would be updated to include this permission, as HAProxy cannot do some of the more fancy stuff without this. Or at least make it a boolean or something.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3111
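As an added example (not code from the bug report, setroubleshoot or the selinux-policy project), a small Python parser for the AVC record quoted above: it extracts the source and target types, rebuilds the "Hash:" key setroubleshoot printed in the report, flags the pattern behind this denial (a wrapper in haproxy_t executing its own haproxy_exec_t entrypoint without a domain transition), and renders the minimal .te module Erik posted. The self-re-exec heuristic (a `<name>_t` domain executing `<name>_exec_t`) and the field order of the hash key are assumptions inferred from the page, not SELinux or setroubleshoot rules.

```python
import re

# Constructed sample input: the raw AVC record quoted in this bug report, reflowed to one line.
SAMPLE_AVC = (
    'type=AVC msg=audit(1493845151.171:584): avc: denied { execute_no_trans } '
    'for pid=11305 comm="haproxy-systemd" path="/usr/sbin/haproxy" dev="dm-0" '
    'ino=563219 scontext=system_u:system_r:haproxy_t:s0 '
    'tcontext=system_u:object_r:haproxy_exec_t:s0 tclass=file permissive=0'
)

_AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$')
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Split one AVC denial into its fields; None if the line is not an AVC denial."""
    m = _AVC_RE.search(line)
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in _KV_RE.findall(m.group('rest'))}
    if not all(k in kv for k in ('scontext', 'tcontext', 'tclass')):
        return None
    return {
        'perms': m.group('perms').split(),
        'comm': kv.get('comm', ''),
        'path': kv.get('path', ''),
        'stype': kv['scontext'].split(':')[2],   # type field of user:role:type:level
        'ttype': kv['tcontext'].split(':')[2],
        'tclass': kv['tclass'],
        'permissive': kv.get('permissive') == '1',  # 1 means logged, not blocked
    }

def setroubleshoot_hash(d):
    """Rebuild the 'Hash:' key from the report; field order comm,stype,ttype,tclass,perms is assumed."""
    return ','.join([d['comm'], d['stype'], d['ttype'], d['tclass'], *d['perms']])

def is_self_reexec(d):
    """Heuristic (assumption, not an SELinux rule): the domain execs its own entrypoint file
    without a transition, the pattern haproxy-systemd-wrapper -> /usr/sbin/haproxy shows."""
    return ('execute_no_trans' in d['perms'] and d['tclass'] == 'file'
            and d['stype'].endswith('_t') and d['ttype'] == d['stype'][:-2] + '_exec_t')

def render_module(d, name='fix_haproxy', version='1.0'):
    """Render the minimal .te module that allows exactly this denial, as in the report."""
    perms = d['perms'][0] if len(d['perms']) == 1 else '{ ' + ' '.join(d['perms']) + ' }'
    return (f'module {name} {version};\n\nrequire {{\n\ttype {d["ttype"]};\n\ttype {d["stype"]};\n'
            f'\tclass {d["tclass"]} {perms};\n}}\n\n'
            f'allow {d["stype"]} {d["ttype"]}:{d["tclass"]} {perms};\n')
```

Denials that do not match the self-re-exec pattern deserve a look at what the domain is actually touching before any local module is loaded, since an allow rule generated from a single AVC line widens the policy for every process in that domain.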