Bug 1600578

Summary: SELinux prevents haproxy-systemd from 'execute_no_trans' accesses on the file /usr/sbin/haproxy
Product: Red Hat Enterprise Linux 7
Reporter: Milos Malik <mmalik>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: high
Priority: high
Version: 7.6
CC: bperkins, hannsj_uhl, hongkliu, lvrabec, mgrepl, mmalik, nelluri, plautrba, rbiba, ssekidde
Target Milestone: rc
Target Release: 7.6
Hardware: All
OS: Linux
Whiteboard: abrt_hash:9266a3699f0ed3d37343286ac4795d0660b6c4aa4edd64f04749b4fc0a12f675;VARIANT_ID=workstation;
Doc Type: If docs needed, set a value
Clone Of: 1447800
Last Closed: 2018-10-30 10:06:46 UTC
Bug Depends On: 1600434

Description Milos Malik 2018-07-12 14:15:47 UTC
+++ This bug was initially created as a clone of Bug #1447800 +++

Problem description:
the haproxy service does not start

NVRs:
haproxy-1.5.18-7.el7.x86_64
selinux-policy-3.13.1-207.el7.noarch
selinux-policy-devel-3.13.1-207.el7.noarch
selinux-policy-doc-3.13.1-207.el7.noarch
selinux-policy-minimum-3.13.1-207.el7.noarch
selinux-policy-mls-3.13.1-207.el7.noarch
selinux-policy-sandbox-3.13.1-207.el7.noarch
selinux-policy-targeted-3.13.1-207.el7.noarch

1) Install haproxy 
sudo dnf install haproxy

2) Start the service
sudo systemctl start haproxy

haproxy doesn't start
systemctl status haproxy
● haproxy.service - HAProxy Load Balancer
   Loaded: loaded (/usr/lib/systemd/system/haproxy.service; disabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Wed 2017-05-03 22:59:11 CEST; 2min 26s ago
  Process: 11304 ExecStart=/usr/sbin/haproxy-systemd-wrapper -f $CONFIG -p $PIDFILE (code=exited, status=1/FAILURE)
  Process: 11303 ExecStartPre=/usr/sbin/haproxy -f $CONFIG -c -q (code=exited, status=0/SUCCESS)
 Main PID: 11304 (code=exited, status=1/FAILURE)

May 03 22:59:11 localhost.localdomain systemd[1]: Starting HAProxy Load Balancer...
May 03 22:59:11 localhost.localdomain systemd[1]: Started HAProxy Load Balancer.
May 03 22:59:11 localhost.localdomain haproxy-systemd-wrapper[11304]: haproxy-systemd-wrapper: executing /usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid -Ds
May 03 22:59:11 localhost.localdomain haproxy-systemd-wrapper[11304]: haproxy-systemd-wrapper: execv(/usr/sbin/haproxy) failed, please try again later.
May 03 22:59:11 localhost.localdomain haproxy-systemd-wrapper[11304]: haproxy-systemd-wrapper: exit, haproxy RC=1
May 03 22:59:11 localhost.localdomain systemd[1]: haproxy.service: Main process exited, code=exited, status=1/FAILURE
May 03 22:59:11 localhost.localdomain systemd[1]: haproxy.service: Unit entered failed state.
May 03 22:59:11 localhost.localdomain systemd[1]: haproxy.service: Failed with result 'exit-code'.

journalctl reports:

May 03 23:03:15 localhost.localdomain setroubleshoot[11308]: SELinux is preventing haproxy-systemd from execute_no_trans access on the file /usr/sbin/haproxy. For complete SELinux messages. run sealert -l 254e4717-9e9f-4d83-bc28-3abc60097348
SELinux is preventing haproxy-systemd from 'execute_no_trans' accesses on the file /usr/sbin/haproxy.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that haproxy-systemd should be allowed execute_no_trans access on the haproxy file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'haproxy-systemd' --raw | audit2allow -M my-haproxysystemd
# semodule -X 300 -i my-haproxysystemd.pp

Additional Information:
Source Context                system_u:system_r:haproxy_t:s0
Target Context                system_u:object_r:haproxy_exec_t:s0
Target Objects                /usr/sbin/haproxy [ file ]
Source                        haproxy-systemd
Source Path                   haproxy-systemd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           haproxy-1.7.3-2.fc26.x86_64
Policy RPM                    selinux-policy-3.13.1-251.fc26.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.11.0-0.rc8.git0.1.fc26.x86_64 #1
                              SMP Mon Apr 24 15:42:54 UTC 2017 x86_64 x86_64
Alert Count                   3
First Seen                    2017-05-03 22:55:52 CEST
Last Seen                     2017-05-03 22:59:11 CEST
Local ID                      254e4717-9e9f-4d83-bc28-3abc60097348

Raw Audit Messages
type=AVC msg=audit(1493845151.171:584): avc:  denied  { execute_no_trans } for  pid=11305 comm="haproxy-systemd" path="/usr/sbin/haproxy" dev="dm-0" ino=563219 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:haproxy_exec_t:s0 tclass=file permissive=0


Hash: haproxy-systemd,haproxy_t,haproxy_exec_t,file,execute_no_trans

Version-Release number of selected component:
selinux-policy-3.13.1-251.fc26.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.9.1
hashmarkername: setroubleshoot
kernel:         4.11.0-0.rc8.git0.1.fc26.x86_64
type:           libreport

--- Additional comment from Erik Logtenberg on 2017-07-22 12:11:09 EDT ---

Same here. Already a fix available?

--- Additional comment from Paramjit Oberoi on 2017-09-08 11:50:36 EDT ---

Me too.

--- Additional comment from Erik Logtenberg on 2017-09-10 07:29:18 EDT ---

So I mean, this simple module fixes it of course:
module fix_haproxy 1.0;

require {
        type haproxy_exec_t;
        type haproxy_t;
        class file execute_no_trans;
}

#============= haproxy_t ==============
allow haproxy_t haproxy_exec_t:file execute_no_trans;

Would be nice if the policy would be updated to include this permission, as HAProxy cannot do some of the more fancy stuff without this. Or at least make it a boolean or something.
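An added example, not from the report or from the selinux-policy package: a small Python parser for the raw AVC record quoted above. It pulls out the source and target types, class and permissions, renders the same allow rule and .te module shape that the quoted comment shows, and flags the specific pattern here, a domain (haproxy_t) denied re-executing its own entrypoint type (haproxy_exec_t) without a transition. The AVC line is copied from the report; the function names are the example's own.

```python
import re
from typing import NamedTuple

# Copy of the raw AVC denial quoted in comment 0 of the report.
AVC_LINE = ('type=AVC msg=audit(1493845151.171:584): avc:  denied  { execute_no_trans } '
            'for  pid=11305 comm="haproxy-systemd" path="/usr/sbin/haproxy" dev="dm-0" '
            'ino=563219 scontext=system_u:system_r:haproxy_t:s0 '
            'tcontext=system_u:object_r:haproxy_exec_t:s0 tclass=file permissive=0')

class Denial(NamedTuple):
    perms: tuple      # permissions listed inside the { ... } braces
    stype: str        # type component of scontext (the acting domain)
    ttype: str        # type component of tcontext (the object)
    tclass: str
    comm: str
    path: str
    enforced: bool    # permissive=0: the access was actually blocked

_PERMS = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}')
_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Split one type=AVC record into the pieces a TE rule is built from."""
    m = _PERMS.search(line)
    if m is None:
        raise ValueError('not an AVC denial record')
    f = {k: v.strip('"') for k, v in _FIELD.findall(line)}
    # A context is user:role:type[:range]; the third component is the type.
    return Denial(tuple(m.group(1).split()), f['scontext'].split(':')[2],
                  f['tcontext'].split(':')[2], f['tclass'], f.get('comm', ''),
                  f.get('path', ''), f.get('permissive') == '0')

def perm_str(perms):
    return perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'

def allow_rule(d):
    """The allow rule audit2allow derives from a single denial."""
    return f'allow {d.stype} {d.ttype}:{d.tclass} {perm_str(d.perms)};'

def te_module(d, name, version='1.0'):
    """Minimal .te module in the shape of the one posted in the report."""
    return '\n'.join([f'module {name} {version};', '', 'require {',
                      f'\ttype {d.ttype};', f'\ttype {d.stype};',
                      f'\tclass {d.tclass} {perm_str(d.perms)};', '}', '',
                      f'#============= {d.stype} ==============', allow_rule(d), ''])

def is_self_exec_no_trans(d):
    """Domain re-executing its own entrypoint type (haproxy_t -> haproxy_exec_t here)."""
    return (d.tclass == 'file' and 'execute_no_trans' in d.perms
            and d.stype.endswith('_t') and d.ttype == d.stype[:-2] + '_exec_t')
```

For the shipped policy, the reference-policy interface can_exec(haproxy_t, haproxy_exec_t) grants this permission set (execute_no_trans included); a local audit2allow module of the kind above is a stopgap until the package policy carries it.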

Comment 1 Radek Bíba 2018-07-24 08:31:07 UTC
*** Bug 1607759 has been marked as a duplicate of this bug. ***

Comment 2 Naga Ravi Chaitanya Elluri 2018-07-26 21:20:41 UTC
(In reply to Milos Malik from comment #0)

Comment 6 errata-xmlrpc 2018-10-30 10:06:46 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3111