Bug 1608548

Summary: caddy: selinux blocking QUIC
Product: [Fedora] Fedora
Reporter: Gunnar Guðvarðarson <gunnar>
Component: caddy
Assignee: Carl George <carlwgeorge>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 27
CC: carlwgeorge
Target Milestone: ---
Target Release: ---
Hardware: x86_64
OS: Unspecified
Whiteboard:
Fixed In Version: caddy-0.11.0-3.fc29 caddy-0.11.0-3.fc27 caddy-0.11.0-3.fc28 caddy-0.11.0-3.el7
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-10-30 17:30:47 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Gunnar Guðvarðarson 2018-07-25 18:58:51 UTC
Description of problem:
SELinux policy prevents caddy from starting

Version-Release number of selected component (if applicable):
Caddy 0.11.0 (unofficial)

Fedora release 27 (Twenty Seven)

Name         : selinux-policy-targeted
Version      : 3.13.1
Release      : 283.34.fc27


How reproducible:
always

Steps to Reproduce:
1. Install caddy on fedora
2. systemctl start caddy
3. systemctl status caddy (observe failed)
4. journalctl -u caddy (observe that it failed)
5. tail -n 1000 /var/log/audit/audit.log | grep caddy (observe avc denies)

Actual results:
crashes

Expected results:
not crashing

Additional info:
The bug was initially posted by me here; it contains more information and my fix for it:
https://github.com/mholt/caddy/issues/2203#issuecomment-407844823

avc:  denied  { mounton } for  pid=6534 comm="(caddy)" path="/var/lib/caddy" dev="vda1" ino=270438 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_var_lib_t:s0 tclass=dir permissive=0
avc:  denied  { read } for  pid=6534 comm="caddy" name="somaxconn" dev="proc" ino=18026 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=0
avc:  denied  { mounton } for  pid=6540 comm="(caddy)" path="/var/lib/caddy" dev="vda1" ino=270438 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_var_lib_t:s0 tclass=dir permissive=0
avc:  denied  { read } for  pid=6540 comm="caddy" name="somaxconn" dev="proc" ino=18026 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=0
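
As an added illustration (not part of this report or of the Fedora caddy package): a small parser that reads AVC records like the four above and groups them by source domain, target type and object class, then renders the raw allow rules audit2allow would print for them. The `type=AVC msg=audit(...)` prefixes and timestamps in the sample are constructed; the field values are the ones from this report.

```python
"""Parse SELinux AVC denial records from audit.log and summarise them
the way `audit2allow` would, grouped by (source domain, target type, class).

Added example; the sample log below is constructed from the four denials
in the report (the audit type/msg prefix and timestamps are made up).
"""
import re
from collections import defaultdict

SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1532545131.123:1001): avc:  denied  { mounton } for  pid=6534 comm="(caddy)" path="/var/lib/caddy" dev="vda1" ino=270438 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_var_lib_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1532545131.456:1002): avc:  denied  { read } for  pid=6534 comm="caddy" name="somaxconn" dev="proc" ino=18026 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=0
type=AVC msg=audit(1532545132.000:1003): avc:  denied  { mounton } for  pid=6540 comm="(caddy)" path="/var/lib/caddy" dev="vda1" ino=270438 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_var_lib_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1532545132.100:1004): avc:  denied  { read } for  pid=6540 comm="caddy" name="somaxconn" dev="proc" ino=18026 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=0
"""

# "avc:  denied  { perm perm } for  key=value key="quoted value" ..."
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+'
    r'(?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group("result"), "perms": set(m.group("perms").split())}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    # A context is user:role:type:level; the type is what policy rules name.
    rec["sdomain"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def summarise(log_text):
    """Group denials by (sdomain, ttype, tclass), merging permissions.

    Returns {(sdomain, ttype, tclass): {"perms": set, "count": int, "comms": set}}.
    Lines that are not AVC records, or are 'granted', are skipped.
    """
    groups = defaultdict(lambda: {"perms": set(), "count": 0, "comms": set()})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        g = groups[(rec["sdomain"], rec["ttype"], rec["tclass"])]
        g["perms"] |= rec["perms"]
        g["count"] += 1
        g["comms"].add(rec.get("comm", "?"))
    return dict(groups)


def allow_rules(groups):
    """Render audit2allow-style raw allow rules, one per group, sorted."""
    rules = []
    for (sdomain, ttype, tclass), g in sorted(groups.items()):
        perms = " ".join(sorted(g["perms"]))
        rules.append(f"allow {sdomain} {ttype}:{tclass} {{ {perms} }};")
    return rules


if __name__ == "__main__":
    groups = summarise(SAMPLE_AUDIT_LOG)
    for (sdomain, ttype, tclass), g in sorted(groups.items()):
        print(f"{g['count']}x {sdomain} -> {ttype}:{tclass} "
              f"{sorted(g['perms'])} comm={sorted(g['comms'])}")
    print("\n".join(allow_rules(groups)))
```

Reading the grouped output is the point: `comm="(caddy)"` with `scontext=...:init_t` is the unit's forked child before it has exec'd the binary, still in systemd's domain, so the `mounton` denial on `/var/lib/caddy` is systemd preparing the service's mount namespace, not caddy's own code; the `somaxconn` read is caddy itself (running as `httpd_t` because the package reuses httpd's labels) reading the listen-backlog sysctl. The raw `allow` lines are for understanding the denials, not for loading as-is: a module should be built from the policy's interfaces or with `audit2allow -M`, and any rule granted to `init_t` deserves a second look because it widens what every unit on the host may do.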

Comment 1 Gunnar Guðvarðarson 2018-07-25 19:01:43 UTC
I completely forgot to add (it's in the original report) that the binds on UDP 80/443 are due to QUIC, which is enabled here:

# /etc/systemd/system/caddy.service.d/override.conf
[Service]
ExecStart=
ExecStart=/usr/bin/caddy -conf /etc/caddy/caddy.conf -log stdout -root /tmp -quic -agree

Comment 2 Carl George 2018-08-13 19:22:41 UTC
Currently caddy is reusing httpd file labels to function with selinux enforcing.

https://src.fedoraproject.org/rpms/caddy/c/b85070ce0561800bcb5a2eeec08f5896786e2f68

That approach has the benefit of not having to maintain a caddy-specific policy.  You've discovered a drawback to that approach, which is that selinux doesn't think that httpd_exec_t type should be binding to 80/udp and 443/udp.  I was hoping that I could just report this as bug on the httpd policy, but then I discovered that httpd doesn't support QUIC, so it probably wouldn't get much traction.

I'm going to do a bit more research and see what the best path forward would be.

Comment 3 Fedora Update System 2018-10-22 02:47:03 UTC
caddy-0.11.0-3.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-960cae316e

Comment 4 Fedora Update System 2018-10-22 02:47:13 UTC
caddy-0.11.0-3.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-3f9079e7b8

Comment 5 Fedora Update System 2018-10-22 02:47:22 UTC
caddy-0.11.0-3.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-20468c2bd6

Comment 6 Fedora Update System 2018-10-22 16:55:14 UTC
caddy-0.11.0-3.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-ccc928e047

Comment 7 Fedora Update System 2018-10-22 19:23:06 UTC
caddy-0.11.0-3.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-3f9079e7b8

Comment 8 Fedora Update System 2018-10-22 23:22:54 UTC
caddy-0.11.0-3.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-ccc928e047

Comment 9 Fedora Update System 2018-10-22 23:33:25 UTC
caddy-0.11.0-3.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-960cae316e

Comment 10 Fedora Update System 2018-10-22 23:54:19 UTC
caddy-0.11.0-3.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-20468c2bd6

Comment 11 Fedora Update System 2018-10-30 17:30:47 UTC
caddy-0.11.0-3.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.

Comment 12 Fedora Update System 2018-10-31 15:24:48 UTC
caddy-0.11.0-3.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

Comment 13 Fedora Update System 2018-10-31 15:51:46 UTC
caddy-0.11.0-3.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

Comment 14 Fedora Update System 2018-11-08 05:00:22 UTC
caddy-0.11.0-3.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.