Bug 1643560

Summary: selinux breaks haproxy basic auth when using nbthread
Product: [Fedora] Fedora Reporter: Robin <robin.bjorklin>
Component: selinux-policyAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED DUPLICATE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 29CC: bperkins, dwalsh, lvrabec, mgrepl, mmalik, plautrba, robin.bjorklin
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-10-29 13:47:26 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Robin 2018-10-26 14:37:34 UTC 
Description of problem: When running haproxy with the `nbthread` directive in the configuration selinux breaks the `http-request auth` functionality.


Version-Release number of selected component (if applicable): haproxy-1.8.14


How reproducible: Always


Steps to Reproduce:
1. git clone https://github.com/rbjorklin/selinux-haproxy-bug.git
2. ./setup29.sh
3. visit http://localhost:8080/
4. enter credentials test/test

Actual results: Credential popup keeps reappearing.


Expected results: Proceeds to loading page correctly.


Additional info: The above works when `setenforce 0` is executed. No selinux denials are created even with `semodule -DB`.
The problem also appears under Fedora 28.
Comment 1 Milos Malik 2018-10-29 12:44:56 UTC 
Could you collect SELinux denials, which appeared on your machine as result of the reproducer, and attach them here?

# ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts today

The denials will help us understand where the problem is.

Thank you.
Comment 2 Robin 2018-10-29 13:47:26 UTC 
I'm closing this one and setting haproxy as the target component instead of selinux-policy. Some further testing on my end showed that the problem did appear with selinux turned off after all.

*** This bug has been marked as a duplicate of bug 1643941 ***