Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1108937

Summary: Need to set haproxy_connect_any selinux boolean
Product: Red Hat OpenStack Reporter: John Eckersberg <jeckersb>
Component: openstack-selinuxAssignee: Lon Hohberger <lhh>
Status: CLOSED CURRENTRELEASE QA Contact: Ami Jeain <ajeain>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 5.0 (RHEL 6)CC: bperkins, jeckersb, lhh, mburns, mgrepl, morazi, rhallise, rhos-maint, yeylon
Target Milestone: ---   
Target Release: 5.0 (RHEL 7)   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: openstack-selinux-0.5.5-3.el7ost Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-07-09 20:28:26 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
audit log none

Description John Eckersberg 2014-06-12 22:24:22 UTC 
The haproxy_connect_any selinux boolean needs to be set when deploying haproxy load balancer with openstack-foreman-installer.  Otherwise the deployed nodes will have AVC denials when listening and connecting to the backend servers.  Unforunately I'm between deployments right now so I don't have the exact AVC errors available to paste here.

There may also be a better way to solve this, e.g. tagging individual ports instead of this boolean which seems to be a rather broad fix.  It's just the first solution that audit2allow had spit out to me so I went with it.
Comment 2 Ryan Hallisey 2014-06-23 20:49:01 UTC 
Can you attach your /var/log/audit/audit.log?  There is more info in the logs.  Also, can you reproduce what you did in permissive in case there are more denials.
Comment 3 John Eckersberg 2014-06-25 17:47:00 UTC 
Created attachment 912192 [details]
audit log

Here's the audit log with permissive mode.  Just the denials:

type=AVC msg=audit(1403718102.298:671): avc:  denied  { name_bind } for  pid=13262 comm="haproxy" src=5672 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:amqp_port_t:s0 tclass=tcp_socket

type=AVC msg=audit(1403718102.299:672): avc:  denied  { name_connect } for  pid=13263 comm="haproxy" dest=5672 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:amqp_port_t:s0 tclass=tcp_socket

Note this is with only using rabbitmq on my HA controller node, if the other openstack services were enabled I suspect there could be many more denials.