Created attachment 916969 [details]
audit.log

Description of problem:
haproxy fails to start up because SELinux blocks the ports it is proxying. The first time I ran devtest, all ports that were being proxied were denied. See audit.log. I created a custom policy and saw that I needed to

setsebool -P haproxy_connect_any 1

I then reran devtest, but one issue still remains: haproxy is still being denied name_connect to port 5002. See audit2.log.

Version-Release number of selected component (if applicable):
haproxy-1.5.1-1.fc20.x86_64
selinux-policy-3.12.1-176.fc20.noarch
selinux-policy-targeted-3.12.1-176.fc20.noarch

How reproducible:
always

Steps to Reproduce:
1. Run tripleo devtest with SELinux in enforcing mode.

Actual results:
haproxy fails to start up

Expected results:
haproxy starts up

Additional info:
type=AVC msg=audit(1404794732.360:20): avc: denied { name_connect } for pid=386 comm="haproxy" dest=5002 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
Created attachment 916970 [details]
audit2.log when using "setsebool -P haproxy_connect_any 1"
What does the following show?

sesearch -A -s haproxy_t -t unreserved_port_t -c tcp_socket -p name_connect -C

Found 2 semantic av rules:
DT allow nsswitch_domain unreserved_port_t : tcp_socket { name_bind name_connect } ; [ nis_enabled ]
DT allow haproxy_t port_type : tcp_socket { recv_msg send_msg name_bind name_connect } ; [ haproxy_connect_any ]

This looks like the boolean should have enabled it.
[root@mini audit]# sesearch -A -s haproxy_t -t unreserved_port_t -c tcp_socket -p name_connect -C
Found 2 semantic av rules:
DT allow nsswitch_domain unreserved_port_t : tcp_socket { name_bind name_connect } ; [ nis_enabled ]
ET allow haproxy_t port_type : tcp_socket { recv_msg send_msg name_bind name_connect } ; [ haproxy_connect_any ]

After upgrading the selinux policy on the build system I don't see that error anymore. Went from selinux-policy-3.12.1-166 to selinux-policy-3.12.1-176. Will close this ticket.
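As an added example (not part of the bug report, and not code from the haproxy or selinux-policy projects), the following POSIX shell helpers turn an AVC record like the one in the description into the sesearch query the thread uses, and decode the two-letter prefix that sesearch -C prints on conditional rules. The prefix semantics are assumed from setools 3 output as seen in the comments: E/D = rule currently enabled/disabled, T/F = true/false branch of the conditional, and the "[ bool ]" suffix names the controlling boolean.

```shell
#!/bin/sh
# Constructed sample: the AVC record quoted in the bug description.
AVC='type=AVC msg=audit(1404794732.360:20): avc: denied { name_connect } for pid=386 comm="haproxy" dest=5002 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket'

# avc_field RECORD KEY: value of the KEY=value token, surrounding quotes removed
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | tr -d '"'
}

# avc_perm RECORD: the denied permission inside "denied { ... }"
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^ }]*\).*/\1/p'
}

# ctx_type CONTEXT: the type field of a user:role:TYPE:level context
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_to_sesearch RECORD: the policy query that asks whether any rule,
# conditional ones included (-C), grants exactly the denied access
avc_to_sesearch() {
    printf 'sesearch -A -s %s -t %s -c %s -p %s -C\n' \
        "$(ctx_type "$(avc_field "$1" scontext)")" \
        "$(ctx_type "$(avc_field "$1" tcontext)")" \
        "$(avc_field "$1" tclass)" \
        "$(avc_perm "$1")"
}

# rule_state LINE: decode one "sesearch -C" result line (assumed setools 3
# convention: leading E/D = rule enabled/disabled, T/F = branch; "[ bool ]"
# suffix = controlling boolean). Prints "<enabled|disabled|unconditional> <bool>".
rule_state() {
    case $1 in
        E*) state=enabled ;;
        D*) state=disabled ;;
        *)  state=unconditional ;;
    esac
    bool=$(printf '%s\n' "$1" | sed -n 's/.*\[ *\([A-Za-z0-9_]*\) *\].*/\1/p')
    printf '%s %s\n' "$state" "${bool:-none}"
}

# Walk the record from the report: build the query, then read a result line.
# A "DT" line (as in the maintainer's comment) means the boolean is still off.
avc_to_sesearch "$AVC"
rule_state 'DT allow haproxy_t port_type : tcp_socket { recv_msg send_msg name_bind name_connect } ; [ haproxy_connect_any ]'
```

Feeding every AVC line from audit.log through avc_to_sesearch gives one query per denial, and a result that decodes to "disabled <bool>" points at a boolean to review before resorting to a custom module.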