Bug 1118088 - SELinux haproxy denied name_connect to port 5002
Summary: SELinux haproxy denied name_connect to port 5002
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 20
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-07-10 01:17 UTC by Richard Su
Modified: 2014-07-14 22:50 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-07-14 22:50:42 UTC


Attachments
audit.log (879.45 KB, text/x-log), 2014-07-10 01:17 UTC, Richard Su
audit2.log when using "setsebool -P haproxy_connect_any 1" (580.63 KB, text/x-log), 2014-07-10 01:19 UTC, Richard Su


Links
Launchpad 1339938

Description Richard Su 2014-07-10 01:17:57 UTC
Created attachment 916969
audit.log

Description of problem:
haproxy fails to start up because SELinux blocks the ports it is proxying.
The first time I ran devtest, all ports that were being proxied were denied. See audit.log. I created a custom policy and saw that I needed to

setsebool -P haproxy_connect_any 1

I then reran devtest, but one issue still remains: haproxy is still being denied name_connect to port 5002. See audit2.log.

Version-Release number of selected component (if applicable):
haproxy-1.5.1-1.fc20.x86_64
selinux-policy-3.12.1-176.fc20.noarch
selinux-policy-targeted-3.12.1-176.fc20.noarch

How reproducible:
always

Steps to Reproduce:
1. Run tripleo devtest with SELinux in enforcing mode.

Actual results:
haproxy fails to start up

Expected results:
haproxy starts up

Additional info:

type=AVC msg=audit(1404794732.360:20): avc: denied { name_connect } for pid=386 comm="haproxy" dest=5002 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket

Comment 1 Richard Su 2014-07-10 01:19:38 UTC
Created attachment 916970
audit2.log when using "setsebool -P haproxy_connect_any 1"

Comment 2 Daniel Walsh 2014-07-14 16:15:16 UTC
What does the following show?

 sesearch -A -s haproxy_t -t unreserved_port_t -c tcp_socket -p name_connect -C
Found 2 semantic av rules:
DT allow nsswitch_domain unreserved_port_t : tcp_socket { name_bind name_connect } ; [ nis_enabled ]
DT allow haproxy_t port_type : tcp_socket { recv_msg send_msg name_bind name_connect } ; [ haproxy_connect_any ]

This looks like the boolean should have enabled it.

Comment 3 Richard Su 2014-07-14 22:50:42 UTC
[root@mini audit]# sesearch -A -s haproxy_t -t unreserved_port_t -c tcp_socket -p name_connect -C
Found 2 semantic av rules:
DT allow nsswitch_domain unreserved_port_t : tcp_socket { name_bind name_connect } ; [ nis_enabled ]
ET allow haproxy_t port_type : tcp_socket { recv_msg send_msg name_bind name_connect } ; [ haproxy_connect_any ]

After upgrading the selinux policy on the build system I don't see that error anymore. Went from selinux-policy-3.12.1-166 to selinux-policy-3.12.1-176.

Will close this ticket.
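As an added example (not part of this bug report or of the selinux-policy project), the following Python parses the AVC record from the description and the `sesearch -C` rule lines from comments 2 and 3, and reports whether a currently enabled rule covers the denial or which boolean would have to be toggled, the check audit2why performs by hand here. Attribute membership (haproxy_t carrying nsswitch_domain, unreserved_port_t being a port_type) is assumed from the sesearch output rather than read from a loaded policy.

```python
import re

# Two record formats quoted in this bug: an audit AVC denial, and a conditional
# allow rule as printed by `sesearch -C` (leading E/D = rule currently enabled/disabled).
AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
RULE_RE = re.compile(r'^(?P<state>[ED])[TF]\s+allow\s+(?P<src>\S+)\s+(?P<tgt>\S+)\s*:\s*'
                     r'(?P<cls>\S+)\s*\{(?P<perms>[^}]*)\}\s*;\s*\[\s*(?P<bool>\S+)\s*\]')
# Assumed attribute membership, inferred from the sesearch result rather than read
# from a loaded policy: haproxy_t has nsswitch_domain, unreserved_port_t is a port_type.
ATTRS = {'nsswitch_domain': {'haproxy_t'}, 'port_type': {'unreserved_port_t'}}
def parse_avc(line):
    """Extract permissions, source/target types, object class and socket fields."""
    m = AVC_RE.search(line)
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', m['rest'])}
    ctx_type = lambda ctx: ctx.split(':')[2]  # user:role:type:level -> type
    return {'perms': set(m['perms'].split()), 'stype': ctx_type(kv['scontext']),
            'ttype': ctx_type(kv['tcontext']), 'tclass': kv['tclass'],
            'dest': kv.get('dest'), 'comm': kv.get('comm')}

def parse_rule(line):
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    return {'enabled': m['state'] == 'E', 'src': m['src'], 'tgt': m['tgt'],
            'tclass': m['cls'], 'perms': set(m['perms'].split()), 'bool': m['bool']}

def _matches(name, typ):  # a rule names either the type itself or an attribute holding it
    return name == typ or typ in ATTRS.get(name, set())

def explain(avc, rules):
    """('allowed', boolean) if an enabled rule covers the denial, otherwise
    ('needs', [booleans]) listing the disabled rules that would cover it."""
    covering = [r for r in rules
                if _matches(r['src'], avc['stype']) and _matches(r['tgt'], avc['ttype'])
                and r['tclass'] == avc['tclass'] and avc['perms'] <= r['perms']]
    live = [r['bool'] for r in covering if r['enabled']]
    return ('allowed', live[0]) if live else ('needs', [r['bool'] for r in covering])

def diagnose(avc_line, rule_lines):
    return explain(parse_avc(avc_line), [parse_rule(r) for r in rule_lines])
# Constructed inputs, copied from this report: the denial and the two rule listings.
DENIAL = ('type=AVC msg=audit(1404794732.360:20): avc: denied { name_connect } for pid=386 '
          'comm="haproxy" dest=5002 scontext=system_u:system_r:haproxy_t:s0 '
          'tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket')
RULES_COMMENT2 = [
    'DT allow nsswitch_domain unreserved_port_t : tcp_socket { name_bind name_connect } ; [ nis_enabled ]',
    'DT allow haproxy_t port_type : tcp_socket { recv_msg send_msg name_bind name_connect } ; [ haproxy_connect_any ]']
RULES_COMMENT3 = [RULES_COMMENT2[0], 'E' + RULES_COMMENT2[1][1:]]  # boolean now enabled
```

With the comment 2 listing, `diagnose(DENIAL, RULES_COMMENT2)` reports that either nis_enabled or haproxy_connect_any would cover the denial; with the comment 3 listing it reports the denial as covered by the enabled haproxy_connect_any rule.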

