Bug 1119015 - HAProxy TPROXY configuration is forbidden by SELinux rules
Summary: HAProxy TPROXY configuration is forbidden by SELinux rules
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.0
Hardware: x86_64
OS: Linux
Priority: medium
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-07-13 05:16 UTC by andrew
Modified: 2015-03-05 10:42 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-03-05 10:42:07 UTC


Links:
System ID: Red Hat Product Errata RHBA-2015:0458
Priority: normal
Status: SHIPPED_LIVE
Summary: selinux-policy bug fix and enhancement update
Last Updated: 2015-03-05 15:17:00 UTC

Description andrew 2014-07-13 05:16:21 UTC
Description of problem:

When setting up HAproxy to pass the clientip to the backend servers, selinux-policy-targeted-3.12.1-153.el7_0.10 does not have the proper permissions required for HAproxy to present the client IPs to the backend servers.

Version-Release number of selected component (if applicable):

selinux-policy-targeted-3.12.1-153.el7_0.10
haproxy-1.5-0.3.dev22.el7

How reproducible:

100%

Steps to Reproduce:
1. Follow the directions on http://blog.haproxy.com/2013/09/16/howto-transparent-proxying-and-binding-with-haproxy-and-aloha-load-balancer/ to set up transparent proxying.
2. Try to access the newly created service
3. Note that running haproxy -d from the command line works, confirming that the configuration is valid

Actual results:

Receive a 503 gateway error from HAProxy

Expected results:

Receive the content from the backend server.

Additional info:

Fixed by the following policy:

#============= haproxy_t ==============
allow haproxy_t self:capability { net_admin net_raw };

Comment 2 Milos Malik 2014-07-14 07:45:31 UTC
Could you attach the full AVCs?

# ausearch -m avc -i -ts yesterday

Comment 3 andrew 2014-07-14 11:25:45 UTC
type=SYSCALL msg=audit(07/13/2014 00:54:45.859:109) : arch=x86_64 syscall=setsockopt success=no exit=-1(Operation not permitted) a0=0x7 a1=ip a2=IP_TRANSPARENT a3=0x7f84de4ab124 items=0 ppid=2032 pid=2033 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=haproxy exe=/usr/sbin/haproxy subj=system_u:system_r:haproxy_t:s0 key=(null) 
type=AVC msg=audit(07/13/2014 00:54:45.859:109) : avc:  denied  { net_admin } for  pid=2033 comm=haproxy capability=net_admin  scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:system_r:haproxy_t:s0 tclass=capability 
type=AVC msg=audit(07/13/2014 00:54:45.859:109) : avc:  denied  { net_raw } for  pid=2033 comm=haproxy capability=net_raw  scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:system_r:haproxy_t:s0 tclass=capability

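The rule the reporter quotes in the description is exactly what a tool like audit2allow derives from the two AVC records above: the denied permissions are grouped by source type, target type and object class, and because scontext and tcontext share the type haproxy_t the target collapses to `self`. The script below is an added example, not code from this bug report or from the selinux-policy package; it re-implements that small slice of audit2allow over the three audit lines from comment 3 (embedded as constructed sample input in the same `ausearch -i` layout), and adds a check a reviewer would want: given a candidate or shipped policy snippet, report which denied permissions it still leaves uncovered. The SYSCALL record is also read so the output shows which call failed (here `setsockopt`, the IP_TRANSPARENT option that needs CAP_NET_ADMIN).

```python
"""Derive the SELinux allow rule implied by AVC denial records and check
whether a policy snippet covers them.

Added example; not part of the bug report or of selinux-policy. It mimics
the grouping step of audit2allow for the brace form of allow rules only.
"""
import re
from collections import defaultdict

# Constructed sample input: the SYSCALL and two AVC records from comment 3,
# in the interpreted (`ausearch -i`) format.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(07/13/2014 00:54:45.859:109) : arch=x86_64 syscall=setsockopt success=no exit=-1(Operation not permitted) a0=0x7 a1=ip a2=IP_TRANSPARENT a3=0x7f84de4ab124 items=0 ppid=2032 pid=2033 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=haproxy exe=/usr/sbin/haproxy subj=system_u:system_r:haproxy_t:s0 key=(null)
type=AVC msg=audit(07/13/2014 00:54:45.859:109) : avc:  denied  { net_admin } for  pid=2033 comm=haproxy capability=net_admin  scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:system_r:haproxy_t:s0 tclass=capability
type=AVC msg=audit(07/13/2014 00:54:45.859:109) : avc:  denied  { net_raw } for  pid=2033 comm=haproxy capability=net_raw  scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:system_r:haproxy_t:s0 tclass=capability
"""

# One AVC record: the denied permission set, then the two contexts and class.
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)
# One SYSCALL record: the syscall name and whether it succeeded.
SYSCALL_RE = re.compile(r"type=SYSCALL .*?syscall=(?P<name>\S+)\s+success=(?P<ok>\S+)")
# An allow rule in brace form, e.g. "allow haproxy_t self:capability { net_admin net_raw };"
RULE_RE = re.compile(r"allow\s+(\S+)\s+(\S+):(\S+)\s+\{\s*([^}]+?)\s*\}\s*;")


def selinux_type(context):
    """user:role:type:level -> type (the third colon-separated field)."""
    return context.split(":")[2]


def parse_denials(text):
    """Group denied permissions by (source type, target type, class)."""
    groups = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            key = (selinux_type(m["scon"]), selinux_type(m["tcon"]), m["tclass"])
            groups[key].update(m["perms"].split())
    return dict(groups)


def failed_syscalls(text):
    """Names of the syscalls whose SYSCALL record reports success=no."""
    matches = (SYSCALL_RE.search(line) for line in text.splitlines())
    return [m["name"] for m in matches if m and m["ok"] == "no"]


def allow_rules(groups):
    """Render one allow rule per group, writing 'self' when the types agree."""
    rules = []
    for (src, tgt, tclass), perms in sorted(groups.items()):
        target = "self" if src == tgt else tgt
        rules.append(f"allow {src} {target}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return rules


def uncovered(groups, policy_text):
    """Denial groups (and the permissions within them) not granted by policy_text."""
    allowed = defaultdict(set)
    for src, tgt, tclass, perms in RULE_RE.findall(policy_text):
        allowed[(src, src if tgt == "self" else tgt, tclass)].update(perms.split())
    missing = {key: perms - allowed.get(key, set()) for key, perms in groups.items()}
    return {key: perms for key, perms in missing.items() if perms}


if __name__ == "__main__":
    denials = parse_denials(SAMPLE_AUDIT)
    print("failed syscalls:", failed_syscalls(SAMPLE_AUDIT))
    for rule in allow_rules(denials):
        print(rule)
    # A policy that only grants net_admin would still leave net_raw denied.
    print("still uncovered:", uncovered(denials, "allow haproxy_t self:capability { net_admin };"))
```

Run against real output of `ausearch -m avc -i -ts yesterday` the same functions work unchanged, since they only key on the `avc: denied`, `scontext=`, `tcontext=` and `tclass=` fields. The `uncovered` check is the useful half for a defender: after installing the selinux-policy erratum, feed it the relevant `sesearch` output (brace form) and confirm the set comes back empty rather than assuming the fix landed.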
Comment 4 Miroslav Grepl 2014-11-05 07:51:15 UTC
#============= haproxy_t ==============

#!!!! This avc is allowed in the current policy
allow haproxy_t self:capability { net_admin net_raw };

Comment 8 errata-xmlrpc 2015-03-05 10:42:07 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0458.html

