Description of problem: Install haproxy sudo dnf install haproxy-1.7.3-2.fc26.x86_64 Start the service sudo systemctl start haproxy haproxy doesn't start systemctl status haproxy ● haproxy.service - HAProxy Load Balancer Loaded: loaded (/usr/lib/systemd/system/haproxy.service; disabled; vendor preset: disabled) Active: failed (Result: exit-code) since Wed 2017-05-03 22:59:11 CEST; 2min 26s ago Process: 11304 ExecStart=/usr/sbin/haproxy-systemd-wrapper -f $CONFIG -p $PIDFILE (code=exited, status=1/FAILURE) Process: 11303 ExecStartPre=/usr/sbin/haproxy -f $CONFIG -c -q (code=exited, status=0/SUCCESS) Main PID: 11304 (code=exited, status=1/FAILURE) May 03 22:59:11 localhost.localdomain systemd[1]: Starting HAProxy Load Balancer... May 03 22:59:11 localhost.localdomain systemd[1]: Started HAProxy Load Balancer. May 03 22:59:11 localhost.localdomain haproxy-systemd-wrapper[11304]: haproxy-systemd-wrapper: executing /usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid -Ds May 03 22:59:11 localhost.localdomain haproxy-systemd-wrapper[11304]: haproxy-systemd-wrapper: execv(/usr/sbin/haproxy) failed, please try again later. May 03 22:59:11 localhost.localdomain haproxy-systemd-wrapper[11304]: haproxy-systemd-wrapper: exit, haproxy RC=1 May 03 22:59:11 localhost.localdomain systemd[1]: haproxy.service: Main process exited, code=exited, status=1/FAILURE May 03 22:59:11 localhost.localdomain systemd[1]: haproxy.service: Unit entered failed state. May 03 22:59:11 localhost.localdomain systemd[1]: haproxy.service: Failed with result 'exit-code'. journalctl reports: May 03 23:03:15 localhost.localdomain setroubleshoot[11308]: SELinux is preventing haproxy-systemd from execute_no_trans access on the file /usr/sbin/haproxy. For complete SELinux messages. run sealert -l 254e4717-9e9f-4d83-bc28-3abc60097348 SELinux is preventing haproxy-systemd from 'execute_no_trans' accesses on the file /usr/sbin/haproxy. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that haproxy-systemd should be allowed execute_no_trans access on the haproxy file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'haproxy-systemd' --raw | audit2allow -M my-haproxysystemd # semodule -X 300 -i my-haproxysystemd.pp Additional Information: Source Context system_u:system_r:haproxy_t:s0 Target Context system_u:object_r:haproxy_exec_t:s0 Target Objects /usr/sbin/haproxy [ file ] Source haproxy-systemd Source Path haproxy-systemd Port <Unknown> Host (removed) Source RPM Packages Target RPM Packages haproxy-1.7.3-2.fc26.x86_64 Policy RPM selinux-policy-3.13.1-251.fc26.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 4.11.0-0.rc8.git0.1.fc26.x86_64 #1 SMP Mon Apr 24 15:42:54 UTC 2017 x86_64 x86_64 Alert Count 3 First Seen 2017-05-03 22:55:52 CEST Last Seen 2017-05-03 22:59:11 CEST Local ID 254e4717-9e9f-4d83-bc28-3abc60097348 Raw Audit Messages type=AVC msg=audit(1493845151.171:584): avc: denied { execute_no_trans } for pid=11305 comm="haproxy-systemd" path="/usr/sbin/haproxy" dev="dm-0" ino=563219 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:haproxy_exec_t:s0 tclass=file permissive=0 Hash: haproxy-systemd,haproxy_t,haproxy_exec_t,file,execute_no_trans Version-Release number of selected component: selinux-policy-3.13.1-251.fc26.noarch Additional info: component: selinux-policy reporter: libreport-2.9.1 hashmarkername: setroubleshoot kernel: 4.11.0-0.rc8.git0.1.fc26.x86_64 type: libreport
Same here. Already a fix available?
Me too.
So I mean, this simple module fixes it of course: module fix_haproxy 1.0; require { type haproxy_exec_t; type haproxy_t; class file execute_no_trans; } #============= haproxy_t ============== allow haproxy_t haproxy_exec_t:file execute_no_trans; Would be nice if the policy would be updated to include this permission, as HAProxy cannot do some of the more fancy stuff without this. Or at least make it a boolean or something.
Any progress?
The module suggested by Erik Logtenberg works.(In reply to Erik Logtenberg from comment #3) > So I mean, this simple module fixes it of course: > > > module fix_haproxy 1.0; > > require { > type haproxy_exec_t; > type haproxy_t; > class file execute_no_trans; > } > > #============= haproxy_t ============== > allow haproxy_t haproxy_exec_t:file execute_no_trans; > > > > > Would be nice if the policy would be updated to include this permission, as > HAProxy cannot do some of the more fancy stuff without this. Or at least > make it a boolean or something. This works.
Will be fixed in next selinux-policy Fedora 26 update.
selinux-policy-3.13.1-260.14.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-d312739a4e
selinux-policy-3.13.1-260.14.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.