Description of problem:
I updated one of my loadbalancer systems from Fedora 27 to Fedora 28.
haproxy does not start up if a stats socket is configured.
The problem is related to SELinux.

Version-Release number of selected component (if applicable):
1.8.8 2018/04/19

How reproducible:
Try starting haproxy using systemctl when a stats socket is configured.

Steps to Reproduce:
1. Configure a stat socket
Inside "global" configuration add:
stats socket /var/lib/haproxy/stats
2. Try starting the haproxy service
sudo service haproxy start

Actual results:
The haproxy service does not start up. SELinux reports an error which can be found in audit log (/var/log/audit/audit.log):

type=AVC msg=audit(1525600976.236:3235): avc: denied { dac_override } for pid=5627 comm="haproxy" capability=1 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:system_r:haproxy_t:s0 tclass=capability permissive=0

Expected results:
Haproxy should start.

Additional info:
The following type enforcement fixes this issue:

module f28-haproxyfix 1.0;

require {
	type haproxy_t;
	class capability dac_override;
}

#============= haproxy_t ==============
allow haproxy_t self:capability dac_override;
Moving to correct component.
----
type=PROCTITLE msg=audit(05/07/2018 12:10:03.524:360) : proctitle=/usr/sbin/haproxy -W -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid
type=PATH msg=audit(05/07/2018 12:10:03.524:360) : item=2 name=/var/lib/haproxy/stats.15653.bak nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=PATH msg=audit(05/07/2018 12:10:03.524:360) : item=1 name=/var/lib/haproxy/ inode=262286 dev=fd:01 mode=dir,755 ouid=haproxy ogid=haproxy rdev=00:00 obj=system_u:object_r:haproxy_var_lib_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=PATH msg=audit(05/07/2018 12:10:03.524:360) : item=0 name=/var/lib/haproxy/stats inode=268029 dev=fd:01 mode=socket,755 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:haproxy_var_lib_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(05/07/2018 12:10:03.524:360) : cwd=/
type=SYSCALL msg=audit(05/07/2018 12:10:03.524:360) : arch=x86_64 syscall=link success=no exit=EACCES(Permission denied) a0=0x55db242df68a a1=0x7ffcbaf6c990 a2=0x3d25 a3=0x0 items=3 ppid=1 pid=15653 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=haproxy exe=/usr/sbin/haproxy subj=system_u:system_r:haproxy_t:s0 key=(null)
type=AVC msg=audit(05/07/2018 12:10:03.524:360) : avc: denied { dac_override } for pid=15653 comm=haproxy capability=dac_override scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:system_r:haproxy_t:s0 tclass=capability permissive=0
----
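Why the link() call in this event needs dac_override, as an added example (not part of the bug report or of any Fedora tooling): it reads the interpreted audit records and applies the ordinary owner/group/other check to the parent directory for the caller's fsuid/fsgid. The event text is a trimmed, constructed copy of the records above, the function names are hypothetical, and supplementary groups and ACLs are assumed absent because the audit record does not carry them.

```python
import re

# Constructed sample: three records of the event quoted above, trimmed to
# the fields this check reads.
EVENT = """\
type=PATH msg=audit(05/07/2018 12:10:03.524:360) : item=1 name=/var/lib/haproxy/ mode=dir,755 ouid=haproxy ogid=haproxy nametype=PARENT
type=SYSCALL msg=audit(05/07/2018 12:10:03.524:360) : syscall=link success=no exit=EACCES(Permission denied) fsuid=root fsgid=root comm=haproxy
type=AVC msg=audit(05/07/2018 12:10:03.524:360) : avc: denied { dac_override } for pid=15653 comm=haproxy capability=dac_override tclass=capability
"""

def parse(text):
    """Group interpreted (ausearch -i style) records by type as field dicts."""
    records = {}
    for line in text.splitlines():
        if line.startswith("type="):
            fields = dict(re.findall(r"(\w+)=(\S+)", line))
            records.setdefault(fields["type"], []).append(fields)
    return records

def dac_dir_writable(mode, ouid, ogid, fsuid, fsgid):
    """Owner/group/other check for write+search on a directory.
    Assumption: no supplementary groups or ACLs (not in the audit record)."""
    perms = int(mode.split(",")[-1], 8)
    shift = 6 if fsuid == ouid else 3 if fsgid == ogid else 0
    return (perms >> shift) & 0o3 == 0o3   # both w (2) and x (1) required

def explain(text):
    """Say whether the failed call could pass DAC without CAP_DAC_OVERRIDE."""
    rec = parse(text)
    call = rec["SYSCALL"][0]
    parent = next(p for p in rec["PATH"] if p.get("nametype") == "PARENT")
    ok = dac_dir_writable(parent["mode"], parent["ouid"], parent["ogid"],
                          call["fsuid"], call["fsgid"])
    return {
        "syscall": call["syscall"],
        "directory": parent["name"],
        "dir_owner": parent["ouid"],
        "caller_fsuid": call["fsuid"],
        "needs_dac_override": not ok,
        "selinux_denied": re.findall(r"denied\s+\{\s*([^}]*?)\s*\}", text),
    }

if __name__ == "__main__":
    for key, value in explain(EVENT).items():
        print(f"{key}: {value}")
```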
*** Bug 1580054 has been marked as a duplicate of this bug. ***
This message is a reminder that Fedora 28 is nearing its end of life. On 2019-May-28 Fedora will stop maintaining and issuing updates for Fedora 28. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '28'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 28 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version before this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Fedora 28 changed to end-of-life (EOL) status on 2019-05-28. Fedora 28 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.