Bug 1575365 - Haproxy does not start up when stats socket is configured
Status: CLOSED EOL
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 28
Hardware: All
OS: Unspecified
Priority: unspecified
Severity: medium
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
Duplicates: 1580054
Reported: 2018-05-06 10:21 UTC by Florian Bezdeka
Modified: 2019-05-29 00:02 UTC (History)
Last Closed: 2019-05-29 00:02:10 UTC
Type: Bug
Description Florian Bezdeka 2018-05-06 10:21:24 UTC
Description of problem:
I updated one of my loadbalancer systems from Fedora 27 to Fedora 28.
haproxy does not start up if a stats socket is configured.
The problem is related to SELinux.

Version-Release number of selected component (if applicable):
1.8.8 2018/04/19

How reproducible:
Try starting haproxy using systemctl when a stats socket is configured.


Steps to Reproduce:
1. Configure a stats socket
   Inside "global" configuration add:
   stats socket /var/lib/haproxy/stats
2. Try starting the haproxy service
   sudo service haproxy start

Actual results:
The haproxy service does not start up.
SELinux reports an error which can be found in audit log (/var/log/audit/audit.log):

type=AVC msg=audit(1525600976.236:3235): avc:  denied  { dac_override } for  pid=5627 comm="haproxy" capability=1  scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:system_r:haproxy_t:s0 tclass=capability permissive=0


Expected results:
Haproxy should start.

Additional info:
The following type enforcement fixes this issue:

module f28-haproxyfix 1.0;

require {
        type haproxy_t;
        class capability dac_override;
}

#============= haproxy_t ==============
allow haproxy_t self:capability dac_override;

Comment 1 Ryan O'Hara 2018-05-07 13:44:59 UTC
Moving to correct component.

Comment 2 Milos Malik 2018-05-07 16:11:34 UTC
----
type=PROCTITLE msg=audit(05/07/2018 12:10:03.524:360) : proctitle=/usr/sbin/haproxy -W -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid 
type=PATH msg=audit(05/07/2018 12:10:03.524:360) : item=2 name=/var/lib/haproxy/stats.15653.bak nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=PATH msg=audit(05/07/2018 12:10:03.524:360) : item=1 name=/var/lib/haproxy/ inode=262286 dev=fd:01 mode=dir,755 ouid=haproxy ogid=haproxy rdev=00:00 obj=system_u:object_r:haproxy_var_lib_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=PATH msg=audit(05/07/2018 12:10:03.524:360) : item=0 name=/var/lib/haproxy/stats inode=268029 dev=fd:01 mode=socket,755 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:haproxy_var_lib_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=CWD msg=audit(05/07/2018 12:10:03.524:360) : cwd=/ 
type=SYSCALL msg=audit(05/07/2018 12:10:03.524:360) : arch=x86_64 syscall=link success=no exit=EACCES(Permission denied) a0=0x55db242df68a a1=0x7ffcbaf6c990 a2=0x3d25 a3=0x0 items=3 ppid=1 pid=15653 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=haproxy exe=/usr/sbin/haproxy subj=system_u:system_r:haproxy_t:s0 key=(null) 
type=AVC msg=audit(05/07/2018 12:10:03.524:360) : avc:  denied  { dac_override } for  pid=15653 comm=haproxy capability=dac_override  scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:system_r:haproxy_t:s0 tclass=capability permissive=0 
----
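
Added example (not part of the bug report and not Fedora tooling): a Python sketch that reads the Comment 2 audit records, abridged inline, and reports which DAC permission bit the process lacked on the socket's parent directory, which is the reason the kernel consulted the dac_override capability. The function names are hypothetical, and only fsuid/fsgid are compared because supplementary groups do not appear in the records.

```python
import re
from collections import defaultdict

# Abridged from the ausearch -i records in Comment 2 (unneeded fields dropped).
SAMPLE = """\
type=PATH msg=audit(05/07/2018 12:10:03.524:360) : item=1 name=/var/lib/haproxy/ inode=262286 mode=dir,755 ouid=haproxy ogid=haproxy nametype=PARENT
type=SYSCALL msg=audit(05/07/2018 12:10:03.524:360) : arch=x86_64 syscall=link success=no exit=EACCES(Permission denied) uid=root gid=root euid=root fsuid=root fsgid=root comm=haproxy
type=AVC msg=audit(05/07/2018 12:10:03.524:360) : avc:  denied  { dac_override } for  pid=15653 comm=haproxy capability=dac_override  scontext=system_u:system_r:haproxy_t:s0 tclass=capability permissive=0
"""

REC = re.compile(r"type=(\S+) msg=audit\((.*?):(\d+)\)\s*:\s*(.*)")

def parse_events(text):
    """Group audit records by event serial: {serial: {record type: [fields]}}."""
    events = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        m = REC.match(line.strip())
        if not m:
            continue
        rtype, _ts, serial, rest = m.groups()
        fields = dict(re.findall(r"(\w+)=(\S+)", rest))
        perms = re.search(r"\{ (.*?) \}", rest)
        if perms:
            fields["perms"] = perms.group(1).split()
        events[serial][rtype].append(fields)
    return events

def explain_dac_override(text):
    """For each denied dac_override, report the directory write bit the caller lacked."""
    findings = []
    for serial, recs in parse_events(text).items():
        denied = [a for a in recs["AVC"] if "dac_override" in a.get("perms", [])]
        if not denied or not recs["SYSCALL"]:
            continue
        sc = recs["SYSCALL"][0]
        for path in recs["PATH"]:
            if path.get("nametype") != "PARENT":
                continue
            mode = int(path["mode"].split(",")[-1], 8)
            # Permission class the kernel applies to this caller (owner/group/other).
            cls, shift = (("owner", 6) if sc["fsuid"] == path["ouid"] else
                          ("group", 3) if sc["fsgid"] == path["ogid"] else ("other", 0))
            if not (mode >> shift) & 2:  # creating a name needs write on the directory
                findings.append({"serial": serial, "syscall": sc["syscall"],
                                 "dir": path["name"], "caller": sc["fsuid"],
                                 "owner": path["ouid"], "class": cls, "mode": oct(mode)})
    return findings
```

On the sample it reports that root falls into the "other" class of the haproxy-owned, mode 755 directory, so the link call can only succeed by overriding DAC.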

Comment 3 Lennart Jern 2018-05-21 17:26:06 UTC
*** Bug 1580054 has been marked as a duplicate of this bug. ***

Comment 4 Ben Cotton 2019-05-02 19:17:33 UTC
This message is a reminder that Fedora 28 is nearing its end of life.
On 2019-May-28 Fedora will stop maintaining and issuing updates for
Fedora 28. It is Fedora's policy to close all bug reports from releases
that are no longer maintained. At that time this bug will be closed as
EOL if it remains open with a Fedora 'version' of '28'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 28 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged to change the 'version' to a later Fedora 
version prior to this bug being closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 6 Ben Cotton 2019-05-29 00:02:10 UTC
Fedora 28 changed to end-of-life (EOL) status on 2019-05-28. Fedora 28 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.
