Bug 1600578 - SELinux prevents haproxy-systemd from 'execute_no_trans' accesses on the file /usr/sbin/haproxy
Summary: SELinux prevents haproxy-systemd from 'execute_no_trans' accesses on the file...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.6
Hardware: All
OS: Linux
high
high
Target Milestone: rc
: 7.6
Assignee: Lukas Vrabec
QA Contact: Milos Malik
URL:
Whiteboard: abrt_hash:9266a3699f0ed3d37343286ac47...
: 1607759 (view as bug list)
Depends On: 1600434
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-07-12 14:15 UTC by Milos Malik
Modified: 2018-10-30 10:07 UTC (History)
10 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1447800
Environment:
Last Closed: 2018-10-30 10:06:46 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2018:3111 None None None 2018-10-30 10:07:19 UTC

Description Milos Malik 2018-07-12 14:15:47 UTC
+++ This bug was initially created as a clone of Bug #1447800 +++

Problem description:
the haproxy service does not start

NVRs:
haproxy-1.5.18-7.el7.x86_64
selinux-policy-3.13.1-207.el7.noarch
selinux-policy-devel-3.13.1-207.el7.noarch
selinux-policy-doc-3.13.1-207.el7.noarch
selinux-policy-minimum-3.13.1-207.el7.noarch
selinux-policy-mls-3.13.1-207.el7.noarch
selinux-policy-sandbox-3.13.1-207.el7.noarch
selinux-policy-targeted-3.13.1-207.el7.noarch

1) Install haproxy 
sudo dnf install haproxy

2) Start the service
sudo systemctl start haproxy

haproxy doesn't start
systemctl status haproxy
● haproxy.service - HAProxy Load Balancer
   Loaded: loaded (/usr/lib/systemd/system/haproxy.service; disabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Wed 2017-05-03 22:59:11 CEST; 2min 26s ago
  Process: 11304 ExecStart=/usr/sbin/haproxy-systemd-wrapper -f $CONFIG -p $PIDFILE (code=exited, status=1/FAILURE)
  Process: 11303 ExecStartPre=/usr/sbin/haproxy -f $CONFIG -c -q (code=exited, status=0/SUCCESS)
 Main PID: 11304 (code=exited, status=1/FAILURE)

May 03 22:59:11 localhost.localdomain systemd[1]: Starting HAProxy Load Balancer...
May 03 22:59:11 localhost.localdomain systemd[1]: Started HAProxy Load Balancer.
May 03 22:59:11 localhost.localdomain haproxy-systemd-wrapper[11304]: haproxy-systemd-wrapper: executing /usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid -Ds
May 03 22:59:11 localhost.localdomain haproxy-systemd-wrapper[11304]: haproxy-systemd-wrapper: execv(/usr/sbin/haproxy) failed, please try again later.
May 03 22:59:11 localhost.localdomain haproxy-systemd-wrapper[11304]: haproxy-systemd-wrapper: exit, haproxy RC=1
May 03 22:59:11 localhost.localdomain systemd[1]: haproxy.service: Main process exited, code=exited, status=1/FAILURE
May 03 22:59:11 localhost.localdomain systemd[1]: haproxy.service: Unit entered failed state.
May 03 22:59:11 localhost.localdomain systemd[1]: haproxy.service: Failed with result 'exit-code'.

journalctl reports:

May 03 23:03:15 localhost.localdomain setroubleshoot[11308]: SELinux is preventing haproxy-systemd from execute_no_trans access on the file /usr/sbin/haproxy. For complete SELinux messages. run sealert -l 254e4717-9e9f-4d83-bc28-3abc60097348
SELinux is preventing haproxy-systemd from 'execute_no_trans' accesses on the file /usr/sbin/haproxy.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that haproxy-systemd should be allowed execute_no_trans access on the haproxy file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'haproxy-systemd' --raw | audit2allow -M my-haproxysystemd
# semodule -X 300 -i my-haproxysystemd.pp

Additional Information:
Source Context                system_u:system_r:haproxy_t:s0
Target Context                system_u:object_r:haproxy_exec_t:s0
Target Objects                /usr/sbin/haproxy [ file ]
Source                        haproxy-systemd
Source Path                   haproxy-systemd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           haproxy-1.7.3-2.fc26.x86_64
Policy RPM                    selinux-policy-3.13.1-251.fc26.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.11.0-0.rc8.git0.1.fc26.x86_64 #1
                              SMP Mon Apr 24 15:42:54 UTC 2017 x86_64 x86_64
Alert Count                   3
First Seen                    2017-05-03 22:55:52 CEST
Last Seen                     2017-05-03 22:59:11 CEST
Local ID                      254e4717-9e9f-4d83-bc28-3abc60097348

Raw Audit Messages
type=AVC msg=audit(1493845151.171:584): avc:  denied  { execute_no_trans } for  pid=11305 comm="haproxy-systemd" path="/usr/sbin/haproxy" dev="dm-0" ino=563219 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:haproxy_exec_t:s0 tclass=file permissive=0


Hash: haproxy-systemd,haproxy_t,haproxy_exec_t,file,execute_no_trans

Version-Release number of selected component:
selinux-policy-3.13.1-251.fc26.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.9.1
hashmarkername: setroubleshoot
kernel:         4.11.0-0.rc8.git0.1.fc26.x86_64
type:           libreport

--- Additional comment from Erik Logtenberg on 2017-07-22 12:11:09 EDT ---

Same here. Already a fix available?

--- Additional comment from Paramjit Oberoi on 2017-09-08 11:50:36 EDT ---

Me too.

--- Additional comment from Erik Logtenberg on 2017-09-10 07:29:18 EDT ---

So I mean, this simple module fixes it of course:


module fix_haproxy 1.0;

require {
        type haproxy_exec_t;
        type haproxy_t;
        class file execute_no_trans;
}

#============= haproxy_t ==============
allow haproxy_t haproxy_exec_t:file execute_no_trans;

Would be nice if the policy would be updated to include this permission, as HAProxy cannot do some of the more fancy stuff without this. Or at least make it a boolean or something.

Comment 1 Radek Bíba 2018-07-24 08:31:07 UTC
*** Bug 1607759 has been marked as a duplicate of this bug. ***

Comment 2 Naga Ravi Chaitanya Elluri 2018-07-26 21:20:41 UTC
(In reply to Milos Malik from comment #0)
> +++ This bug was initially created as a clone of Bug #1447800 +++
> 
> Problem description:
> the haproxy service does not start
> 
> NVRs:
> haproxy-1.5.18-7.el7.x86_64
> selinux-policy-3.13.1-207.el7.noarch
> selinux-policy-devel-3.13.1-207.el7.noarch
> selinux-policy-doc-3.13.1-207.el7.noarch
> selinux-policy-minimum-3.13.1-207.el7.noarch
> selinux-policy-mls-3.13.1-207.el7.noarch
> selinux-policy-sandbox-3.13.1-207.el7.noarch
> selinux-policy-targeted-3.13.1-207.el7.noarch
> 
> 1) Install haproxy 
> sudo dnf install haproxy
> 
> 2) Start the service
> sudo systemctl start haproxy
> 
> haproxy doesn't start
> systemctl status haproxy
> ● haproxy.service - HAProxy Load Balancer
>    Loaded: loaded (/usr/lib/systemd/system/haproxy.service; disabled; vendor
> preset: disabled)
>    Active: failed (Result: exit-code) since Wed 2017-05-03 22:59:11 CEST;
> 2min 26s ago
>   Process: 11304 ExecStart=/usr/sbin/haproxy-systemd-wrapper -f $CONFIG -p
> $PIDFILE (code=exited, status=1/FAILURE)
>   Process: 11303 ExecStartPre=/usr/sbin/haproxy -f $CONFIG -c -q
> (code=exited, status=0/SUCCESS)
>  Main PID: 11304 (code=exited, status=1/FAILURE)
> 
> May 03 22:59:11 localhost.localdomain systemd[1]: Starting HAProxy Load
> Balancer...
> May 03 22:59:11 localhost.localdomain systemd[1]: Started HAProxy Load
> Balancer.
> May 03 22:59:11 localhost.localdomain haproxy-systemd-wrapper[11304]:
> haproxy-systemd-wrapper: executing /usr/sbin/haproxy -f
> /etc/haproxy/haproxy.cfg -p /run/haproxy.pid -Ds
> May 03 22:59:11 localhost.localdomain haproxy-systemd-wrapper[11304]:
> haproxy-systemd-wrapper: execv(/usr/sbin/haproxy) failed, please try again
> later.
> May 03 22:59:11 localhost.localdomain haproxy-systemd-wrapper[11304]:
> haproxy-systemd-wrapper: exit, haproxy RC=1
> May 03 22:59:11 localhost.localdomain systemd[1]: haproxy.service: Main
> process exited, code=exited, status=1/FAILURE
> May 03 22:59:11 localhost.localdomain systemd[1]: haproxy.service: Unit
> entered failed state.
> May 03 22:59:11 localhost.localdomain systemd[1]: haproxy.service: Failed
> with result 'exit-code'.
> 
> journalctl reports:
> 
> May 03 23:03:15 localhost.localdomain setroubleshoot[11308]: SELinux is
> preventing haproxy-systemd from execute_no_trans access on the file
> /usr/sbin/haproxy. For complete SELinux messages. run sealert -l
> 254e4717-9e9f-4d83-bc28-3abc60097348
> SELinux is preventing haproxy-systemd from 'execute_no_trans' accesses on
> the file /usr/sbin/haproxy.
> 
> *****  Plugin catchall (100. confidence) suggests  
> **************************
> 
> If you believe that haproxy-systemd should be allowed execute_no_trans
> access on the haproxy file by default.
> Then you should report this as a bug.
> You can generate a local policy module to allow this access.
> Do
> allow this access for now by executing:
> # ausearch -c 'haproxy-systemd' --raw | audit2allow -M my-haproxysystemd
> # semodule -X 300 -i my-haproxysystemd.pp
> 
> Additional Information:
> Source Context                system_u:system_r:haproxy_t:s0
> Target Context                system_u:object_r:haproxy_exec_t:s0
> Target Objects                /usr/sbin/haproxy [ file ]
> Source                        haproxy-systemd
> Source Path                   haproxy-systemd
> Port                          <Unknown>
> Host                          (removed)
> Source RPM Packages           
> Target RPM Packages           haproxy-1.7.3-2.fc26.x86_64
> Policy RPM                    selinux-policy-3.13.1-251.fc26.noarch
> Selinux Enabled               True
> Policy Type                   targeted
> Enforcing Mode                Enforcing
> Host Name                     (removed)
> Platform                      Linux (removed)
> 4.11.0-0.rc8.git0.1.fc26.x86_64 #1
>                               SMP Mon Apr 24 15:42:54 UTC 2017 x86_64 x86_64
> Alert Count                   3
> First Seen                    2017-05-03 22:55:52 CEST
> Last Seen                     2017-05-03 22:59:11 CEST
> Local ID                      254e4717-9e9f-4d83-bc28-3abc60097348
> 
> Raw Audit Messages
> type=AVC msg=audit(1493845151.171:584): avc:  denied  { execute_no_trans }
> for  pid=11305 comm="haproxy-systemd" path="/usr/sbin/haproxy" dev="dm-0"
> ino=563219 scontext=system_u:system_r:haproxy_t:s0
> tcontext=system_u:object_r:haproxy_exec_t:s0 tclass=file permissive=0
> 
> 
> Hash: haproxy-systemd,haproxy_t,haproxy_exec_t,file,execute_no_trans
> 
> Version-Release number of selected component:
> selinux-policy-3.13.1-251.fc26.noarch
> 
> Additional info:
> component:      selinux-policy
> reporter:       libreport-2.9.1
> hashmarkername: setroubleshoot
> kernel:         4.11.0-0.rc8.git0.1.fc26.x86_64
> type:           libreport
> 
> --- Additional comment from Erik Logtenberg on 2017-07-22 12:11:09 EDT ---
> 
> Same here. Already a fix available?
> 
> --- Additional comment from Paramjit Oberoi on 2017-09-08 11:50:36 EDT ---
> 
> Me too.
> 
> --- Additional comment from Erik Logtenberg on 2017-09-10 07:29:18 EDT ---
> 
> So I mean, this simple module fixes it of course:
> 
> 
> module fix_haproxy 1.0;
> 
> require {
>         type haproxy_exec_t;
>         type haproxy_t;
>         class file execute_no_trans;
> }
> 
> #============= haproxy_t ==============
> allow haproxy_t haproxy_exec_t:file execute_no_trans;
> 
> Would be nice if the policy would be updated to include this permission, as
> HAProxy cannot do some of the more fancy stuff without this. Or at least
> make it a boolean or something.

Comment 6 errata-xmlrpc 2018-10-30 10:06:46 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3111


Note You need to log in before you can comment on or make changes to this bug.