Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1600578

Summary: SELinux prevents haproxy-systemd from 'execute_no_trans' accesses on the file /usr/sbin/haproxy
Product: Red Hat Enterprise Linux 7 Reporter: Milos Malik <mmalik>
Component: selinux-policyAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: high Docs Contact:
Priority: high    
Version: 7.6CC: bperkins, hannsj_uhl, hongkliu, lvrabec, mgrepl, mmalik, nelluri, plautrba, rbiba, ssekidde
Target Milestone: rc   
Target Release: 7.6   
Hardware: All   
OS: Linux   
Whiteboard: abrt_hash:9266a3699f0ed3d37343286ac4795d0660b6c4aa4edd64f04749b4fc0a12f675;VARIANT_ID=workstation;
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1447800 Environment:
Last Closed: 2018-10-30 10:06:46 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1600434    
Bug Blocks:    

Description Milos Malik 2018-07-12 14:15:47 UTC 
+++ This bug was initially created as a clone of Bug #1447800 +++

Problem description:
the haproxy service does not start

NVRs:
haproxy-1.5.18-7.el7.x86_64
selinux-policy-3.13.1-207.el7.noarch
selinux-policy-devel-3.13.1-207.el7.noarch
selinux-policy-doc-3.13.1-207.el7.noarch
selinux-policy-minimum-3.13.1-207.el7.noarch
selinux-policy-mls-3.13.1-207.el7.noarch
selinux-policy-sandbox-3.13.1-207.el7.noarch
selinux-policy-targeted-3.13.1-207.el7.noarch

1) Install haproxy 
sudo dnf install haproxy

2) Start the service
sudo systemctl start haproxy

haproxy doesn't start
systemctl status haproxy
● haproxy.service - HAProxy Load Balancer
   Loaded: loaded (/usr/lib/systemd/system/haproxy.service; disabled; vendor preset: disabled)
   Active: failed (Result: exit-code) since Wed 2017-05-03 22:59:11 CEST; 2min 26s ago
  Process: 11304 ExecStart=/usr/sbin/haproxy-systemd-wrapper -f $CONFIG -p $PIDFILE (code=exited, status=1/FAILURE)
  Process: 11303 ExecStartPre=/usr/sbin/haproxy -f $CONFIG -c -q (code=exited, status=0/SUCCESS)
 Main PID: 11304 (code=exited, status=1/FAILURE)

May 03 22:59:11 localhost.localdomain systemd[1]: Starting HAProxy Load Balancer...
May 03 22:59:11 localhost.localdomain systemd[1]: Started HAProxy Load Balancer.
May 03 22:59:11 localhost.localdomain haproxy-systemd-wrapper[11304]: haproxy-systemd-wrapper: executing /usr/sbin/haproxy -f /etc/haproxy/haproxy.cfg -p /run/haproxy.pid -Ds
May 03 22:59:11 localhost.localdomain haproxy-systemd-wrapper[11304]: haproxy-systemd-wrapper: execv(/usr/sbin/haproxy) failed, please try again later.
May 03 22:59:11 localhost.localdomain haproxy-systemd-wrapper[11304]: haproxy-systemd-wrapper: exit, haproxy RC=1
May 03 22:59:11 localhost.localdomain systemd[1]: haproxy.service: Main process exited, code=exited, status=1/FAILURE
May 03 22:59:11 localhost.localdomain systemd[1]: haproxy.service: Unit entered failed state.
May 03 22:59:11 localhost.localdomain systemd[1]: haproxy.service: Failed with result 'exit-code'.

journalctl reports:

May 03 23:03:15 localhost.localdomain setroubleshoot[11308]: SELinux is preventing haproxy-systemd from execute_no_trans access on the file /usr/sbin/haproxy. For complete SELinux messages. run sealert -l 254e4717-9e9f-4d83-bc28-3abc60097348
SELinux is preventing haproxy-systemd from 'execute_no_trans' accesses on the file /usr/sbin/haproxy.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that haproxy-systemd should be allowed execute_no_trans access on the haproxy file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'haproxy-systemd' --raw | audit2allow -M my-haproxysystemd
# semodule -X 300 -i my-haproxysystemd.pp

Additional Information:
Source Context                system_u:system_r:haproxy_t:s0
Target Context                system_u:object_r:haproxy_exec_t:s0
Target Objects                /usr/sbin/haproxy [ file ]
Source                        haproxy-systemd
Source Path                   haproxy-systemd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           haproxy-1.7.3-2.fc26.x86_64
Policy RPM                    selinux-policy-3.13.1-251.fc26.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.11.0-0.rc8.git0.1.fc26.x86_64 #1
                              SMP Mon Apr 24 15:42:54 UTC 2017 x86_64 x86_64
Alert Count                   3
First Seen                    2017-05-03 22:55:52 CEST
Last Seen                     2017-05-03 22:59:11 CEST
Local ID                      254e4717-9e9f-4d83-bc28-3abc60097348

Raw Audit Messages
type=AVC msg=audit(1493845151.171:584): avc:  denied  { execute_no_trans } for  pid=11305 comm="haproxy-systemd" path="/usr/sbin/haproxy" dev="dm-0" ino=563219 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:haproxy_exec_t:s0 tclass=file permissive=0


Hash: haproxy-systemd,haproxy_t,haproxy_exec_t,file,execute_no_trans

Version-Release number of selected component:
selinux-policy-3.13.1-251.fc26.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.9.1
hashmarkername: setroubleshoot
kernel:         4.11.0-0.rc8.git0.1.fc26.x86_64
type:           libreport

--- Additional comment from Erik Logtenberg on 2017-07-22 12:11:09 EDT ---

Same here. Already a fix available?

--- Additional comment from Paramjit Oberoi on 2017-09-08 11:50:36 EDT ---

Me too.

--- Additional comment from Erik Logtenberg on 2017-09-10 07:29:18 EDT ---

So I mean, this simple module fixes it of course:


module fix_haproxy 1.0;

require {
        type haproxy_exec_t;
        type haproxy_t;
        class file execute_no_trans;
}

#============= haproxy_t ==============
allow haproxy_t haproxy_exec_t:file execute_no_trans;

Would be nice if the policy would be updated to include this permission, as HAProxy cannot do some of the more fancy stuff without this. Or at least make it a boolean or something.
Comment 1 Radek Bíba 2018-07-24 08:31:07 UTC 
*** Bug 1607759 has been marked as a duplicate of this bug. ***
Comment 2 Naga Ravi Chaitanya Elluri 2018-07-26 21:20:41 UTC 
(In reply to Milos Malik from comment #0)
> +++ This bug was initially created as a clone of Bug #1447800 +++
> 
> Problem description:
> the haproxy service does not start
> 
> NVRs:
> haproxy-1.5.18-7.el7.x86_64
> selinux-policy-3.13.1-207.el7.noarch
> selinux-policy-devel-3.13.1-207.el7.noarch
> selinux-policy-doc-3.13.1-207.el7.noarch
> selinux-policy-minimum-3.13.1-207.el7.noarch
> selinux-policy-mls-3.13.1-207.el7.noarch
> selinux-policy-sandbox-3.13.1-207.el7.noarch
> selinux-policy-targeted-3.13.1-207.el7.noarch
> 
> 1) Install haproxy 
> sudo dnf install haproxy
> 
> 2) Start the service
> sudo systemctl start haproxy
> 
> haproxy doesn't start
> systemctl status haproxy
> ● haproxy.service - HAProxy Load Balancer
>    Loaded: loaded (/usr/lib/systemd/system/haproxy.service; disabled; vendor
> preset: disabled)
>    Active: failed (Result: exit-code) since Wed 2017-05-03 22:59:11 CEST;
> 2min 26s ago
>   Process: 11304 ExecStart=/usr/sbin/haproxy-systemd-wrapper -f $CONFIG -p
> $PIDFILE (code=exited, status=1/FAILURE)
>   Process: 11303 ExecStartPre=/usr/sbin/haproxy -f $CONFIG -c -q
> (code=exited, status=0/SUCCESS)
>  Main PID: 11304 (code=exited, status=1/FAILURE)
> 
> May 03 22:59:11 localhost.localdomain systemd[1]: Starting HAProxy Load
> Balancer...
> May 03 22:59:11 localhost.localdomain systemd[1]: Started HAProxy Load
> Balancer.
> May 03 22:59:11 localhost.localdomain haproxy-systemd-wrapper[11304]:
> haproxy-systemd-wrapper: executing /usr/sbin/haproxy -f
> /etc/haproxy/haproxy.cfg -p /run/haproxy.pid -Ds
> May 03 22:59:11 localhost.localdomain haproxy-systemd-wrapper[11304]:
> haproxy-systemd-wrapper: execv(/usr/sbin/haproxy) failed, please try again
> later.
> May 03 22:59:11 localhost.localdomain haproxy-systemd-wrapper[11304]:
> haproxy-systemd-wrapper: exit, haproxy RC=1
> May 03 22:59:11 localhost.localdomain systemd[1]: haproxy.service: Main
> process exited, code=exited, status=1/FAILURE
> May 03 22:59:11 localhost.localdomain systemd[1]: haproxy.service: Unit
> entered failed state.
> May 03 22:59:11 localhost.localdomain systemd[1]: haproxy.service: Failed
> with result 'exit-code'.
> 
> journalctl reports:
> 
> May 03 23:03:15 localhost.localdomain setroubleshoot[11308]: SELinux is
> preventing haproxy-systemd from execute_no_trans access on the file
> /usr/sbin/haproxy. For complete SELinux messages. run sealert -l
> 254e4717-9e9f-4d83-bc28-3abc60097348
> SELinux is preventing haproxy-systemd from 'execute_no_trans' accesses on
> the file /usr/sbin/haproxy.
> 
> *****  Plugin catchall (100. confidence) suggests  
> **************************
> 
> If you believe that haproxy-systemd should be allowed execute_no_trans
> access on the haproxy file by default.
> Then you should report this as a bug.
> You can generate a local policy module to allow this access.
> Do
> allow this access for now by executing:
> # ausearch -c 'haproxy-systemd' --raw | audit2allow -M my-haproxysystemd
> # semodule -X 300 -i my-haproxysystemd.pp
> 
> Additional Information:
> Source Context                system_u:system_r:haproxy_t:s0
> Target Context                system_u:object_r:haproxy_exec_t:s0
> Target Objects                /usr/sbin/haproxy [ file ]
> Source                        haproxy-systemd
> Source Path                   haproxy-systemd
> Port                          <Unknown>
> Host                          (removed)
> Source RPM Packages           
> Target RPM Packages           haproxy-1.7.3-2.fc26.x86_64
> Policy RPM                    selinux-policy-3.13.1-251.fc26.noarch
> Selinux Enabled               True
> Policy Type                   targeted
> Enforcing Mode                Enforcing
> Host Name                     (removed)
> Platform                      Linux (removed)
> 4.11.0-0.rc8.git0.1.fc26.x86_64 #1
>                               SMP Mon Apr 24 15:42:54 UTC 2017 x86_64 x86_64
> Alert Count                   3
> First Seen                    2017-05-03 22:55:52 CEST
> Last Seen                     2017-05-03 22:59:11 CEST
> Local ID                      254e4717-9e9f-4d83-bc28-3abc60097348
> 
> Raw Audit Messages
> type=AVC msg=audit(1493845151.171:584): avc:  denied  { execute_no_trans }
> for  pid=11305 comm="haproxy-systemd" path="/usr/sbin/haproxy" dev="dm-0"
> ino=563219 scontext=system_u:system_r:haproxy_t:s0
> tcontext=system_u:object_r:haproxy_exec_t:s0 tclass=file permissive=0
> 
> 
> Hash: haproxy-systemd,haproxy_t,haproxy_exec_t,file,execute_no_trans
> 
> Version-Release number of selected component:
> selinux-policy-3.13.1-251.fc26.noarch
> 
> Additional info:
> component:      selinux-policy
> reporter:       libreport-2.9.1
> hashmarkername: setroubleshoot
> kernel:         4.11.0-0.rc8.git0.1.fc26.x86_64
> type:           libreport
> 
> --- Additional comment from Erik Logtenberg on 2017-07-22 12:11:09 EDT ---
> 
> Same here. Already a fix available?
> 
> --- Additional comment from Paramjit Oberoi on 2017-09-08 11:50:36 EDT ---
> 
> Me too.
> 
> --- Additional comment from Erik Logtenberg on 2017-09-10 07:29:18 EDT ---
> 
> So I mean, this simple module fixes it of course:
> 
> 
> module fix_haproxy 1.0;
> 
> require {
>         type haproxy_exec_t;
>         type haproxy_t;
>         class file execute_no_trans;
> }
> 
> #============= haproxy_t ==============
> allow haproxy_t haproxy_exec_t:file execute_no_trans;
> 
> Would be nice if the policy would be updated to include this permission, as
> HAProxy cannot do some of the more fancy stuff without this. Or at least
> make it a boolean or something.
Comment 6 errata-xmlrpc 2018-10-30 10:06:46 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3111