Description of problem:
SELinux policy prevents caddy start

Version-Release number of selected component (if applicable):
Caddy 0.11.0 (unofficial)
Fedora release 27 (Twenty Seven)
Name    : selinux-policy-targeted
Version : 3.13.1
Release : 283.34.fc27

How reproducible:
always

Steps to Reproduce:
1. Install caddy on fedora
2. systemctl start caddy
3. systemctl status caddy (observe failed)
4. journalctl -u caddy (observe that it failed)
5. tail -n 1000 /var/log/audit/audit.log | grep caddy (observe AVC denials)

Actual results:
crashes

Expected results:
not crashing

Additional info:
Bug was initially posted by me here; it contains more information and my fix for it:
https://github.com/mholt/caddy/issues/2203#issuecomment-407844823

avc: denied { mounton } for pid=6534 comm="(caddy)" path="/var/lib/caddy" dev="vda1" ino=270438 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_var_lib_t:s0 tclass=dir permissive=0
avc: denied { read } for pid=6534 comm="caddy" name="somaxconn" dev="proc" ino=18026 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=0
avc: denied { mounton } for pid=6540 comm="(caddy)" path="/var/lib/caddy" dev="vda1" ino=270438 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_var_lib_t:s0 tclass=dir permissive=0
avc: denied { read } for pid=6540 comm="caddy" name="somaxconn" dev="proc" ino=18026 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=0
I completely forgot to add (it's in the original report) that the binds on UDP 80/443 are due to QUIC, which is enabled here:

# /etc/systemd/system/caddy.service.d/override.conf
[Service]
ExecStart=
ExecStart=/usr/bin/caddy -conf /etc/caddy/caddy.conf -log stdout -root /tmp -quic -agree
Currently caddy is reusing httpd file labels to function with SELinux enforcing.
https://src.fedoraproject.org/rpms/caddy/c/b85070ce0561800bcb5a2eeec08f5896786e2f68

That approach has the benefit of not having to maintain a caddy-specific policy. You've discovered a drawback to that approach, which is that SELinux doesn't think that the httpd_exec_t type should be binding to 80/udp and 443/udp. I was hoping that I could just report this as a bug on the httpd policy, but then I discovered that httpd doesn't support QUIC, so it probably wouldn't get much traction. I'm going to do a bit more research and see what the best path forward would be.
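A small triage helper for the AVC denials quoted in the report above, added here as an example and not part of this bug thread or the caddy package. It parses audit.log records, keeps only enforced denials from the caddy unit, and groups them by source domain, target type, object class and permission, which is the grouping you need before deciding between a file-context change, a port label, or a local policy module. The audit.log framing (type=AVC msg=audit(...)) and the trailing SERVICE_START record are constructed around the four denials from the report.

```python
import re
from collections import Counter

# Constructed sample: the four AVC records from the report wrapped in audit.log
# framing (timestamps/serials invented), plus one non-AVC record to be skipped.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1532500000.101:421): avc:  denied  { mounton } for  pid=6534 comm="(caddy)" path="/var/lib/caddy" dev="vda1" ino=270438 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_var_lib_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1532500000.103:422): avc:  denied  { read } for  pid=6534 comm="caddy" name="somaxconn" dev="proc" ino=18026 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=0
type=AVC msg=audit(1532500010.201:430): avc:  denied  { mounton } for  pid=6540 comm="(caddy)" path="/var/lib/caddy" dev="vda1" ino=270438 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_var_lib_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1532500010.203:431): avc:  denied  { read } for  pid=6540 comm="caddy" name="somaxconn" dev="proc" ino=18026 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=0
type=SERVICE_START msg=audit(1532500010.300:432): pid=1 uid=0 subj=system_u:system_r:init_t:s0 msg='unit=caddy comm="systemd" res=failed'
"""

# "avc: denied { perm [perm ...] } for key=value ..." ; values may be quoted.
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial record, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = tuple(m.group("perms").split())
    # The type is the third field of a user:role:type:level context label.
    rec["sdomain"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    # permissive=0 means the access was actually blocked, not just logged.
    rec["enforced"] = rec.get("permissive") == "0"
    return rec


def summarize(text, comm_filter=None):
    """Count enforced denials keyed by (source domain, target type, class, perm).

    comm_filter keeps only records whose comm contains the substring, so the
    systemd-side "(caddy)" records are grouped together with the "caddy" ones.
    """
    counts = Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or not rec["enforced"]:
            continue
        if comm_filter and comm_filter not in rec.get("comm", ""):
            continue
        for perm in rec["perms"]:
            counts[(rec["sdomain"], rec["ttype"], rec["tclass"], perm)] += 1
    return counts


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_AUDIT, "caddy").items()):
        print(n, *key)
```

On a live host the same summary comes from feeding it `ausearch -m avc -c caddy` output; the two groups it produces for the report's lines are init_t mounting on httpd_var_lib_t (the systemd sandboxing of /var/lib/caddy) and httpd_t reading sysctl_net_t (the somaxconn read).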
caddy-0.11.0-3.el7 has been submitted as an update to Fedora EPEL 7. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-960cae316e
caddy-0.11.0-3.fc29 has been submitted as an update to Fedora 29. https://bodhi.fedoraproject.org/updates/FEDORA-2018-3f9079e7b8
caddy-0.11.0-3.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-20468c2bd6
caddy-0.11.0-3.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-ccc928e047
caddy-0.11.0-3.fc29 has been pushed to the Fedora 29 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-3f9079e7b8
caddy-0.11.0-3.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-ccc928e047
caddy-0.11.0-3.el7 has been pushed to the Fedora EPEL 7 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2018-960cae316e
caddy-0.11.0-3.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-20468c2bd6
caddy-0.11.0-3.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.
caddy-0.11.0-3.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.
caddy-0.11.0-3.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.
caddy-0.11.0-3.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.