HAProxy not working with SELinux enforcing



  • I have a new HAProxy setup for a client to proxy Exchange and it works great as long as SELinux is set to permissive.

    What is the best way to troubleshoot?

    I can run semanage or sealert or whatever and just allow what it finds, but I want to plan this for the next deployment.



  • @jaredbusch said in HAProxy not working with SELinux enforcing:

    I have a new HAProxy setup for a client to proxy Exchange and it works great as long as SELinux is set to permissive.

    What is the best way to troubleshoot?

    I can run semanage or sealert or whatever and just allow what it finds, but I want to plan this for the next deployment.

    I ran into this as well.





  • I'm guessing setting the haproxy_connect_any boolean to on would help. What did your sealert messages show?



  • @stacksofplates said in HAProxy not working with SELinux enforcing:

    I'm guessing setting the haproxy_connect_any boolean to on would help. What did your sealert messages show?

    Dunno, because I have not installed those tools yet. Will be doing so tonight when I troubleshoot.



  • well fuck.. it is the cert...

    Raw Audit Messages
    type=AVC msg=audit(1510032895.947:1476): avc:  denied  { read } for  pid=28096 comm="haproxy" name="ssub.domain.com.pem" dev="dm-0" ino=16962980 scontext=system_u:system_r:haproxy_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=1
    


  • Now I know why I didn't have this problem on another install I did.

    That system only has a single cert setup from the local Exchange server. The location I dropped it must already have permissions.

    But on this server I have that Exchange cert (no errors) and this cert generated by a cat command after LE runs.

    I ran that cat command the first time from the root user home directory and then moved it.
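The AVC line quoted above already names the cause: the file is labelled admin_home_t because it was created under /root and moved, and haproxy_t is not allowed to read that type. As an added example that is not part of this thread, the POSIX shell script below pulls the fields out of raw AVC lines and prints a one-line verdict plus a next step, so a denial can be triaged before setroubleshoot is even installed. The two sample lines are the audit messages quoted in this thread; the rule of thumb in avc_hint (a home or tmp label on a file a daemon reads means the file was created elsewhere and moved) is an assumption, not policy text.

```shell
#!/bin/sh
# Added example (not from the thread): parse raw AVC audit lines into their
# fields and give a quick verdict, without setroubleshoot/sealert installed.

# Print the value of KEY from an audit line, with surrounding quotes removed.
# The key must be preceded by whitespace so 'scontext' never matches inside
# 'tcontext'.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# Print the permission named inside '{ ... }' (one per AVC record).
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([a-z_]*\) *}.*/\1/p'
}

# Print the type component (third field) of an SELinux context.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# One-line verdict: which domain was denied what, on which label, and whether
# the access was actually blocked (permissive=1 means it was only logged).
avc_summary() {
    src=$(ctx_type "$(avc_field "$1" scontext)")
    tgt=$(ctx_type "$(avc_field "$1" tcontext)")
    cls=$(avc_field "$1" tclass)
    perm=$(avc_perm "$1")
    if [ "$(avc_field "$1" permissive)" = 1 ]; then
        eff="logged only (permissive)"
    else
        eff="blocked (enforcing)"
    fi
    printf '%s denied %s on %s labelled %s: %s\n' "$src" "$perm" "$cls" "$tgt" "$eff"
}

# Heuristic next step (assumption: a home/tmp label on a file a daemon reads
# almost always means the file was created elsewhere and moved into place).
avc_hint() {
    case $(ctx_type "$(avc_field "$1" tcontext)") in
        *_home_t|tmp_t|user_tmp_t)
            echo "file carries a home/tmp label: recreate it in place or run restorecon -v on it" ;;
        *)
            echo "target label looks intentional: check getsebool -a for a relevant boolean, then the selinux-policy version" ;;
    esac
}

# Constructed input: the two raw audit messages quoted in this thread.
SAMPLE_READ='type=AVC msg=audit(1510032895.947:1476): avc:  denied  { read } for  pid=28096 comm="haproxy" name="ssub.domain.com.pem" dev="dm-0" ino=16962980 scontext=system_u:system_r:haproxy_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=1'
SAMPLE_EXEC='type=AVC msg=audit(1511829217.493:100): avc:  denied  { execute_no_trans } for  pid=630 comm="haproxy-systemd" path="/usr/sbin/haproxy" dev="dm-0" ino=8718069 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:haproxy_exec_t:s0 tclass=file permissive=0'

for line in "$SAMPLE_READ" "$SAMPLE_EXEC"; do
    avc_summary "$line"
    avc_hint "$line"
done
```

On a live host the same functions can be fed from the audit log directly, for example `ausearch -m AVC -ts recent --raw | while read -r line; do avc_summary "$line"; done`, which is enough to tell a mislabelled file (fix the label) from a policy gap (boolean or policy update) before reaching for audit2allow.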



  • @jaredbusch Does this mean you need to only change permissions on the cert file?



  • @momurda said in HAProxy not working with SELinux enforcing:

    @jaredbusch Does this mean you need to only change permissions on the cert file?

    I will delete it and recreate it directly into the right location and make sure it has the right permissions.

    Because this will have to become part of a script to ensure LE updates going forward.

    HAProxy does not work with LE because HAProxy requires the cert to be in a single combined file and LE doesn't do that.



  • Hrm. My ctrl+R search shows I did it right into the directory. But I did manually copy it once first. I bet overwriting does not fix SELinux context?

    cat /etc/letsencrypt/live/pbx.domain.com/fullchain.pem /etc/letsencrypt/live/pbx.domain.com/privkey.pem > /etc/haproxy/certs/pbx.domain.com.pem
    
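The guess in the post above is right: redirecting with `>` onto an existing file truncates it but keeps the label the inode already has, `mv` from /root carries admin_home_t along with the file, and only a file created fresh inside /etc/haproxy/certs gets that directory's default label. The script below is an added example, not something from the thread or from HAProxy or certbot, showing how the cat step can be scripted for the next deployment so the combined PEM is always born in the right directory with mode 600 and a freshly applied label. The Let's Encrypt and HAProxy paths are assumptions modelled on the thread; the demo at the bottom uses constructed placeholder files, not real certificate or key material.

```shell
#!/bin/sh
# Added example (not from the thread): build the single combined PEM that
# HAProxy needs from Let's Encrypt's fullchain + privkey, creating it inside
# the target directory so it inherits that directory's SELinux default label.
set -eu

# Write fullchain + privkey to OUT via a temp file in OUT's own directory.
# The temp file gets the directory's default label at creation, and an mv
# within one directory keeps that label, so no admin_home_t ever leaks in.
build_combined_pem() {
    fullchain=$1; privkey=$2; out=$3
    dir=$(dirname "$out")
    tmp=$(mktemp "$dir/.pem.XXXXXX")
    chmod 600 "$tmp"                       # private key: never world-readable
    cat "$fullchain" "$privkey" > "$tmp"
    mv -f "$tmp" "$out"
    # Re-apply the label the policy expects; harmless when already correct,
    # decisive when an earlier copy was moved in from somewhere else.
    if command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled; then
        restorecon -F "$out"
    fi
}

# Octal permission bits of a file (GNU stat, with a BSD stat fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# Pre-start check: the label the policy expects next to the one the file has.
# Assumes coreutils 'ls -Z' output, which prints the context first.
label_check() {
    if command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled; then
        expected=$(matchpathcon -n "$1")
        actual=$(ls -Z "$1" | awk '{print $1}')
        printf 'expected=%s actual=%s\n' "$expected" "$actual"
    else
        echo "SELinux not enabled here; label check skipped"
    fi
}

# Demo with constructed placeholder files (not real certificate or key data).
# Assumed real-world paths: /etc/letsencrypt/live/<host>/{fullchain,privkey}.pem
# as inputs and /etc/haproxy/certs/<host>.pem as the output.
work=$(mktemp -d)
mkdir -p "$work/certs"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED-FULLCHAIN' '-----END CERTIFICATE-----' > "$work/fullchain.pem"
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'CONSTRUCTED-KEY' '-----END PRIVATE KEY-----' > "$work/privkey.pem"
build_combined_pem "$work/fullchain.pem" "$work/privkey.pem" "$work/certs/pbx.example.pem"
label_check "$work/certs/pbx.example.pem"
```

Run as a certbot deploy hook (or from cron after renewal) pointing at the real paths; because the output is created in place and restorecon is applied, the file never carries a home-directory label no matter where the operator ran the first manual copy from.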


  • Cleared the audit log (moved it) and then rebooted the server again. Only this now.

    No idea what this means. Does anyone else?

    [root@exchangeproxy ~]# sealert -a /var/log/audit/audit.log 
    100% done
    found 1 alerts in /var/log/audit/audit.log
    --------------------------------------------------------------------------------
    
    SELinux is preventing haproxy-systemd from execute_no_trans access on the file /usr/sbin/haproxy.
    
    *****  Plugin catchall (100. confidence) suggests   **************************
    
    If you believe that haproxy-systemd should be allowed execute_no_trans access on the haproxy file by default.
    Then you should report this as a bug.
    You can generate a local policy module to allow this access.
    Do
    allow this access for now by executing:
    # ausearch -c 'haproxy-systemd' --raw | audit2allow -M my-haproxysystemd
    # semodule -X 300 -i my-haproxysystemd.pp
    
    
    Additional Information:
    Source Context                system_u:system_r:haproxy_t:s0
    Target Context                system_u:object_r:haproxy_exec_t:s0
    Target Objects                /usr/sbin/haproxy [ file ]
    Source                        haproxy-systemd
    Source Path                   haproxy-systemd
    Port                          <Unknown>
    Host                          <Unknown>
    Source RPM Packages           
    Target RPM Packages           haproxy-1.7.9-1.fc26.x86_64
    Policy RPM                    selinux-policy-3.13.1-260.13.fc26.noarch
    Selinux Enabled               True
    Policy Type                   targeted
    Enforcing Mode                Enforcing
    Host Name                     exchangeproxy.domain.local
    Platform                      Linux exchangeproxy.domain.local
                                  4.13.9-200.fc26.x86_64 #1 SMP Mon Oct 23 13:52:45
                                  UTC 2017 x86_64 x86_64
    Alert Count                   1
    First Seen                    2017-11-27 18:33:37 CST
    Last Seen                     2017-11-27 18:33:37 CST
    Local ID                      39e99f05-e873-4b45-bbdb-029da98dac90
    
    Raw Audit Messages
    type=AVC msg=audit(1511829217.493:100): avc:  denied  { execute_no_trans } for  pid=630 comm="haproxy-systemd" path="/usr/sbin/haproxy" dev="dm-0" ino=8718069 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:haproxy_exec_t:s0 tclass=file permissive=0
    
    
    Hash: haproxy-systemd,haproxy_t,haproxy_exec_t,file,execute_no_trans
    
    [root@exchangeproxy ~]# 
    


  • Obviously, I can run the above audit2allow and make it work, but that doesn't help me with the next install. I have to make it fail once and install the setroubleshoot before I can fix it under that scenario.



  • @jaredbusch said in HAProxy not working with SELinux enforcing:

    execute_no_trans

    Ya this is further than I have had to deal with. I think the execute_no_trans has to deal with transitioning from domains. That's all I know about it. I think for that to work you have to define the entrypoint for the type, but I don't know how to do that.



  • What is the context type on the cert vs the content type of the directory?



  • @stacksofplates said in HAProxy not working with SELinux enforcing:

    What is the context type on the cert vs the content type of the directory?

    I recreated the cert in the same directory as the other and that problem went away.

    They are both in /etc/pki/tls/certs now

    -rw-r--r--. 1 root root unconfined_u:object_r:cert_t:s0 5217 Nov 27 18:26 pbx.domain.com.pem
    -rw-------. 1 root root unconfined_u:object_r:cert_t:s0 3659 Oct  9 21:15 remote.domain.com.pem
    
    


  • @stacksofplates said in HAProxy not working with SELinux enforcing:

    @jaredbusch said in HAProxy not working with SELinux enforcing:

    execute_no_trans

    Ya this is further than I have had to deal with. I think the execute_no_trans has to deal with transitioning from domains. That's all I know about it. I think for that to work you have to define the entrypoint for the type, but I don't know how to do that.

    Looks like I am not alone.
    https://bugzilla.redhat.com/show_bug.cgi?id=1447800



  • @jaredbusch said in HAProxy not working with SELinux enforcing:

    @stacksofplates said in HAProxy not working with SELinux enforcing:

    @jaredbusch said in HAProxy not working with SELinux enforcing:

    execute_no_trans

    Ya this is further than I have had to deal with. I think the execute_no_trans has to deal with transitioning from domains. That's all I know about it. I think for that to work you have to define the entrypoint for the type, but I don't know how to do that.

    Looks like I am not alone.
    https://bugzilla.redhat.com/show_bug.cgi?id=1447800

    and fuck.. it was fixed and pushed live on the 15th.


    Apparently I never set up this server to auto update...



  • @jaredbusch said in HAProxy not working with SELinux enforcing:

    Apparently I never set up this server to auto update...

    Ayup.....

    [root@exchangeproxy ~]# dnf -y update
    Last metadata expiration check: 0:08:45 ago on Mon 27 Nov 2017 06:44:36 PM CST.
    Dependencies resolved.
    ==================================================================================================================================
     Package                                   Arch                  Version                            Repository               Size
    ==================================================================================================================================
    
    <snip>
    
    Upgrading:
     selinux-policy                            noarch                3.13.1-260.14.fc26                 updates                 508 k
     selinux-policy-targeted                   noarch                3.13.1-260.14.fc26                 updates                 9.4 M
    
    <snip>
    
    Transaction Summary
    ==================================================================================================================================
    Install   3 Packages
    Upgrade  43 Packages
    Remove    3 Packages
    
    
