Bug 1597076
Summary: | selinux preventing haproxy starting (/var/lib/haproxy/stats deny) | | |
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Ian Donaldson <iand> |
Component: | haproxy | Assignee: | Ryan O'Hara <rohara> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | medium | Docs Contact: | |
Priority: | unspecified | | |
Version: | 28 | CC: | bperkins, carl, dwalsh, jeremy, lvrabec, mgrepl, plautrba, pmoore, rohara |
Target Milestone: | --- | | |
Target Release: | --- | | |
Hardware: | x86_64 | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | haproxy-1.8.12-2.fc28 | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2018-07-23 21:24:06 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
Ian Donaldson
2018-07-02 02:01:42 UTC
Hi, This looks more like a packaging issue than an SELinux policy one. Moving to the proper component. For more info see: https://lukas-vrabec.com/index.php/2018/07/03/why-do-you-see-dac_override-selinux-denials/

I just recreated this problem on F28. The explanation in the blog post linked in comment #1 seems reasonable. In this case haproxy daemon is not running as root:root but rather haproxy:haproxy. The directory where the UNIX socket is being created (/var/lib/haproxy/) is correctly owned by haproxy:haproxy. I set SELinux to permissive, ran the test again and noticed that the actual stats socket (/var/lib/haproxy/stats) is owned by root:root. I think that is the problem. The haproxy process is running as haproxy:haproxy yet is attempting to create a UNIX socket owned by root:root. Don't have a good solution at the moment.

The solution is to change the owner of /var/lib/haproxy/ to root:root instead of haproxy:haproxy. This allowed haproxy to start without error using a stats socket. I'll fix the ownership in the spec file and get an update out soon. Thanks for reporting this.

(In reply to Ryan O'Hara from comment #3)
> The solution is to change the owner of /var/lib/haproxy/ to root:root
> instead of haproxy:haproxy. This allowed haproxy to start without error
> using a stats socket. I'll fix the ownership in the spec file and get an
> update out soon. Thanks for reporting this.

Note that /var/lib/haproxy/ is the home directory for the haproxy user, which is created at install time. I am not sure if it is acceptable to change this directory's owner/group to anything other than 'haproxy'. I will need to investigate.

haproxy-1.8.12-2.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-941d094624

haproxy-1.8.12-2.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-941d094624

haproxy-1.8.12-2.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.
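The ownership change discussed in the thread, worked through as an added example that is not part of the bug report or of the haproxy package: it models the classic Unix permission check to show when a uid 0 process can only create the socket through CAP_DAC_OVERRIDE, the capability SELinux checks as `dac_override`. Assumptions: the socket is bound while the process still has uid 0 (suggested by the root:root socket ownership reported above), the directory mode is 0755, and the uid/gid 188 for the haproxy account is a constructed sample value.

```python
def dac_allows(mode, owner_uid, owner_gid, uid, gids, want):
    """Classic Unix check: select ONE class (owner, group or other) and test
    its bits. There is no fall-through to a more permissive class."""
    if uid == owner_uid:
        bits = (mode >> 6) & 7
    elif owner_gid in gids:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return (bits & want) == want


def needs_dac_override(mode, owner_uid, owner_gid, uid, gids, want):
    """True when uid 0 is refused by the mode bits, so the access succeeds
    only via CAP_DAC_OVERRIDE (and SELinux must allow dac_override)."""
    if uid != 0:
        return False  # an unprivileged process has no capability to fall back on
    return not dac_allows(mode, owner_uid, owner_gid, uid, gids, want)


# Creating a directory entry (the stats socket) needs write + search.
CREATE_ENTRY = 0o3

# Constructed sample values; 0755 and id 188 are assumptions, not from the page.
HAPROXY_ID = 188
BEFORE = dict(mode=0o755, owner_uid=HAPROXY_ID, owner_gid=HAPROXY_ID)  # haproxy:haproxy
AFTER = dict(mode=0o755, owner_uid=0, owner_gid=0)                     # root:root


def summarize():
    """Return {label: needs_dac_override} for root binding the stats socket."""
    root = dict(uid=0, gids={0}, want=CREATE_ENTRY)
    return {
        "before (haproxy:haproxy)": needs_dac_override(**BEFORE, **root),
        "after (root:root)": needs_dac_override(**AFTER, **root),
    }


if __name__ == "__main__":
    for label, needed in summarize().items():
        print(f"{label}: dac_override needed = {needed}")
```

With the directory owned by root, the owner bits apply to uid 0 and no capability check is triggered, which matches the fix described in comment #3.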