Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.
Bug 1643560 - selinux breaks haproxy basic auth when using nbthread
Summary: selinux breaks haproxy basic auth when using nbthread
Keywords:
Status: CLOSED DUPLICATE of bug 1643941
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 29
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-10-26 14:37 UTC by Robin
Modified: 2018-10-29 13:47 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-10-29 13:47:26 UTC
Type: Bug
Embargoed:

Attachments (Terms of Use)

Description Robin 2018-10-26 14:37:34 UTC 
Description of problem: When running haproxy with the `nbthread` directive in the configuration selinux breaks the `http-request auth` functionality.


Version-Release number of selected component (if applicable): haproxy-1.8.14


How reproducible: Always


Steps to Reproduce:
1. git clone https://github.com/rbjorklin/selinux-haproxy-bug.git
2. ./setup29.sh
3. visit http://localhost:8080/
4. enter credentials test/test

Actual results: Credential popup keeps reappearing.


Expected results: Proceeds to loading page correctly.


Additional info: The above works when `setenforce 0` is executed. No selinux denials are created even with `semodule -DB`.
The problem also appears under Fedora 28.
Comment 1 Milos Malik 2018-10-29 12:44:56 UTC 
Could you collect SELinux denials, which appeared on your machine as result of the reproducer, and attach them here?

# ausearch -m avc -m user_avc -m selinux_err -m user_selinux_err -i -ts today

The denials will help us understand where the problem is.

Thank you.
Comment 2 Robin 2018-10-29 13:47:26 UTC 
I'm closing this one and setting haproxy as the target component instead of selinux-policy. Some further testing on my end showed that the problem did appear with selinux turned off after all.

*** This bug has been marked as a duplicate of bug 1643941 ***
Note You need to log in before you can comment on or make changes to this bug.