HAProxy not workign with SELinux enforcing
-
@jaredbusch said in HAProxy not workign with SELinux enforcing:
I have a new HAProxy setup for a client to proxy Exchange and it workds great as long as SElinux is set to permissive.
What is the best way to troubleshoot?
I can run
semanageorsealertor whatever and just allow what it finds, but I want to plan this for the next deployment.I ran into this as well.
-
-
I'm guessing setting the haproxy_connect_any boolean to on would help. What did your sealert messages show?
-
@stacksofplates said in HAProxy not workign with SELinux enforcing:
I'm guessing setting the haproxy_connect_any boolean to on would help. What did your sealert messages show?
Dunno, because i have not installed those tools yet. Will be doing so tongiht when I troubleshoot.
-
well fuck.. it is the cert...
Raw Audit Messages type=AVC msg=audit(1510032895.947:1476): avc: denied { read } for pid=28096 comm="haproxy" name="ssub.domain.com.pem" dev="dm-0" ino=16962980 scontext=system_u:system_r:haproxy_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=1 -
Now I know why I didn't have this problem on another install I did.
That system only has a single cert setup from the local Exchange server. The location I dropped it must already have permissions.
But this server I have that Exchange cert (no errors) and this cert generated by a
catcommand after LE runs.I ran that
catcommand the first time from the root user home directory and then moved it. -
@jaredbusch Does this mean you need to only change permissions on the cert file?
-
@momurda said in HAProxy not workign with SELinux enforcing:
@jaredbusch Does this mean you need to only change permissions on the cert file?
I will delete it and recreate it directly into the right location and make sure it has the right permissions.
Because this will have to become part of a script to ensure LE updates going forward.
HAProxy does not work with LE because HAProxy requires the cert to be in a single combined file and LE doesn't to that.
-
Hrm. my ctrl+R search shows I did it right into the directory. But I did manually copy it once first. I bet overwriting does not fix SELinux context?
cat /etc/letsencrypt/live/pbx.domain.com/fullchain.pem /etc/letsencrypt/live/pbx.domain.com/privkey.pem > /etc/haproxy/certs/pbx.domain.com.pem -
Cleared the audit log (moved it) and then rebooted the server again. Only this now.
No idea what this means. Does anyone else?
[root@exchangeproxy ~]# sealert -a /var/log/audit/audit.log 100% done found 1 alerts in /var/log/audit/audit.log -------------------------------------------------------------------------------- SELinux is preventing haproxy-systemd from execute_no_trans access on the file /usr/sbin/haproxy. ***** Plugin catchall (100. confidence) suggests ************************** If you believe that haproxy-systemd should be allowed execute_no_trans access on the haproxy file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'haproxy-systemd' --raw | audit2allow -M my-haproxysystemd # semodule -X 300 -i my-haproxysystemd.pp Additional Information: Source Context system_u:system_r:haproxy_t:s0 Target Context system_u:object_r:haproxy_exec_t:s0 Target Objects /usr/sbin/haproxy [ file ] Source haproxy-systemd Source Path haproxy-systemd Port <Unknown> Host <Unknown> Source RPM Packages Target RPM Packages haproxy-1.7.9-1.fc26.x86_64 Policy RPM selinux-policy-3.13.1-260.13.fc26.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name exchangeproxy.domain.local Platform Linux exchangeproxy.domain.local 4.13.9-200.fc26.x86_64 #1 SMP Mon Oct 23 13:52:45 UTC 2017 x86_64 x86_64 Alert Count 1 First Seen 2017-11-27 18:33:37 CST Last Seen 2017-11-27 18:33:37 CST Local ID 39e99f05-e873-4b45-bbdb-029da98dac90 Raw Audit Messages type=AVC msg=audit(1511829217.493:100): avc: denied { execute_no_trans } for pid=630 comm="haproxy-systemd" path="/usr/sbin/haproxy" dev="dm-0" ino=8718069 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:haproxy_exec_t:s0 tclass=file permissive=0 Hash: haproxy-systemd,haproxy_t,haproxy_exec_t,file,execute_no_trans [root@exchangeproxy ~]# -
Obviously, I can run the above audit2allow and make it work, but that doesn't help me with the next install. I have to make it fail once and install the
setroubleshootbefore I can fix it under that scenario. -
@jaredbusch said in HAProxy not workign with SELinux enforcing:
execute_no_trans
Ya this is further than I have had to deal with. I think the execute_no_trans has to deal with transitioning from domains. That's all I know about it. I think for that to work you have to define the entrypoint for the type, but I don't know how to do that.
-
What is the context type on the cert vs the content type of the directory?
-
@stacksofplates said in HAProxy not workign with SELinux enforcing:
What is the context type on the cert vs the content type of the directory?
I recreated the cert in the same directory as the other and that problem went away.
They are both in
/etc/pki/tls/certsnow-rw-r--r--. 1 root root unconfined_u:object_r:cert_t:s0 5217 Nov 27 18:26 pbx.domain.com.pem -rw-------. 1 root root unconfined_u:object_r:cert_t:s0 3659 Oct 9 21:15 remote.domain.com.pem -
@stacksofplates said in HAProxy not workign with SELinux enforcing:
@jaredbusch said in HAProxy not workign with SELinux enforcing:
execute_no_trans
Ya this is further than I have had to deal with. I think the execute_no_trans has to deal with transitioning from domains. That's all I know about it. I think for that to work you have to define the entrypoint for the type, but I don't know how to do that.
Looks like I am not alone.
https://bugzilla.redhat.com/show_bug.cgi?id=1447800 -
@jaredbusch said in HAProxy not workign with SELinux enforcing:
@stacksofplates said in HAProxy not workign with SELinux enforcing:
@jaredbusch said in HAProxy not workign with SELinux enforcing:
execute_no_trans
Ya this is further than I have had to deal with. I think the execute_no_trans has to deal with transitioning from domains. That's all I know about it. I think for that to work you have to define the entrypoint for the type, but I don't know how to do that.
Looks like I am not alone.
https://bugzilla.redhat.com/show_bug.cgi?id=1447800and fuck.. it was fixed and pushed live on the 15th.
Apparently i never setup this server to auto update...
-
@jaredbusch said in HAProxy not workign with SELinux enforcing:
Apparently i never setup this server to auto update...
Ayup.....
[root@exchangeproxy ~]# dnf -y update Last metadata expiration check: 0:08:45 ago on Mon 27 Nov 2017 06:44:36 PM CST. Dependencies resolved. ================================================================================================================================== Package Arch Version Repository Size ================================================================================================================================== <snip> Upgrading: selinux-policy noarch 3.13.1-260.14.fc26 updates 508 k selinux-policy-targeted noarch 3.13.1-260.14.fc26 updates 9.4 M <snip> Transaction Summary ================================================================================================================================== Install 3 Packages Upgrade 43 Packages Remove 3 Packages
