HAProxy not workign with SELinux enforcing

JaredBusch

@stacksofplates said in HAProxy not workign with SELinux enforcing:

I'm guessing setting the haproxy_connect_any boolean to on would help. What did your sealert messages show?

Dunno, because i have not installed those tools yet. Will be doing so tongiht when I troubleshoot.

JaredBusch

well fuck.. it is the cert...

Raw Audit Messages
type=AVC msg=audit(1510032895.947:1476): avc:  denied  { read } for  pid=28096 comm="haproxy" name="ssub.domain.com.pem" dev="dm-0" ino=16962980 scontext=system_u:system_r:haproxy_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=1

JaredBusch

Now I know why I didn't have this problem on another install I did.

That system only has a single cert setup from the local Exchange server. The location I dropped it must already have permissions.

But this server I have that Exchange cert (no errors) and this cert generated by a cat command after LE runs.

I ran that cat command the first time from the root user home directory and then moved it.

momurda

@jaredbusch Does this mean you need to only change permissions on the cert file?

JaredBusch

@momurda said in HAProxy not workign with SELinux enforcing:

@jaredbusch Does this mean you need to only change permissions on the cert file?

I will delete it and recreate it directly into the right location and make sure it has the right permissions.

Because this will have to become part of a script to ensure LE updates going forward.

HAProxy does not work with LE because HAProxy requires the cert to be in a single combined file and LE doesn't to that.

JaredBusch

Hrm. my ctrl+R search shows I did it right into the directory. But I did manually copy it once first. I bet overwriting does not fix SELinux context?

cat /etc/letsencrypt/live/pbx.domain.com/fullchain.pem /etc/letsencrypt/live/pbx.domain.com/privkey.pem > /etc/haproxy/certs/pbx.domain.com.pem

JaredBusch

Cleared the audit log (moved it) and then rebooted the server again. Only this now.

No idea what this means. Does anyone else?

[root@exchangeproxy ~]# sealert -a /var/log/audit/audit.log 
100% done
found 1 alerts in /var/log/audit/audit.log
--------------------------------------------------------------------------------

SELinux is preventing haproxy-systemd from execute_no_trans access on the file /usr/sbin/haproxy.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that haproxy-systemd should be allowed execute_no_trans access on the haproxy file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'haproxy-systemd' --raw | audit2allow -M my-haproxysystemd
# semodule -X 300 -i my-haproxysystemd.pp


Additional Information:
Source Context                system_u:system_r:haproxy_t:s0
Target Context                system_u:object_r:haproxy_exec_t:s0
Target Objects                /usr/sbin/haproxy [ file ]
Source                        haproxy-systemd
Source Path                   haproxy-systemd
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages           
Target RPM Packages           haproxy-1.7.9-1.fc26.x86_64
Policy RPM                    selinux-policy-3.13.1-260.13.fc26.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     exchangeproxy.domain.local
Platform                      Linux exchangeproxy.domain.local
                              4.13.9-200.fc26.x86_64 #1 SMP Mon Oct 23 13:52:45
                              UTC 2017 x86_64 x86_64
Alert Count                   1
First Seen                    2017-11-27 18:33:37 CST
Last Seen                     2017-11-27 18:33:37 CST
Local ID                      39e99f05-e873-4b45-bbdb-029da98dac90

Raw Audit Messages
type=AVC msg=audit(1511829217.493:100): avc:  denied  { execute_no_trans } for  pid=630 comm="haproxy-systemd" path="/usr/sbin/haproxy" dev="dm-0" ino=8718069 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:haproxy_exec_t:s0 tclass=file permissive=0


Hash: haproxy-systemd,haproxy_t,haproxy_exec_t,file,execute_no_trans

[root@exchangeproxy ~]#

JaredBusch

Obviously, I can run the above audit2allow and make it work, but that doesn't help me with the next install. I have to make it fail once and install the setroubleshoot before I can fix it under that scenario.

stacksofplates

@jaredbusch said in HAProxy not workign with SELinux enforcing:

execute_no_trans

Ya this is further than I have had to deal with. I think the execute_no_trans has to deal with transitioning from domains. That's all I know about it. I think for that to work you have to define the entrypoint for the type, but I don't know how to do that.

stacksofplates

What is the context type on the cert vs the content type of the directory?

JaredBusch

@stacksofplates said in HAProxy not workign with SELinux enforcing:

What is the context type on the cert vs the content type of the directory?

I recreated the cert in the same directory as the other and that problem went away.

They are both in /etc/pki/tls/certs now

-rw-r--r--. 1 root root unconfined_u:object_r:cert_t:s0 5217 Nov 27 18:26 pbx.domain.com.pem
-rw-------. 1 root root unconfined_u:object_r:cert_t:s0 3659 Oct  9 21:15 remote.domain.com.pem

JaredBusch

@stacksofplates said in HAProxy not workign with SELinux enforcing:

@jaredbusch said in HAProxy not workign with SELinux enforcing:

execute_no_trans

Ya this is further than I have had to deal with. I think the execute_no_trans has to deal with transitioning from domains. That's all I know about it. I think for that to work you have to define the entrypoint for the type, but I don't know how to do that.

Looks like I am not alone.
https://bugzilla.redhat.com/show_bug.cgi?id=1447800

JaredBusch

@jaredbusch said in HAProxy not workign with SELinux enforcing:

@stacksofplates said in HAProxy not workign with SELinux enforcing:

@jaredbusch said in HAProxy not workign with SELinux enforcing:

execute_no_trans

Ya this is further than I have had to deal with. I think the execute_no_trans has to deal with transitioning from domains. That's all I know about it. I think for that to work you have to define the entrypoint for the type, but I don't know how to do that.

Looks like I am not alone.
https://bugzilla.redhat.com/show_bug.cgi?id=1447800

and fuck.. it was fixed and pushed live on the 15th.

0_1511830466302_97500aa8-dd0a-4fc3-9573-0ff4d25d108e-image.png

Apparently i never setup this server to auto update...

JaredBusch

@jaredbusch said in HAProxy not workign with SELinux enforcing:

Apparently i never setup this server to auto update...

Ayup.....

[root@exchangeproxy ~]# dnf -y update
Last metadata expiration check: 0:08:45 ago on Mon 27 Nov 2017 06:44:36 PM CST.
Dependencies resolved.
==================================================================================================================================
 Package                                   Arch                  Version                            Repository               Size
==================================================================================================================================

<snip>

Upgrading:
 selinux-policy                            noarch                3.13.1-260.14.fc26                 updates                 508 k
 selinux-policy-targeted                   noarch                3.13.1-260.14.fc26                 updates                 9.4 M

<snip>

Transaction Summary
==================================================================================================================================
Install   3 Packages
Upgrade  43 Packages
Remove    3 Packages