HAProxy not working with SELinux enforcing
- 
 
- 
 I'm guessing setting the haproxy_connect_any boolean to on would help. What did your sealert messages show? 
- 
 @stacksofplates said in HAProxy not working with SELinux enforcing: I'm guessing setting the haproxy_connect_any boolean to on would help. What did your sealert messages show? Dunno, because I have not installed those tools yet. Will be doing so tonight when I troubleshoot. 
- 
 well fuck.. it is the cert... Raw Audit Messages
 type=AVC msg=audit(1510032895.947:1476): avc: denied { read } for pid=28096 comm="haproxy" name="ssub.domain.com.pem" dev="dm-0" ino=16962980 scontext=system_u:system_r:haproxy_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=1
- 
 Now I know why I didn't have this problem on another install I did. That system only has a single cert setup from the local Exchange server. The location I dropped it must already have permissions. But this server I have that Exchange cert (no errors) and this cert generated by a cat command after LE runs. I ran that cat command the first time from the root user home directory and then moved it.
- 
 @jaredbusch Does this mean you need to only change permissions on the cert file? 
- 
 @momurda said in HAProxy not working with SELinux enforcing: @jaredbusch Does this mean you need to only change permissions on the cert file? I will delete it and recreate it directly into the right location and make sure it has the right permissions. Because this will have to become part of a script to ensure LE updates going forward. HAProxy does not work with LE because HAProxy requires the cert to be in a single combined file and LE doesn't do that. 
- 
 Hrm. my ctrl+R search shows I did it right into the directory. But I did manually copy it once first. I bet overwriting does not fix SELinux context?
 cat /etc/letsencrypt/live/pbx.domain.com/fullchain.pem /etc/letsencrypt/live/pbx.domain.com/privkey.pem > /etc/haproxy/certs/pbx.domain.com.pem
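The suspicion in the post above is right: redirecting `cat` output onto an existing file truncates and rewrites the same inode, so the label the file already carries (here `admin_home_t`, picked up when it was first created under /root and then moved with `mv`, which keeps the source label) is left alone. A file created fresh in the destination directory inherits that directory's label instead. The deploy hook below is an added example, not a script from the thread or from HAProxy or certbot; it builds the combined PEM in place, stages through a temporary file in the same directory so the final rename never crosses directories, and re-applies the file-context database label with `restorecon` where SELinux is live. The destination directory and the use of certbot's `RENEWED_LINEAGE` variable are this example's assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: a Let's Encrypt deploy hook that builds
# the single combined PEM HAProxy wants and writes it directly into the destination
# directory. A file created there inherits that directory's SELinux label; a file
# created under /root and then mv'd keeps admin_home_t, which is the denial seen
# above. All paths are assumptions for this illustration.

# build_haproxy_pem FULLCHAIN PRIVKEY DEST
# Concatenate FULLCHAIN and PRIVKEY into DEST, staging through a temporary file in
# DEST's own directory so the final rename stays inside one directory and the
# label inherited from that directory is kept. Returns non-zero on any failure and
# never leaves a half-written staging file behind.
build_haproxy_pem() {
    fullchain=$1 privkey=$2 dest=$3
    destdir=$(dirname "$dest")
    [ -d "$destdir" ] || return 1
    # mktemp creates the staging file mode 0600, so the key is never readable by others
    tmp=$(mktemp "$destdir/.pem.XXXXXX") || return 1
    if ! cat "$fullchain" "$privkey" > "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    chmod 600 "$tmp" && mv -f "$tmp" "$dest" || { rm -f "$tmp"; return 1; }
    # Re-apply the label from the file-context database, only where SELinux is live.
    if command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled 2>/dev/null; then
        restorecon -v "$dest"
    fi
}

# When run by certbot as --deploy-hook, RENEWED_LINEAGE names the renewed
# /etc/letsencrypt/live/<name> directory (certbot sets this variable; the
# destination directory below is this example's assumption).
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    build_haproxy_pem "$RENEWED_LINEAGE/fullchain.pem" "$RENEWED_LINEAGE/privkey.pem" \
        "/etc/haproxy/certs/$(basename "$RENEWED_LINEAGE").pem"
fi
```

After the hook runs, `ls -Z` on the destination should show the same type as the other certificates in that directory; if it does not, `matchpathcon` on the path tells you what the policy expects there, and `restorecon -v` reports what it changed.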
- 
 Cleared the audit log (moved it) and then rebooted the server again. Only this now. No idea what this means. Does anyone else?
 [root@exchangeproxy ~]# sealert -a /var/log/audit/audit.log
 100% done
 found 1 alerts in /var/log/audit/audit.log
 --------------------------------------------------------------------------------

 SELinux is preventing haproxy-systemd from execute_no_trans access on the file /usr/sbin/haproxy.

 *****  Plugin catchall (100. confidence) suggests   **************************

 If you believe that haproxy-systemd should be allowed execute_no_trans access on the haproxy file by default.
 Then you should report this as a bug.
 You can generate a local policy module to allow this access.
 Do
 allow this access for now by executing:
 # ausearch -c 'haproxy-systemd' --raw | audit2allow -M my-haproxysystemd
 # semodule -X 300 -i my-haproxysystemd.pp

 Additional Information:
 Source Context                system_u:system_r:haproxy_t:s0
 Target Context                system_u:object_r:haproxy_exec_t:s0
 Target Objects                /usr/sbin/haproxy [ file ]
 Source                        haproxy-systemd
 Source Path                   haproxy-systemd
 Port                          <Unknown>
 Host                          <Unknown>
 Source RPM Packages
 Target RPM Packages           haproxy-1.7.9-1.fc26.x86_64
 Policy RPM                    selinux-policy-3.13.1-260.13.fc26.noarch
 Selinux Enabled               True
 Policy Type                   targeted
 Enforcing Mode                Enforcing
 Host Name                     exchangeproxy.domain.local
 Platform                      Linux exchangeproxy.domain.local 4.13.9-200.fc26.x86_64 #1 SMP Mon Oct 23 13:52:45 UTC 2017 x86_64 x86_64
 Alert Count                   1
 First Seen                    2017-11-27 18:33:37 CST
 Last Seen                     2017-11-27 18:33:37 CST
 Local ID                      39e99f05-e873-4b45-bbdb-029da98dac90

 Raw Audit Messages
 type=AVC msg=audit(1511829217.493:100): avc: denied { execute_no_trans } for pid=630 comm="haproxy-systemd" path="/usr/sbin/haproxy" dev="dm-0" ino=8718069 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:haproxy_exec_t:s0 tclass=file permissive=0

 Hash: haproxy-systemd,haproxy_t,haproxy_exec_t,file,execute_no_trans
 [root@exchangeproxy ~]#
- 
 Obviously, I can run the above audit2allow and make it work, but that doesn't help me with the next install. I have to make it fail once and install setroubleshoot before I can fix it under that scenario.
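The two denials in this thread look alike in sealert but call for different fixes: the cert denial targets a file labelled `admin_home_t`, a home-directory type that has no business on a file HAProxy reads, so relabelling (or recreating the file in place) is the cure; the `execute_no_trans` denial targets `/usr/sbin/haproxy` labelled `haproxy_exec_t`, which is exactly the label that path should carry, so the problem is the loaded policy, not the file. The script below is an added example, not from the thread or from the setroubleshoot project; it pulls the permission, source type, target type and class out of a raw AVC line and applies that distinction. The two sample lines are the denials quoted above, and the triage rule (home-directory target type means relabel, anything else means look at the policy) is this example's own assumption; it handles single-permission lines only, which is what this thread shows.

```shell
#!/bin/sh
# Added example, not from the thread: split an AVC denial line into its parts and
# say which kind of fix it points at. The two sample lines are the denials quoted
# in this thread; the triage rule is this example's own assumption: a target type
# that belongs to a home directory means the file was created or moved from there
# and wants relabelling, any other type is treated as a gap in the loaded policy.

SAMPLE_CERT_AVC='type=AVC msg=audit(1510032895.947:1476): avc: denied { read } for pid=28096 comm="haproxy" name="ssub.domain.com.pem" dev="dm-0" ino=16962980 scontext=system_u:system_r:haproxy_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=1'
SAMPLE_EXEC_AVC='type=AVC msg=audit(1511829217.493:100): avc: denied { execute_no_trans } for pid=630 comm="haproxy-systemd" path="/usr/sbin/haproxy" dev="dm-0" ino=8718069 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:haproxy_exec_t:s0 tclass=file permissive=0'

# avc_fields: read AVC lines on stdin, print "PERM SOURCE_TYPE TARGET_TYPE CLASS"
# per line. Only the type field of each context (third colon-separated part) is
# kept; lines with several permissions in one { } set are not matched.
avc_fields() {
    sed -n 's/.*denied *{ *\([^ }]*\) *}.*scontext=[^:]*:[^:]*:\([^:]*\):.*tcontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([^ ]*\).*/\1 \2 \3 \4/p'
}

# avc_triage: read one AVC line on stdin, print a one-line verdict starting with
# "relabel:" or "policy:"; prints "unparsed" and fails for anything else.
avc_triage() {
    set -- $(avc_fields)
    [ $# -eq 4 ] || { echo "unparsed"; return 1; }
    case $3 in
        admin_home_t|user_home_t)
            echo "relabel: $2 denied $1 on a $4 labelled $3 (home-directory type); run restorecon -v on the file, or recreate it in place" ;;
        *)
            echo "policy: $2 denied $1 on a $4 labelled $3; the label fits its location, so look for a selinux-policy update before building a local module" ;;
    esac
}

# Demo on the embedded samples when run directly: sh this_file.sh --demo
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_CERT_AVC" | avc_triage
    printf '%s\n' "$SAMPLE_EXEC_AVC" | avc_triage
fi
```

On a live box the same functions take their input from `ausearch -m avc --raw`, one line at a time; a "policy:" verdict is the cue to check `dnf` for a newer selinux-policy before reaching for audit2allow, which is what resolved the second denial in this thread.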
- 
 @jaredbusch said in HAProxy not working with SELinux enforcing: execute_no_trans Ya this is further than I have had to deal with. I think the execute_no_trans has to deal with transitioning from domains. That's all I know about it. I think for that to work you have to define the entrypoint for the type, but I don't know how to do that. 
- 
 What is the context type on the cert vs the content type of the directory? 
- 
 @stacksofplates said in HAProxy not working with SELinux enforcing: What is the context type on the cert vs the content type of the directory? I recreated the cert in the same directory as the other and that problem went away. They are both in /etc/pki/tls/certs now
 -rw-r--r--. 1 root root unconfined_u:object_r:cert_t:s0 5217 Nov 27 18:26 pbx.domain.com.pem
 -rw-------. 1 root root unconfined_u:object_r:cert_t:s0 3659 Oct  9 21:15 remote.domain.com.pem
- 
 @stacksofplates said in HAProxy not working with SELinux enforcing: @jaredbusch said in HAProxy not working with SELinux enforcing: execute_no_trans Ya this is further than I have had to deal with. I think the execute_no_trans has to deal with transitioning from domains. That's all I know about it. I think for that to work you have to define the entrypoint for the type, but I don't know how to do that. Looks like I am not alone. 
 https://bugzilla.redhat.com/show_bug.cgi?id=1447800
- 
 @jaredbusch said in HAProxy not working with SELinux enforcing: @stacksofplates said in HAProxy not working with SELinux enforcing: @jaredbusch said in HAProxy not working with SELinux enforcing: execute_no_trans Ya this is further than I have had to deal with. I think the execute_no_trans has to deal with transitioning from domains. That's all I know about it. I think for that to work you have to define the entrypoint for the type, but I don't know how to do that. Looks like I am not alone.
 https://bugzilla.redhat.com/show_bug.cgi?id=1447800
 and fuck.. it was fixed and pushed live on the 15th. Apparently I never set up this server to auto update...
- 
 @jaredbusch said in HAProxy not working with SELinux enforcing: Apparently I never set up this server to auto update... Ayup.....
 [root@exchangeproxy ~]# dnf -y update
 Last metadata expiration check: 0:08:45 ago on Mon 27 Nov 2017 06:44:36 PM CST.
 Dependencies resolved.
 ==================================================================================================================================
  Package                          Arch          Version                        Repository          Size
 ==================================================================================================================================
 <snip>
 Upgrading:
  selinux-policy                   noarch        3.13.1-260.14.fc26             updates            508 k
  selinux-policy-targeted          noarch        3.13.1-260.14.fc26             updates            9.4 M
 <snip>

 Transaction Summary
 ==================================================================================================================================
 Install   3 Packages
 Upgrade  43 Packages
 Remove    3 Packages