Hi all,

I'm load balancing 4 mysql databases using HAProxy. The setup seems to be working pretty well. Except I keep seeing these messages turning up in syslog:

Mar 12 22:11:31 db1 kernel: [6058125.959624] type=1400 audit(1457820691.824:3029129): avc: denied { name_connect } for pid=801 comm="haproxy" dest=7778 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:interwise_port_t:s0 tclass=tcp_socket

It looks like SELinux is denying haproxy the ability to connect to the database. I haven't seen any real problems on the site that uses the database. But I was just wondering if this message looks familiar to anyone. Or if it looks like something I should try to correct.

I tried grepping through audit.log for haproxy and piping it to audit2why, but I don't get any useful response back:

[root@db1:~] #grep haproxy /var/log/audit/audit.log | audit2why -M haproxy
Nothing to do

I'm open to your thoughts and opinions!

Thanks,
Tim

--
GPG me!!
gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B

On 12.03.2016 at 23:18, Tim Dunphy wrote:
> Hi all,
>
> I'm load balancing 4 mysql databases using HAProxy. The setup seems to be
> working pretty well. Except I keep seeing these messages turning up in
> syslog:
>
>
> Mar 12 22:11:31 db1 kernel: [6058125.959624] type=1400
> audit(1457820691.824:3029129): avc: denied { name_connect } for pid=801
> comm="haproxy" dest=7778 scontext=system_u:system_r:haproxy_t:s0
> tcontext=system_u:object_r:interwise_port_t:s0 tclass=tcp_socket
>
> It looks like SELinux is denying haproxy the ability to connect to the
> database. I haven't seen any real problems on the site that uses the
> database. But I was just wondering if this message looks familiar to
> anyone. Or if it looks like something I should try to correct.
>
> I tried grepping through audit.log for haproxy and piping it to audit2why,
> but I don't get any useful response back:
>
> [root@db1:~] #grep haproxy /var/log/audit/audit.log | audit2why -M haproxy
> Nothing to do
>
> I'm open to your thoughts and opinions!
>
> Thanks,
> Tim

setsebool -P haproxy_connect_any 1

Alexander

For more information: https://www.mankier.com/8/haproxy_selinux

On Sun, Mar 13, 2016 at 2:05 AM, Alexander Dalloz <ad+lists at uni-x.org> wrote:
> On 12.03.2016 at 23:18, Tim Dunphy wrote:
>
>> Hi all,
>>
>> I'm load balancing 4 mysql databases using HAProxy. The setup seems to be
>> working pretty well. Except I keep seeing these messages turning up in
>> syslog:
>>
>>
>> Mar 12 22:11:31 db1 kernel: [6058125.959624] type=1400
>> audit(1457820691.824:3029129): avc: denied { name_connect } for pid=801
>> comm="haproxy" dest=7778 scontext=system_u:system_r:haproxy_t:s0
>> tcontext=system_u:object_r:interwise_port_t:s0 tclass=tcp_socket
>>
>> It looks like SELinux is denying haproxy the ability to connect to the
>> database. I haven't seen any real problems on the site that uses the
>> database. But I was just wondering if this message looks familiar to
>> anyone. Or if it looks like something I should try to correct.
>>
>> I tried grepping through audit.log for haproxy and piping it to audit2why,
>> but I don't get any useful response back:
>>
>> [root@db1:~] #grep haproxy /var/log/audit/audit.log | audit2why -M
>> haproxy
>> Nothing to do
>>
>> I'm open to your thoughts and opinions!
>>
>> Thanks,
>> Tim
>>
>
>
> setsebool -P haproxy_connect_any 1
>
> Alexander
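
Added example, not part of the thread: a small Python parser for kernel-printed AVC denials like the one quoted above. It groups repeated denials by source domain, permission, target type and port, so it is clear exactly which access a boolean such as haproxy_connect_any would open up. The function names and the second and third sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Sample input: line 1 is the denial quoted in the thread; line 2 is a
# constructed repeat with a later timestamp; line 3 is constructed noise.
SAMPLE_LOG = """\
Mar 12 22:11:31 db1 kernel: [6058125.959624] type=1400 audit(1457820691.824:3029129): avc: denied { name_connect } for pid=801 comm="haproxy" dest=7778 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:interwise_port_t:s0 tclass=tcp_socket
Mar 12 22:11:33 db1 kernel: [6058127.101010] type=1400 audit(1457820693.100:3029130): avc: denied { name_connect } for pid=801 comm="haproxy" dest=7778 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:interwise_port_t:s0 tclass=tcp_socket
Mar 12 22:11:34 db1 sshd[1200]: Accepted publickey for root from 192.0.2.10 port 50000 ssh2
"""

AVC_RE = re.compile(
    r"audit\((?P<epoch>\d+\.\d+):(?P<serial>\d+)\): avc:\s+denied\s+"
    r"\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value optionally quoted

def parse_avc(line):
    """Return a dict of AVC fields, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["perms"] = m.group("perms").split()
    rec["epoch"] = float(m.group("epoch"))
    rec["serial"] = int(m.group("serial"))
    # SELinux contexts are user:role:type:level; the type is the third field
    for key in ("scontext", "tcontext"):
        parts = rec.get(key, "").split(":")
        rec[key + "_type"] = parts[2] if len(parts) >= 3 else None
    return rec

def summarize(text):
    """Count denials per (comm, source type, perms, target type, class, port)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            counts[(rec.get("comm"), rec["scontext_type"], tuple(rec["perms"]),
                    rec["tcontext_type"], rec.get("tclass"), rec.get("dest"))] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).items():
        print(n, key)
```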