From a7c1ed971d72bc15825579a7b7302356e87ee06a Mon Sep 17 00:00:00 2001
From: Major Hayden
Date: Tue, 27 Sep 2016 15:17:32 -0500
Subject: [PATCH] Allow haproxy to bind to any port in CentOS

This patch allows haproxy to bind to any port without SELinux denying the access. Although this isn't ideal, we can load up some custom SELinux policy later and turn this boolean off.

Closes-bug: 1628266
Change-Id: I3cdbf25c90b2c06d9698e1cd9679d04e5690e367
---
 bindep.txt | 1 +
 .../haproxy-selinux-all-ports-4094eed48f2bfbca.yaml | 4 ++++
 tasks/haproxy_service_config.yml | 12 ++++++++++++
 3 files changed, 17 insertions(+)
 create mode 100644 releasenotes/notes/haproxy-selinux-all-ports-4094eed48f2bfbca.yaml

diff --git a/bindep.txt b/bindep.txt
index fe58925..d860543 100644
--- a/bindep.txt
+++ b/bindep.txt
@@ -28,6 +28,7 @@ openssl-devel [platform:rpm]
 
 # For SELinux
 libselinux-python [platform:rpm]
+libsemanage-python [platform:rpm]
 
 # For SSL SNI support
 python-pyasn1 [platform:dpkg]
diff --git a/releasenotes/notes/haproxy-selinux-all-ports-4094eed48f2bfbca.yaml b/releasenotes/notes/haproxy-selinux-all-ports-4094eed48f2bfbca.yaml
new file mode 100644
index 0000000..f4bbe99
--- /dev/null
+++ b/releasenotes/notes/haproxy-selinux-all-ports-4094eed48f2bfbca.yaml
@@ -0,0 +1,4 @@
+---
+fixes:
+ - The haproxy daemon is now able to bind to any port on CentOS 7. The
+ ``haproxy_connect_any`` SELinux boolean is now set to ``on``.
diff --git a/tasks/haproxy_service_config.yml b/tasks/haproxy_service_config.yml
index 0afa280..2b7820a 100644
--- a/tasks/haproxy_service_config.yml
+++ b/tasks/haproxy_service_config.yml
@@ -27,3 +27,15 @@
 notify: Restart haproxy
 tags:
 - haproxy-service-config
+
+- name: Prevent SELinux from preventing haproxy from binding to arbitrary ports
+ seboolean:
+ name: haproxy_connect_any
+ state: yes
+ persistent: yes
+ tags:
+ - haproxy-service-config
+ notify:
+ - Restart haproxy
+ when:
+ - ansible_pkg_mgr == 'yum'
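Review bot: The new seboolean task in tasks/haproxy_service_config.yml is gated only on `ansible_pkg_mgr == 'yum'`, so it also runs on CentOS hosts where SELinux is disabled, and as far as I recall the seboolean module fails on such a host instead of skipping; adding a second condition under `when:`, `- ansible_selinux.status == 'enabled'`, would keep the play working there. Separately, `haproxy_connect_any` is, going by its name and the release note, a broad grant that is not limited to the ports this role actually configures, and the intent stated in the commit message to replace it with a custom policy later lives only in the commit; a comment on the task such as `# Broad grant: haproxy_connect_any allows any port. Temporary until a targeted SELinux policy module replaces it.` would keep that caveat next to the code. The `persistent: yes` setting relies on libsemanage-python, which the bindep.txt hunk adds, so that part is consistent.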