Allow haproxy to bind to any port in CentOS

This patch allows haproxy to bind to any port without SELinux denying the access. Although this isn't ideal, we can load up some custom SELinux policy later and turn this boolean off. Closes-bug: 1628266 Change-Id: I3cdbf25c90b2c06d9698e1cd9679d04e5690e367
2016-09-27 15:17:32 -05:00 · 2016-09-27 15:17:32 -05:00 · a7c1ed971d
commit a7c1ed971d
parent 6bf9f72502
3 changed files with 17 additions and 0 deletions
--- a/bindep.txt
+++ b/bindep.txt
@ -28,6 +28,7 @@ openssl-devel     [platform:rpm]

 # For SELinux
 libselinux-python [platform:rpm]
+libsemanage-python [platform:rpm]

 # For SSL SNI support
 python-pyasn1               [platform:dpkg]
--- a/releasenotes/notes/haproxy-selinux-all-ports-4094eed48f2bfbca.yaml
+++ b/releasenotes/notes/haproxy-selinux-all-ports-4094eed48f2bfbca.yaml
@ -0,0 +1,4 @@
+---
+fixes:
+  - The haproxy daemon is now able to bind to any port on CentOS 7. The
+    ``haproxy_connect_any`` SELinux boolean is now set to ``on``.
--- a/tasks/haproxy_service_config.yml
+++ b/tasks/haproxy_service_config.yml
@ -27,3 +27,15 @@
  notify: Restart haproxy
  tags:
    - haproxy-service-config
+
+- name: Prevent SELinux from preventing haproxy from binding to arbitrary ports
+  seboolean:
+    name: haproxy_connect_any
+    state: yes
+    persistent: yes
+  tags:
+    - haproxy-service-config
+  notify:
+    - Restart haproxy
+  when:
+    - ansible_pkg_mgr == 'yum'