Caddy: Selinux policy prevents caddy start

Created on 15 Jun 2018  路  11Comments  路  Source: caddyserver/caddy

1. What version of Caddy are you using (caddy -version)?

Caddy 0.11.0 (unofficial)

Fedora release 27 (Twenty Seven)

Name         : selinux-policy-targeted
Version      : 3.13.1
Release      : 283.34.fc27

2. What are you trying to do?

Start caddy after a yum update

3. What is your entire Caddyfile?

example.com {
    root /var/www/com.example
    import always.conf
    import tls.conf

    # not really relevant to this bug
}

4. How did you run Caddy (give the full command and describe the execution environment)?

Systemd unit (note override to add quic at the bottom):

# /usr/lib/systemd/system/caddy.service
[Unit]
Description=Caddy HTTP/2 web server
Documentation=https://caddyserver.com/docs
After=network.target

[Service]
User=caddy
Group=caddy
Environment=CADDYPATH=/var/lib/caddy
EnvironmentFile=-/etc/caddy/envfile
ExecStartPre=/usr/bin/caddy -conf /etc/caddy/caddy.conf -validate
ExecStart=/usr/bin/caddy -conf /etc/caddy/caddy.conf -log stdout -root /tmp -agree
ExecReload=/usr/bin/kill -USR1 $MAINPID
KillMode=mixed
KillSignal=SIGQUIT
TimeoutStopSec=5s
LimitNOFILE=1048576
LimitNPROC=512
PrivateTmp=true
ProtectHome=true
ProtectSystem=strict
ReadWriteDirectories=/var/lib/caddy
AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target

# /etc/systemd/system/caddy.service.d/override.conf
[Service]
ExecStart=
ExecStart=/usr/bin/caddy -conf /etc/caddy/caddy.conf -log stdout -root /tmp -quic -agree

5. Please paste any relevant HTTP request(s) here.

Not relevant

6. What did you expect to see?

Caddy should start

7. What did you see instead (give full error messages and/or log)?

These alerts remain in the selinux auth.log:

avc:  denied  { mounton } for  pid=6534 comm="(caddy)" path="/var/lib/caddy" dev="vda1" ino=270438 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_var_lib_t:s0 tclass=dir permissive=0
avc:  denied  { read } for  pid=6534 comm="caddy" name="somaxconn" dev="proc" ino=18026 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=0
avc:  denied  { mounton } for  pid=6540 comm="(caddy)" path="/var/lib/caddy" dev="vda1" ino=270438 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:httpd_var_lib_t:s0 tclass=dir permissive=0
avc:  denied  { read } for  pid=6540 comm="caddy" name="somaxconn" dev="proc" ino=18026 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=0

To fix it the unable to start problem, i have done the following:

  • semanage port -a -t http_port_t -p udp 80
  • semanage port -a -t http_port_t -p udp 443

because of:

avc:  denied  { name_bind } for  pid=6143 comm="caddy" src=80 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=udp_socket permissive=0
avc:  denied  { name_bind } for  pid=6225 comm="caddy" src=443 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=udp_socket permissive=0

and also:

  • semanage boolean -m --on httpd_graceful_shutdown

because of:

avc:  denied  { name_connect } for  pid=6143 comm="caddy" dest=80 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0

The server starts now but audit2allow is suggesting this fix to silence the remaining denies:

#============= httpd_t ==============
allow httpd_t sysctl_net_t:file read;

#============= init_t ==============
allow init_t httpd_var_lib_t:dir mounton;

8. How can someone who is starting from scratch reproduce the bug as minimally as possible?

Probably a clean fedora 27, install caddy, observe startup failure, might need to enable quic

picture Gunni

Most helpful comment

No worries, I just don't want @mholt to get burned out on issues related to the packages that aren't really upstream issues. Selinux stuff is 100% on the distro. Right now I'm re-using the httpd types and policy, but if enough difference pop up that I can't handle with booleans then it may be worth creating a caddy policy.

picture carlwgeorge on 25 Jul 2018
3 👍2

All 11 comments

On a related note, why does quic listen on udp/80?

Gunni picture Gunni on 15 Jun 2018

I don't know anything about selinux. What does this have to do with Caddy, exactly? Other than the fact that selinux is apparently blocking Caddy from functioning?

On a related note, why does quic listen on udp/80?

Great question. Everything I can find on this suggests that it helps client to bypass transparent proxies.

mholt picture mholt on 15 Jun 2018

Just fix the denials

anupritaisno1 picture anupritaisno1 on 15 Jun 2018

Me "just fixing the denials" helps noone but me, and others that use caddy would hid the same problem.

I believe there needs to be a bug made against the RHEL selinux-policy to fix it since caddy is diverging from the httpd_t rules.

Allowing QUIC ports makes sense for httpd_t IMO. Allowing the server to create outbound connections, although i'm not sure how the LE api and stapling works without it.

Gunni picture Gunni on 15 Jun 2018

Thanks for thinking about this -- it's probably a good idea to see if selinux will fix the policy, so I'm going to close this issue since there doesn't seem to be anything actionable for us to do with Caddy related to this.

mholt picture mholt on 15 Jun 2018

@mholt it's too much of a trouble anyway

Besides selinux is supposed to secure your system, if you go on opening every hole even if it's through a toggle or a command the results would be catastrophic

Those who use selinux should know how to deal with it

Not to mention I've never really seen a distro maintaining selinux correctly. It's always a half-done mess

anupritaisno1 picture anupritaisno1 on 15 Jun 2018

@Gunni I'm the package maintainer for the Fedora caddy packages. Any issues with those packages should be filed on https://bugzilla.redhat.com first using the caddy component, and either the Fedora or Fedora EPEL product. If it appears to be an upstream issue we can then open an issue here on GitHub as well.

@mholt Feel free to mention me on any future issues related to the RPMs so I see them sooner.

carlwgeorge picture carlwgeorge on 25 Jul 2018
2 👍2

@carlwgeorge Hey, i'm sorry, it didn't even occur to me to post it there. I'll check there now and post it there if it's not already there.

Edit: Posted https://bugzilla.redhat.com/show_bug.cgi?id=1608548

Gunni picture Gunni on 25 Jul 2018

No worries, I just don't want @mholt to get burned out on issues related to the packages that aren't really upstream issues. Selinux stuff is 100% on the distro. Right now I'm re-using the httpd types and policy, but if enough difference pop up that I can't handle with booleans then it may be worth creating a caddy policy.

carlwgeorge picture carlwgeorge on 25 Jul 2018
3 👍2

@carlwgeorge Bless you, laddie. 馃槆Thanks for taking care of that!

mholt picture mholt on 27 Jul 2018
👍1

In case anyone else runs across this and doesn't bother to open the bugzilla, this should be fixed in the caddy-0.11.0-3 package (EL7, F27, F28, F29).

carlwgeorge picture carlwgeorge on 24 Oct 2018
1
Was this page helpful?
0 / 5 - 0 ratings

Related issues

mschneider82 picture mschneider82  路  3Comments
la0wei picture la0wei  路  3Comments
billop picture billop  路  3Comments
dafanasiev picture dafanasiev  路  3Comments
lorddaedra picture lorddaedra  路  3Comments