Gentoo Archives: gentoo-commits

From: Sven Vermeulen <swift@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:swift commit in: policy/modules/contrib/
Date: Wed, 02 Dec 2015 15:45:53
Message-Id: 1448286051.476723f5d02b3222109358f99c9d76ede915e71b.swift@gentoo
commit: 476723f5d02b3222109358f99c9d76ede915e71b
Author: Sven Vermeulen <swift <AT> gentoo <DOT> org>
AuthorDate: Sun Nov 22 12:28:43 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Nov 23 13:40:51 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=476723f5

Use fowner for salt_minion_t

Enable the fowner capability for the salt minion so that directory
metadata can be updated (such as the mode).

For instance, when trying to set mode 755 on a directory, the following
came up in the salt minion log (and the operation failed):

2015-11-22 13:18:01,242 [salt.state ][ERROR ][3290] Failed to change mode to 0775

In the audit logs, the following occurred:

type=AVC msg=audit(1448194681.239:118): avc: denied { fowner } for pid=3290 comm="salt-minion" capability=3 scontext=system_u:system_r:salt_minion_t:s0 tcontext=system_u:system_r:salt_minion_t:s0 tclass=capability permissive=0

policy/modules/contrib/salt.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

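The denial quoted in the commit message can be turned into the one-line policy change below mechanically, which is what tools such as audit2allow do. The following Python example is added here and is not part of the commit or of refpolicy: it parses the AVC record, cross-checks the kernel's `capability=3` number against the denied permission name (3 is CAP_FOWNER in `<linux/capability.h>`), and merges the permission into the existing `allow` rule for the same source, target and class instead of emitting a duplicate rule. The AVC line and the pre-commit `allow` rule are copied from this page; the function names are the example's own.

```python
import re
from typing import Any, Dict, Optional

# Capability numbers from <linux/capability.h>, indexed as the kernel prints
# them in the "capability=N" field of an AVC record.
CAPABILITY_NUMBERS = {
    0: "chown", 1: "dac_override", 2: "dac_read_search", 3: "fowner",
    4: "fsetid", 5: "kill", 6: "setgid", 7: "setuid", 8: "setpcap",
    9: "linux_immutable", 10: "net_bind_service", 11: "net_broadcast",
    12: "net_admin", 13: "net_raw", 14: "ipc_lock", 15: "ipc_owner",
    16: "sys_module", 17: "sys_rawio", 18: "sys_chroot", 19: "sys_ptrace",
    20: "sys_pacct", 21: "sys_admin", 22: "sys_boot", 23: "sys_nice",
    24: "sys_resource", 25: "sys_time", 26: "sys_tty_config", 27: "mknod",
    28: "lease", 29: "audit_write", 30: "audit_control", 31: "setfcap",
    32: "mac_override", 33: "mac_admin", 34: "syslog", 35: "wake_alarm",
    36: "block_suspend", 37: "audit_read",
}

# The denial from the commit message, joined onto one line (copied from the
# page, not captured on a live system).
SAMPLE_AVC = (
    'type=AVC msg=audit(1448194681.239:118): avc: denied { fowner } for '
    'pid=3290 comm="salt-minion" capability=3 '
    'scontext=system_u:system_r:salt_minion_t:s0 '
    'tcontext=system_u:system_r:salt_minion_t:s0 tclass=capability permissive=0'
)

# The pre-commit allow rule from salt.te, used as the policy text to merge into.
SAMPLE_POLICY = (
    "allow salt_minion_t self:capability { fsetid chown dac_override "
    "dac_read_search net_admin setgid setuid sys_admin sys_nice sys_tty_config };\n"
)

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Template for an existing allow rule; {src}/{tgt}/{cls} are filled by format(),
# doubled braces are literal regex braces.
ALLOW_RE_TMPL = (
    r"^allow\s+{src}\s+{tgt}:{cls}\s+"
    r"(?:\{{\s*(?P<set>[^}}]*)\}}|(?P<single>\w+))\s*;[ \t]*$"
)


def parse_avc(line: str) -> Optional[Dict[str, Any]]:
    """Split an AVC denial into its permission list and key=value fields."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    record: Dict[str, Any] = {"perms": m.group("perms").split()}
    for key, value in FIELD_RE.findall(m.group("rest")):
        record[key] = value.strip('"')
    return record


def type_of(context: str) -> str:
    """Return the type component of a user:role:type:level security context."""
    return context.split(":")[2]


def capability_matches(record: Dict[str, Any]) -> bool:
    """True when capability=N names the same capability as the denied permission."""
    if record.get("tclass") != "capability" or "capability" not in record:
        return False
    return CAPABILITY_NUMBERS.get(int(record["capability"])) in record["perms"]


def suggest_rule(record: Dict[str, Any]) -> str:
    """Build the minimal allow rule that would permit the denied access."""
    source, target = type_of(record["scontext"]), type_of(record["tcontext"])
    target_expr = "self" if source == target else target
    perms = record["perms"]
    perm_expr = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {source} {target_expr}:{record['tclass']} {perm_expr};"


def merge_rule(policy_text: str, record: Dict[str, Any]) -> str:
    """Fold the denied permissions into an existing rule for the same
    source/target/class; append a new rule only if none exists."""
    source, target = type_of(record["scontext"]), type_of(record["tcontext"])
    target_expr = "self" if source == target else target
    pattern = re.compile(ALLOW_RE_TMPL.format(
        src=re.escape(source), tgt=re.escape(target_expr),
        cls=re.escape(record["tclass"])), re.M)
    m = pattern.search(policy_text)
    if m is None:
        return policy_text + suggest_rule(record) + "\n"
    existing = (m.group("set") or m.group("single")).split()
    merged = existing + [p for p in record["perms"] if p not in existing]
    new_line = f"allow {source} {target_expr}:{record['tclass']} {{ {' '.join(merged)} }};"
    return policy_text[:m.start()] + new_line + policy_text[m.end():]


if __name__ == "__main__":
    rec = parse_avc(SAMPLE_AVC)
    assert rec is not None
    print("capability number agrees with permission:", capability_matches(rec))
    print(suggest_rule(rec))
    print(merge_rule(SAMPLE_POLICY, rec), end="")
```

Running it prints the single-permission rule `allow salt_minion_t self:capability fowner;` and then the existing rule with `fowner` appended to its set, the same change the hunk below makes (the commit author placed `fowner` at the front of the set; order inside the braces is not significant to the policy compiler). The cross-check matters when reading denials by hand: if `capability=N` and the permission name disagree, the record was mis-transcribed.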
30 diff --git a/policy/modules/contrib/salt.te b/policy/modules/contrib/salt.te
31 index 2a4e84d..9a8a4ad 100644
32 --- a/policy/modules/contrib/salt.te
33 +++ b/policy/modules/contrib/salt.te
34 @@ -218,7 +218,7 @@ tunable_policy(`salt_master_read_nfs',`
35 # salt_minion_t policy
36 #
37
38 -allow salt_minion_t self:capability { fsetid chown dac_override dac_read_search net_admin setgid setuid sys_admin sys_nice sys_tty_config };
39 +allow salt_minion_t self:capability { fowner fsetid chown dac_override dac_read_search net_admin setgid setuid sys_admin sys_nice sys_tty_config };
40 allow salt_minion_t self:capability2 block_suspend;
41 allow salt_minion_t self:process { getsched setsched signal signull };
42 allow salt_minion_t self:tcp_socket create_stream_socket_perms;