1 |
commit: 476723f5d02b3222109358f99c9d76ede915e71b |
2 |
Author: Sven Vermeulen <swift <AT> gentoo <DOT> org> |
3 |
AuthorDate: Sun Nov 22 12:28:43 2015 +0000 |
4 |
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org> |
5 |
CommitDate: Mon Nov 23 13:40:51 2015 +0000 |
6 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=476723f5 |
7 |
|
8 |
Use fowner for salt_minion_t |
9 |
|
10 |
Enable the fowner capability for the salt minion so that directory |
11 |
metadata can be updated (such as the mode). |
12 |
|
13 |
For instance, when trying to set mode 755 on a directory, the following |
14 |
came up in the salt minion log (and the operation failed): |
15 |
|
16 |
2015-11-22 13:18:01,242 [salt.state ][ERROR ][3290] Failed to |
17 |
change mode to 0775 |
18 |
|
19 |
In the audit logs, the following occurred: |
20 |
|
21 |
type=AVC msg=audit(1448194681.239:118): avc: denied { fowner } for |
22 |
pid=3290 comm="salt-minion" capability=3 |
23 |
scontext=system_u:system_r:salt_minion_t:s0 |
24 |
tcontext=system_u:system_r:salt_minion_t:s0 tclass=capability |
25 |
permissive=0 |
26 |
|
27 |
policy/modules/contrib/salt.te | 2 +- |
28 |
1 file changed, 1 insertion(+), 1 deletion(-) |
29 |
|
30 |
diff --git a/policy/modules/contrib/salt.te b/policy/modules/contrib/salt.te |
31 |
index 2a4e84d..9a8a4ad 100644 |
32 |
--- a/policy/modules/contrib/salt.te |
33 |
+++ b/policy/modules/contrib/salt.te |
34 |
@@ -218,7 +218,7 @@ tunable_policy(`salt_master_read_nfs',` |
35 |
# salt_minion_t policy |
36 |
# |
37 |
|
38 |
-allow salt_minion_t self:capability { fsetid chown dac_override dac_read_search net_admin setgid setuid sys_admin sys_nice sys_tty_config }; |
39 |
+allow salt_minion_t self:capability { fowner fsetid chown dac_override dac_read_search net_admin setgid setuid sys_admin sys_nice sys_tty_config }; |
40 |
allow salt_minion_t self:capability2 block_suspend; |
41 |
allow salt_minion_t self:process { getsched setsched signal signull }; |
42 |
allow salt_minion_t self:tcp_socket create_stream_socket_perms; |