* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
@ 2015-11-23 13:42 99% Jason Zaman
0 siblings, 0 replies; 1+ results
From: Jason Zaman @ 2015-11-23 13:42 UTC (permalink / raw
To: gentoo-commits
commit: 476723f5d02b3222109358f99c9d76ede915e71b
Author: Sven Vermeulen <swift <AT> gentoo <DOT> org>
AuthorDate: Sun Nov 22 12:28:43 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Nov 23 13:40:51 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=476723f5
Use fowner for salt_minion_t
Enable the fowner capability for the salt minion so that directory
metadata can be updated (such as the mode).
For instance, when trying to set mode 755 on a directory, the following
came up in the salt minion log (and the operation failed):
2015-11-22 13:18:01,242 [salt.state ][ERROR ][3290] Failed to
change mode to 0775
In the audit logs, the following occurred:
type=AVC msg=audit(1448194681.239:118): avc: denied { fowner } for
pid=3290 comm="salt-minion" capability=3
scontext=system_u:system_r:salt_minion_t:s0
tcontext=system_u:system_r:salt_minion_t:s0 tclass=capability
permissive=0
policy/modules/contrib/salt.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/salt.te b/policy/modules/contrib/salt.te
index 2a4e84d..9a8a4ad 100644
--- a/policy/modules/contrib/salt.te
+++ b/policy/modules/contrib/salt.te
@@ -218,7 +218,7 @@ tunable_policy(`salt_master_read_nfs',`
# salt_minion_t policy
#
-allow salt_minion_t self:capability { fsetid chown dac_override dac_read_search net_admin setgid setuid sys_admin sys_nice sys_tty_config };
+allow salt_minion_t self:capability { fowner fsetid chown dac_override dac_read_search net_admin setgid setuid sys_admin sys_nice sys_tty_config };
allow salt_minion_t self:capability2 block_suspend;
allow salt_minion_t self:process { getsched setsched signal signull };
allow salt_minion_t self:tcp_socket create_stream_socket_perms;
^ permalink raw reply related [relevance 99%]
Results 1-1 of 1 | reverse | options above
-- pct% links below jump to the message on this page, permalinks otherwise --
2015-11-23 13:42 99% [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/ Jason Zaman
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox