public inbox for gentoo-commits@lists.gentoo.org
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
From: Jason Zaman @ 2015-11-23 13:42 UTC
  To: gentoo-commits

commit:     476723f5d02b3222109358f99c9d76ede915e71b
Author:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
AuthorDate: Sun Nov 22 12:28:43 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Nov 23 13:40:51 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=476723f5

Use fowner for salt_minion_t

Enable the fowner capability for the salt minion so that directory
metadata can be updated (such as the mode).

For instance, when trying to set mode 755 on a directory, the following
came up in the salt minion log (and the operation failed):

  2015-11-22 13:18:01,242 [salt.state       ][ERROR   ][3290] Failed to
  change mode to 0775

In the audit logs, the following occurred:

  type=AVC msg=audit(1448194681.239:118): avc:  denied  { fowner } for
  pid=3290 comm="salt-minion" capability=3
  scontext=system_u:system_r:salt_minion_t:s0
  tcontext=system_u:system_r:salt_minion_t:s0 tclass=capability
  permissive=0

 policy/modules/contrib/salt.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/contrib/salt.te b/policy/modules/contrib/salt.te
index 2a4e84d..9a8a4ad 100644
--- a/policy/modules/contrib/salt.te
+++ b/policy/modules/contrib/salt.te
@@ -218,7 +218,7 @@ tunable_policy(`salt_master_read_nfs',`
 # salt_minion_t policy
 #
 
-allow salt_minion_t self:capability { fsetid chown dac_override dac_read_search net_admin setgid setuid sys_admin sys_nice sys_tty_config };
+allow salt_minion_t self:capability { fowner fsetid chown dac_override dac_read_search net_admin setgid setuid sys_admin sys_nice sys_tty_config };
 allow salt_minion_t self:capability2 block_suspend;
 allow salt_minion_t self:process { getsched setsched signal signull };
 allow salt_minion_t self:tcp_socket create_stream_socket_perms;
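Review bot: the added `fowner` in the `+allow salt_minion_t self:capability { ... }` line matches the quoted AVC exactly (capability=3 is CAP_FOWNER, comm="salt-minion", scontext and tcontext both salt_minion_t, tclass=capability, permissive=0), and it is in keeping with the `chown` and `dac_override` the domain already holds, so the grant itself looks right; the only thing missing is a short comment above the rule saying that fowner is needed for chmod on directories the minion does not own, because once this is merged nothing in salt.te records why the capability set grew, and the set is not kept in any order that would make the addition obvious on a later read.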


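The commit message above pairs an AVC denial with the policy line that fixes it. The following is an added example, not part of the gentoo-commits message or of the refpolicy project: it parses the AVC record quoted in the message (the wrapped lines are joined first), resolves the numeric `capability=` field to its name using the kernel's capability numbering, and checks whether the `allow salt_minion_t self:capability` rule before and after the patch covers the denied permission. The rule text and the AVC record are copied from this page; the helper names are this example's own.

```python
"""Check whether an SELinux AVC capability denial is covered by a refpolicy
allow rule.  Added example; the inputs below are the AVC record and the
salt.te lines quoted in the commit mail."""
import re

# Linux capability numbers as used in the AVC 'capability=N' field
# (from <linux/capability.h>); only the entries needed here are listed.
CAPABILITY_NAMES = {
    0: "chown", 1: "dac_override", 2: "dac_read_search", 3: "fowner",
    4: "fsetid", 5: "kill", 6: "setgid", 7: "setuid", 8: "setpcap",
    12: "net_admin", 21: "sys_admin", 23: "sys_nice", 26: "sys_tty_config",
    36: "block_suspend",
}

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<fields>.*)"
)
ALLOW_RE = re.compile(
    r"^\s*allow\s+(?P<src>\S+)\s+(?P<tgt>\S+):(?P<cls>\S+)\s+"
    r"(?:\{\s*(?P<set>[^}]+)\}|(?P<single>\S+))\s*;"
)

# AVC record as it appears in the commit message (wrapped by the mailer).
AVC_RECORD = """type=AVC msg=audit(1448194681.239:118): avc:  denied  { fowner } for
  pid=3290 comm="salt-minion" capability=3
  scontext=system_u:system_r:salt_minion_t:s0
  tcontext=system_u:system_r:salt_minion_t:s0 tclass=capability
  permissive=0"""

# The salt_minion_t rules before and after the patch (diff markers removed).
RULES_BEFORE = """allow salt_minion_t self:capability { fsetid chown dac_override dac_read_search net_admin setgid setuid sys_admin sys_nice sys_tty_config };
allow salt_minion_t self:capability2 block_suspend;
allow salt_minion_t self:process { getsched setsched signal signull };"""
RULES_AFTER = """allow salt_minion_t self:capability { fowner fsetid chown dac_override dac_read_search net_admin setgid setuid sys_admin sys_nice sys_tty_config };
allow salt_minion_t self:capability2 block_suspend;
allow salt_minion_t self:process { getsched setsched signal signull };"""


def parse_avc(record):
    """Return the denied permissions, the key=value fields, and, for a
    capability denial, the capability name resolved from its number."""
    text = " ".join(record.split())  # undo the mail's line wrapping
    m = AVC_RE.search(text)
    if not m:
        raise ValueError("not an AVC denial record")
    fields = {k: v.strip('"') for k, v in re.findall(r"(\w+)=(\S+)", m.group("fields"))}
    info = {"perms": m.group("perms").split(), "fields": fields}
    if "capability" in fields:
        info["capability_name"] = CAPABILITY_NAMES.get(int(fields["capability"]))
    return info


def parse_allow_rules(te_text):
    """Return (source, target, class, set-of-perms) for each allow rule."""
    rules = []
    for line in te_text.splitlines():
        m = ALLOW_RE.match(line)
        if not m:
            continue
        perms = m.group("set").split() if m.group("set") else [m.group("single")]
        rules.append((m.group("src"), m.group("tgt"), m.group("cls"), set(perms)))
    return rules


def denial_covered(avc, te_text):
    """True if some allow rule grants every denied permission for the
    source type, target type and class named in the AVC record."""
    src_type = avc["fields"]["scontext"].split(":")[2]
    tgt_type = avc["fields"]["tcontext"].split(":")[2]
    cls = avc["fields"]["tclass"]
    needed = set(avc["perms"])
    for src, tgt, rcls, perms in parse_allow_rules(te_text):
        # 'self' as target means the rule's source type is also its target
        tgt_ok = tgt == tgt_type or (tgt == "self" and src_type == tgt_type)
        if src == src_type and tgt_ok and rcls == cls and needed <= perms:
            return True
    return False


def check_patch():
    """Summarise the denial and whether the old and new rules cover it."""
    avc = parse_avc(AVC_RECORD)
    return {
        "denied": avc["perms"],
        "capability_name": avc.get("capability_name"),
        "before": denial_covered(avc, RULES_BEFORE),
        "after": denial_covered(avc, RULES_AFTER),
    }


if __name__ == "__main__":
    print(check_patch())
```

The name resolved from `capability=3` is compared against the permission in the braces as a consistency check on the record itself; the coverage check then confirms the pre-patch rule lacks `fowner` and the post-patch rule grants it, which is the same question a reviewer answers by eye when reading the hunk.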
