commit: e37615c40f756dcaf85c7d5f2d1bd904f898f721
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Aug 2 19:01:11 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Aug 2 19:01:11 2015 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e37615c4
A whole slew before master is started correctly
Without these changes, subprocesses of the salt master keep
crashing/exiting without any sign. Although the denials are extremely
frequent (as the main salt master restarts those processes over and over
again) there is no information in the salt logs that points to anything.
After allowing these operations (which mostly consist of reading information),
the salt master starts fine.
policy/modules/contrib/salt.te | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/policy/modules/contrib/salt.te b/policy/modules/contrib/salt.te
index c00aa50..0f3dba4 100644
--- a/policy/modules/contrib/salt.te
+++ b/policy/modules/contrib/salt.te
@@ -99,7 +99,7 @@ files_pid_file(salt_var_run_t)
# salt_master_t policy
#
-allow salt_master_t self:capability { net_admin sys_admin sys_tty_config };
+allow salt_master_t self:capability { net_admin sys_admin sys_nice
sys_tty_config };
allow salt_master_t self:capability2 block_suspend;
allow salt_master_t self:process { getsched setsched signal };
allow salt_master_t self:tcp_socket create_stream_socket_perms;
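Review bot: The new `sys_nice` capability on the `allow salt_master_t self:capability` line is the one addition in this commit that is not a read, yet the commit message describes the set as mainly reading information and the line carries no explanation. `sys_nice` allows scheduling/priority changes beyond what the existing `self:process { getsched setsched }` rule covers, so a reader later cannot tell whether it was needed for the master's own worker processes or something broader. A short comment above the rule naming the denial that prompted it would make the grant auditable, e.g. `# sys_nice: <operation from the observed denial>` (placeholder, to be filled from the audit log). The note is one of documentation only; the rule itself looks consistent with the surrounding style.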
@@ -167,6 +167,7 @@ files_pid_filetrans(salt_master_t, salt_var_run_t, dir)
files_pid_filetrans(salt_master_t, salt_master_var_run_t, file,
"salt-master.pid")
kernel_read_network_state(salt_master_t)
+kernel_read_software_raid_state(salt_master_t)
kernel_read_system_state(salt_master_t)
corecmd_exec_bin(salt_master_t)
@@ -189,7 +190,16 @@ fs_getattr_tmpfs(salt_master_t)
getty_use_fds(salt_master_t)
+init_exec(salt_master_t)
+init_read_state(salt_master_t)
+
+libs_exec_ldconfig(salt_master_t)
+
miscfiles_read_localization(salt_master_t)
+miscfiles_read_generic_certs(salt_master_t)
+
+selinux_get_enforce_mode(salt_master_t)
+selinux_getattr_fs(salt_master_t)
sysnet_exec_ifconfig(salt_master_t)
sysnet_read_config(salt_master_t)
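Review bot: `init_exec(salt_master_t)` and `libs_exec_ldconfig(salt_master_t)` grant execution of init and ldconfig inside the salt_master_t domain itself, with no domain transition, while the commit message presents the additions as mainly reads; nothing in the hunk records why a transition was not used. If the master only runs these binaries to query state, the domain-transition interfaces (`init_domtrans` / `libs_domtrans_ldconfig`, if they fit the use here) would keep that code out of the master's domain, and the point is worth confirming against the denials before the `_exec` form is kept. Either way the two lines deserve a one-line comment such as `# executed in-domain; salt only queries init/ldconfig here (verify against denials)` so the least-privilege choice is visible to the next reviewer. The remaining additions (`init_read_state`, `miscfiles_read_generic_certs`, `selinux_get_enforce_mode`, `selinux_getattr_fs`) are reads and match the description.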