commit:     bf421d08e93e0e098620587655d9326d826f4a5d
Author:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Aug  2 18:05:49 2015 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Aug  2 18:05:49 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=bf421d08

Salt minion requires execute rights on init to start

Without execute rights, the salt minion continuously restarts with the
following in the log:

2015-08-02 20:02:57,671 [salt.scripts     ][INFO    ][30383] Sleeping random_reauth_delay of 6 seconds
2015-08-02 20:03:13,558 [salt.cli.daemons ][INFO    ][30833] Setting up the Salt Minion "salt.internal.genfic.local"
2015-08-02 20:03:13,913 [salt.utils.process][DEBUG   ][30833] Created pidfile: /var/run/salt-minion.pid
2015-08-02 20:03:13,914 [salt.config      ][DEBUG   ][30833] Reading configuration from /etc/salt/minion
2015-08-02 20:03:13,915 [salt.config      ][DEBUG   ][30833] Including configuration from '/etc/salt/minion.d/_schedule.conf'
2015-08-02 20:03:13,915 [salt.config      ][DEBUG   ][30833] Reading configuration from /etc/salt/minion.d/_schedule.conf
2015-08-02 20:03:14,188 [salt.utils       ][TRACE   ][30833] 'init' could not be found in the following search path: ['/bin', '/sbin', '/bin', '/sbin', '/usr/bin', '/usr/sbin', '/usr/bin', '/usr/sbin', '/usr/local/bin', '/usr/local/sbin', '/opt/bin', '/usr/x86_64-pc-linux-gnu/gcc-bin/4.8.4']
2015-08-02 20:03:14,189 [salt.cli.daemons ][INFO    ][30833] The salt minion is shut down
2015-08-02 20:03:14,190 [salt.scripts     ][ERROR   ][30833] coercing to Unicode: need string or buffer, NoneType found
2015-08-02 20:03:14,190 [salt.scripts     ][WARNING ][30833] ** Restarting minion **

The denial:

type=AVC msg=audit(1438538594.186:99014): avc:  denied  { execute } for pid=30833 comm="salt-minion" name="init" dev="vda3" ino=2900377 scontext=system_u:system_r:salt_minion_t:s0 tcontext=system_u:object_r:init_exec_t:s0 tclass=file permissive=0

 policy/modules/contrib/salt.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/contrib/salt.te b/policy/modules/contrib/salt.te
index ab19bf7..c00aa50 100644
--- a/policy/modules/contrib/salt.te
+++ b/policy/modules/contrib/salt.te
@@ -288,6 +288,7 @@ fstools_domtrans(salt_minion_t)
 
 getty_use_fds(salt_minion_t)
 
+init_exec(salt_minion_t)
 init_exec_rc(salt_minion_t)
 
 miscfiles_read_localization(salt_minion_t)
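
Review bot: the added init_exec(salt_minion_t) line carries no comment explaining why the minion needs it, and the evidence in the commit message is narrower than the interface name suggests. The AVC shows only { execute } on init_exec_t, and the TRACE line ("'init' could not be found in the following search path") points to the minion probing for the init binary at startup rather than running it. Please add a one-line comment above the call recording that reason, and confirm whether salt_minion_t really needs everything init_exec grants or only the execute permission the denial reports, so the domain does not gain the ability to run init in its own context without a stated need.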
