commit: 476723f5d02b3222109358f99c9d76ede915e71b
Author: Sven Vermeulen <swift <AT> gentoo <DOT> org>
AuthorDate: Sun Nov 22 12:28:43 2015 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Mon Nov 23 13:40:51 2015 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=476723f5
Use fowner for salt_minion_t
Enable the fowner capability for the salt minion so that directory
metadata can be updated (such as the mode).
For instance, when trying to set mode 755 on a directory, the following
came up in the salt minion log (and the operation failed):
2015-11-22 13:18:01,242 [salt.state ][ERROR ][3290] Failed to
change mode to 0775
In the audit logs, the following occurred:
type=AVC msg=audit(1448194681.239:118): avc: denied { fowner } for
pid=3290 comm="salt-minion" capability=3
scontext=system_u:system_r:salt_minion_t:s0
tcontext=system_u:system_r:salt_minion_t:s0 tclass=capability
permissive=0
policy/modules/contrib/salt.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/salt.te b/policy/modules/contrib/salt.te
index 2a4e84d..9a8a4ad 100644
--- a/policy/modules/contrib/salt.te
+++ b/policy/modules/contrib/salt.te
@@ -218,7 +218,7 @@ tunable_policy(`salt_master_read_nfs',`
# salt_minion_t policy
#
-allow salt_minion_t self:capability { fsetid chown dac_override
dac_read_search net_admin setgid setuid sys_admin sys_nice sys_tty_config };
+allow salt_minion_t self:capability { fowner fsetid chown dac_override
dac_read_search net_admin setgid setuid sys_admin sys_nice sys_tty_config };
allow salt_minion_t self:capability2 block_suspend;
allow salt_minion_t self:process { getsched setsched signal signull };
allow salt_minion_t self:tcp_socket create_stream_socket_perms;
