Bug 958028
Summary: salt SELinux issues (daemons run as initrc_t)

| Field | Value |
|---|---|
| Product | Red Hat Enterprise Linux 6 |
| Reporter | Florian La Roche <florian.laroche> |
| Component | selinux-policy |
| Assignee | Lukas Vrabec <lvrabec> |
| Status | CLOSED WONTFIX |
| QA Contact | BaseOS QE Security Team <qe-baseos-security> |
| Severity | unspecified |
| Docs Contact | |
| Priority | unspecified |
| Version | 6.4 |
| CC | dwalsh, herlo1, mgrepl, mmalik, racooper, ssekidde |
| Target Milestone | rc |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Whiteboard | |
| Fixed In Version | |
| Doc Type | Bug Fix |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2015-02-25 10:53:24 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | |
| Bug Blocks | 832330 |
| Attachments | |
Description
Florian La Roche
2013-04-30 08:01:16 UTC
There are 2 problems:

* leaked file descriptors (type=1400 messages)
* salt-master does not have a SELinux domain (the output of ps)

Created attachment 745240
salt-master policy package

Please remove the mysalt module and load the attached policy package into the kernel by running

semodule -r mysalt && semodule -B && semodule -i saltmaster.pp

and provide any updated AVCs.
Did anyone ever try this out? Do we ship salt in Fedora?

salt* packages are available in EPEL repos for RHEL-5 and RHEL-6.

Testing with the saltmaster.pp attached to this ticket I still receive the following errors when starting salt_master:

type=AVC msg=audit(1372699281.483:68818): avc: denied { read write } for pid=11102 comm="ip" path="anon_inode:[eventpoll]" dev=anon_inodefs ino=3672 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:anon_inodefs_t:s0 tclass=file
type=AVC msg=audit(1372699281.483:68818): avc: denied { read write } for pid=11102 comm="ip" path="anon_inode:[eventfd]" dev=anon_inodefs ino=3672 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:anon_inodefs_t:s0 tclass=file

This probably means salt is leaking a file descriptor to anon_inodefs when it executes the ip command. If we ship salt, we should open a bugzilla on this.

Moving it to RHEL6.6.

This is EPEL. I believe we can go with initrc_t in RHEL6 for salt and see to get fixes in RHEL7.
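The two findings in this bug (a helper like `ip` tripping denials on inherited anon_inode descriptors, and a daemon left running in initrc_t because no domain transition exists for it) are both easy to spot mechanically from audit.log and `ps -eZ`. The script below is an added triage example written for this page; it is not code from the bug, the selinux-policy package or the salt project. The audit sample reuses the two AVC lines quoted above plus one constructed unrelated denial, and the `ps -eZ` sample with its PIDs is constructed as well.

```python
import re
from collections import Counter

# Constructed sample input: the two AVC denials quoted in the bug, plus one
# constructed unrelated denial so the leaked-fd filter has something to ignore.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1372699281.483:68818): avc: denied { read write } for pid=11102 comm="ip" path="anon_inode:[eventpoll]" dev=anon_inodefs ino=3672 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:anon_inodefs_t:s0 tclass=file
type=AVC msg=audit(1372699281.483:68818): avc: denied { read write } for pid=11102 comm="ip" path="anon_inode:[eventfd]" dev=anon_inodefs ino=3672 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:anon_inodefs_t:s0 tclass=file
type=AVC msg=audit(1372699300.100:68819): avc: denied { name_connect } for pid=11200 comm="python" dest=4505 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
"""

# Constructed sample of `ps -eZ` output (hypothetical PIDs).
SAMPLE_PS = """\
LABEL                             PID TTY          TIME CMD
system_u:system_r:init_t:s0         1 ?        00:00:01 init
system_u:system_r:initrc_t:s0    4242 ?        00:00:03 salt-master
system_u:system_r:sshd_t:s0      1234 ?        00:00:00 sshd
"""

# "type=AVC ... avc: denied { perms } for key=value key="value" ..."
AVC_RE = re.compile(r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for (?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Turn one AVC denial line into a dict; return None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    return rec


def parse_audit(text):
    return [r for r in (parse_avc(l) for l in text.splitlines()) if r]


def source_type(ctx):
    """user:role:type:level -> type (e.g. ifconfig_t, anon_inodefs_t)."""
    return ctx.split(":")[2]


def leaked_fd_denials(records):
    """Denials where a child process touched an anon_inode (eventpoll, eventfd, ...)
    it never opened itself: the signature of a descriptor inherited across exec."""
    return [r for r in records
            if r.get("dev") == "anon_inodefs" and r.get("path", "").startswith("anon_inode:")]


def unconfined_daemons(ps_text):
    """Processes still in initrc_t, i.e. launched by an init script but never
    transitioned into a daemon-specific domain (the second problem in the bug)."""
    found = []
    for line in ps_text.splitlines()[1:]:      # skip the header row
        parts = line.split()
        if len(parts) < 5:
            continue
        label, pid, cmd = parts[0], parts[1], parts[-1]
        if source_type(label) == "initrc_t":
            found.append((cmd, int(pid)))
    return found


def summarize(records):
    """Count denials by (comm, source type, target type, class, permissions)."""
    return Counter((r.get("comm"), source_type(r["scontext"]), source_type(r["tcontext"]),
                    r.get("tclass"), " ".join(r["perms"])) for r in records)


if __name__ == "__main__":
    recs = parse_audit(SAMPLE_AUDIT)
    for key, n in summarize(recs).items():
        print(n, key)
    for r in leaked_fd_denials(recs):
        print("leaked fd:", r["comm"], "pid", r["pid"], r["path"], "in", source_type(r["scontext"]))
    for cmd, pid in unconfined_daemons(SAMPLE_PS):
        print("running in initrc_t:", cmd, "pid", pid)
```

On a real host the inputs would come from `/var/log/audit/audit.log` (or `ausearch -m avc`) and `ps -eZ`; the leaked-fd hits point at the parent that needs to close or mark descriptors close-on-exec before spawning helpers, while the initrc_t list shows which services still need a domain and file-context transition of the kind the attached saltmaster.pp was meant to provide.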