From: "Jason Zaman"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman"
Message-ID: <1438542071.e37615c40f756dcaf85c7d5f2d1bd904f898f721.perfinion@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/contrib/salt.te
X-VCS-Directories: policy/modules/contrib/
X-VCS-Committer: perfinion
X-VCS-Committer-Name: Jason Zaman
X-VCS-Revision: e37615c40f756dcaf85c7d5f2d1bd904f898f721
X-VCS-Branch: next
Date: Sun, 2 Aug 2015 19:06:33 +0000 (UTC)
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: de5301d7-1987-41e9-aa6f-1fa63ca3df83
X-Archives-Hash: 6c69740d9190ac30e4c09e2ed1a38acd

commit:     e37615c40f756dcaf85c7d5f2d1bd904f898f721
Author:     Sven Vermeulen siphos be>
AuthorDate: Sun Aug  2 19:01:11 2015 +0000
Commit:     Jason Zaman gentoo org>
CommitDate: Sun Aug  2 19:01:11 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e37615c4

A whole slew before master is started correctly

Without these changes, subprocesses of the salt master keep crashing/exiting without any sign. Although the denials are extremely frequent (as the main salt master restarts those processes over and over again) there is no information in the salt logs that points to anything.

After allowing these operations (which is mainly reading information) the salt master starts fine.

 policy/modules/contrib/salt.te | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/policy/modules/contrib/salt.te b/policy/modules/contrib/salt.te
index c00aa50..0f3dba4 100644
--- a/policy/modules/contrib/salt.te
+++ b/policy/modules/contrib/salt.te
@@ -99,7 +99,7 @@ files_pid_file(salt_var_run_t) # salt_master_t policy # -allow salt_master_t self:capability { net_admin sys_admin sys_tty_config }; +allow salt_master_t self:capability { net_admin sys_admin sys_nice sys_tty_config }; allow salt_master_t self:capability2 block_suspend; allow salt_master_t self:process { getsched setsched signal }; allow salt_master_t self:tcp_socket create_stream_socket_perms; @@ -167,6 +167,7 @@ files_pid_filetrans(salt_master_t, salt_var_run_t, dir) files_pid_filetrans(salt_master_t, salt_master_var_run_t, file, "salt-master.pid") kernel_read_network_state(salt_master_t) +kernel_read_software_raid_state(salt_master_t) kernel_read_system_state(salt_master_t) corecmd_exec_bin(salt_master_t) @@ -189,7 +190,16 @@ fs_getattr_tmpfs(salt_master_t) getty_use_fds(salt_master_t) +init_exec(salt_master_t) +init_read_state(salt_master_t) + +libs_exec_ldconfig(salt_master_t) + miscfiles_read_localization(salt_master_t) +miscfiles_read_generic_certs(salt_master_t) + +selinux_get_enforce_mode(salt_master_t) +selinux_getattr_fs(salt_master_t) sysnet_exec_ifconfig(salt_master_t) sysnet_read_config(salt_master_t)
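Review bot: the first hunk (the `self:capability` line at -99/+99) adds `sys_nice`, which is a privilege grant rather than the "mainly reading information" the commit message describes: it lets salt_master_t change the scheduling priority of processes, which is consistent with the existing `allow salt_master_t self:process { getsched setsched signal }` but should be called out. Suggest the commit message name the operation that produced the denial (for example the master renicing its worker subprocesses) so a later audit can judge whether the capability is required or a dontaudit would suffice.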
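Review bot: `kernel_read_software_raid_state(salt_master_t)` in the second hunk (-167/+167) is read-only access to kernel RAID state, so it matches the commit message, but nothing in the message says why a salt master needs it; a one-line comment above the call, or a sentence in the message, naming the consumer would help whoever next reviews this module. Its placement between `kernel_read_network_state` and `kernel_read_system_state` keeps the alphabetical order the block already follows.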
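Review bot: in the third hunk (-189/+190), `init_exec(salt_master_t)` and `libs_exec_ldconfig(salt_master_t)` are execute permissions, not reads, and neither is paired with a domain transition, so the init binary and ldconfig would run inside salt_master_t with this domain's full permission set; the commit message's "mainly reading information" understates that. Suggest stating which master operation execs them and, if the master only probes for them rather than needing the result, preferring a dontaudit. The remaining additions (`init_read_state`, `miscfiles_read_generic_certs`, `selinux_get_enforce_mode`, `selinux_getattr_fs`) are read/getattr-only and match the description, and the blank lines separating the init, libs, miscfiles and selinux groups follow the one-blank-line-per-module layout of the surrounding block.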