From: "Sven Vermeulen"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen"
Message-ID: <1438542071.e37615c40f756dcaf85c7d5f2d1bd904f898f721.swift@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/contrib/salt.te
X-VCS-Directories: policy/modules/contrib/
X-VCS-Committer: swift
X-VCS-Committer-Name: Sven Vermeulen
X-VCS-Revision: e37615c40f756dcaf85c7d5f2d1bd904f898f721
X-VCS-Branch: master
Date: Sun, 2 Aug 2015 19:02:39 +0000 (UTC)
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: a949a7a8-7e48-4dc2-8069-32a1deffc6a1
X-Archives-Hash: 38fc2fe260c5cdb595664128f6c7135f

commit:     e37615c40f756dcaf85c7d5f2d1bd904f898f721
Author:     Sven Vermeulen siphos be>
AuthorDate: Sun Aug  2 19:01:11 2015 +0000
Commit:     Sven Vermeulen gentoo org>
CommitDate: Sun Aug  2 19:01:11 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e37615c4

A whole slew before master is started correctly

Without these changes, subprocesses of the salt master keep crashing/exiting
without any sign. Although the denials are extremely frequent (as the main
salt master restarts those processes over and over again) there is no
information in the salt logs that points to anything.

After allowing these operations (which is mainly reading information) the
salt master starts fine.

 policy/modules/contrib/salt.te | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/policy/modules/contrib/salt.te b/policy/modules/contrib/salt.te
index c00aa50..0f3dba4 100644
--- a/policy/modules/contrib/salt.te
+++ b/policy/modules/contrib/salt.te
@@ -99,7 +99,7 @@ files_pid_file(salt_var_run_t) # salt_master_t policy # -allow salt_master_t self:capability { net_admin sys_admin sys_tty_config }; +allow salt_master_t self:capability { net_admin sys_admin sys_nice sys_tty_config }; allow salt_master_t self:capability2 block_suspend; allow salt_master_t self:process { getsched setsched signal }; allow salt_master_t self:tcp_socket create_stream_socket_perms; @@ -167,6 +167,7 @@ files_pid_filetrans(salt_master_t, salt_var_run_t, dir) files_pid_filetrans(salt_master_t, salt_master_var_run_t, file, "salt-master.pid") kernel_read_network_state(salt_master_t) +kernel_read_software_raid_state(salt_master_t) kernel_read_system_state(salt_master_t) corecmd_exec_bin(salt_master_t) @@ -189,7 +190,16 @@ fs_getattr_tmpfs(salt_master_t) getty_use_fds(salt_master_t) +init_exec(salt_master_t) +init_read_state(salt_master_t) + +libs_exec_ldconfig(salt_master_t) + miscfiles_read_localization(salt_master_t) +miscfiles_read_generic_certs(salt_master_t) + +selinux_get_enforce_mode(salt_master_t) +selinux_getattr_fs(salt_master_t) sysnet_exec_ifconfig(salt_master_t) sysnet_read_config(salt_master_t)
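Review bot: the sys_nice capability added in the first hunk (@@ -99,7 +99,7 @@) is wider than the "mainly reading information" the commit message describes: CAP_SYS_NICE lets salt_master_t change the scheduling priority and CPU affinity of processes other than itself, while the domain already holds `self:process { getsched setsched signal }` for its own scheduling. If the denial comes from a probe the master tolerates failing, `dontaudit salt_master_t self:capability sys_nice;` would quiet the audit log without widening the domain; if the master really has to renice its worker subprocesses, a one-line comment above the allow rule saying so would tell the next maintainer why the capability is there.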
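Review bot: kernel_read_software_raid_state(salt_master_t) in the second hunk (@@ -167,6 +167,7 @@) is placed correctly between kernel_read_network_state and kernel_read_system_state, but nothing in the file records which salt subprocess reads the software RAID state (this interface normally covers /proc/mdstat). Since the commit message notes that these denials leave no trace in the salt logs, a short comment naming the trigger (grain collection, for instance, if that is what it was) would save the next person from reconstructing it from audit records.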
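Review bot: init_exec(salt_master_t) and libs_exec_ldconfig(salt_master_t) in the third hunk (@@ -189,7 +190,16 @@) execute the init binary and ldconfig inside salt_master_t instead of transitioning to their own domains, so everything those programs touch is attributed to the master's domain and will have to be allowed for it as well. That is consistent with the existing corecmd_exec_bin(salt_master_t) a few lines up, but if the master only needs to query init (service state) or refresh the linker cache, the transition interfaces (init_domtrans, libs_domtrans_ldconfig) keep salt_master_t narrower, and if the exec attempt is incidental a dontaudit would do. The remaining additions (init_read_state, miscfiles_read_generic_certs, selinux_get_enforce_mode, selinux_getattr_fs) are read-only and match the commit message; the blank-line grouping by module follows refpolicy style.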