rpm/salt
SHA256
1
0
Fork 0
forked from pool/salt
Code Pull Requests Activity

Accepting request 1199887 from systemsmanagement:saltstack

Browse Source 
OBS-URL: https://build.opensuse.org/request/show/1199887
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/salt?expand=0&rev=159
This commit is contained in:
Ana Guerrero 2024-09-10 19:12:56 +00:00 committed by Git OBS Bridge
commit 19526c11e7
4 changed files with 94 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
_lastrevision
View File

@ -1 +1 @@
b3caa0c982743b8a164bb7f2d3b9d6a33593e515 89746605096ae1794506d9e1710e82f9efca83ba

83
fix-the-selinux-context-for-salt-minion-service-bsc-.patch Normal file
View File

@ -0,0 +1,83 @@
From d933c8f0795fdada84a01a2cc754586fa720993d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pablo=20Su=C3=A1rez=20Hern=C3=A1ndez?=
<psuarezhernandez@suse.com>
Date: Tue, 10 Sep 2024 13:46:09 +0100
Subject: [PATCH] Fix the SELinux context for Salt Minion service
(bsc#1219041) (#670)
Currently there are no SELinux policies for Salt.
By default, the Salt Minion service runs as 'unconfined_service_t' when
SELinux is enabled. This works fine in most cases but generates a problem
then trying to transition to an 'unconfined_t', i.a. when running
"cmd.run .... runas=nobody". Then we see this denied in audit logs:
type=AVC msg=audit(1722870119.142:718): avc: denied { transition } for pid=3421 comm="su" path="/usr/bin/bash" dev="vda3" ino=28565 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=0
(This happens for cmd.run at the time of trying to invoke a shell as a
different user to gather the environment variables from this particular
user)
Fixing the SELinuxContext for the Salt Minion systemd service to a
general 'unconfined_t' workarounds this situation.
SELinuxContext attribute was added on systemd version 209.
---
pkg/common/salt-minion.service | 1 +
pkg/old/deb/salt-minion.service | 1 +
pkg/old/suse/salt-minion.service | 1 +
pkg/old/suse/salt-minion.service.rhel7 | 1 +
4 files changed, 4 insertions(+)
diff --git a/pkg/common/salt-minion.service b/pkg/common/salt-minion.service
index 69aff18c583..696d0263c39 100644
--- a/pkg/common/salt-minion.service
+++ b/pkg/common/salt-minion.service
@@ -9,6 +9,7 @@ Type=notify
NotifyAccess=all
LimitNOFILE=8192
ExecStart=/usr/bin/salt-minion
+SELinuxContext=system_u:system_r:unconfined_t:s0
[Install]
WantedBy=multi-user.target
diff --git a/pkg/old/deb/salt-minion.service b/pkg/old/deb/salt-minion.service
index 7e6cf146549..b0ad82c1334 100644
--- a/pkg/old/deb/salt-minion.service
+++ b/pkg/old/deb/salt-minion.service
@@ -8,6 +8,7 @@ KillMode=process
NotifyAccess=all
LimitNOFILE=8192
ExecStart=/usr/bin/salt-minion
+SELinuxContext=system_u:system_r:unconfined_t:s0
[Install]
WantedBy=multi-user.target
diff --git a/pkg/old/suse/salt-minion.service b/pkg/old/suse/salt-minion.service
index 12f28314cb1..b99ef063522 100644
--- a/pkg/old/suse/salt-minion.service
+++ b/pkg/old/suse/salt-minion.service
@@ -10,6 +10,7 @@ ExecStart=/usr/bin/salt-minion
KillMode=process
Restart=on-failure
RestartSec=15
+SELinuxContext=system_u:system_r:unconfined_t:s0
[Install]
WantedBy=multi-user.target
diff --git a/pkg/old/suse/salt-minion.service.rhel7 b/pkg/old/suse/salt-minion.service.rhel7
index 69172677140..92cc66d32f4 100644
--- a/pkg/old/suse/salt-minion.service.rhel7
+++ b/pkg/old/suse/salt-minion.service.rhel7
@@ -9,6 +9,7 @@ ExecStart=/usr/bin/salt-minion
KillMode=process
Restart=on-failure
RestartSec=15
+SELinuxContext=system_u:system_r:unconfined_t:s0
[Install]
WantedBy=multi-user.target
--
2.46.0

8
salt.changes
View File

@ -1,3 +1,11 @@
-------------------------------------------------------------------
Tue Sep 10 12:51:43 UTC 2024 - Pablo Suárez Hernández <pablo.suarezhernandez@suse.com>
- Fix the SELinux context for Salt Minion service (bsc#1219041)
- Added:
* fix-the-selinux-context-for-salt-minion-service-bsc-.patch
------------------------------------------------------------------- -------------------------------------------------------------------
Wed Sep 4 12:23:53 UTC 2024 - Pablo Suárez Hernández <pablo.suarezhernandez@suse.com> Wed Sep 4 12:23:53 UTC 2024 - Pablo Suárez Hernández <pablo.suarezhernandez@suse.com>

2
salt.spec
View File

@ -434,6 +434,8 @@ Patch134: fix-test_system-flaky-setup_teardown-fn.patch
Patch135: fix-test_debian-to-work-in-our-infrastructure-676.patch Patch135: fix-test_debian-to-work-in-our-infrastructure-676.patch
# PATCH-FIX_OPENSUSE: https://github.com/openSUSE/salt/pull/677 # PATCH-FIX_OPENSUSE: https://github.com/openSUSE/salt/pull/677
Patch136: fix-deprecated-code-677.patch Patch136: fix-deprecated-code-677.patch
# PATCH-FIX_UPSTREAM: https://github.com/saltstack/salt/pull/66780
Patch137: fix-the-selinux-context-for-salt-minion-service-bsc-.patch
### IMPORTANT: The line below is used as a snippet marker. Do not touch it. ### IMPORTANT: The line below is used as a snippet marker. Do not touch it.
### SALT PATCHES LIST END ### SALT PATCHES LIST END