**Description**
On a minion with SELinux enabled, a `cmd.run` execution with argument `runas` is going to produce an ERROR in the Salt logs and a denied message in the audit logs:
Salt logs:

```
2024-07-29 16:33:52,879 [salt.loaded.int.module.cmdmod:587 ][ERROR ][3389] Environment could not be retrieved for user 'nobody': stderr='su: failed to execute /bin/bash: Permission denied\n' stdout=''
```
These errors are produced by the `salt-minion` service when trying to get the environment variables of the user targeted via `runas`. The way Salt is getting the complete set of environment variables for the user is causing a transition between `unconfined_service_t` and `unconfined_t` which is NOT allowed.
The actual execution of the command targeted via `cmd.run` is actually fine (as long as you don't rely on missing environment variables).
IMPORTANT: This error is only seen when `salt-minion` is a service started by systemd, as it gets `unconfined_service_t` context. It doesn't happen if `salt-minion` is executed manually or `salt-call` is used.
**Steps to Reproduce the behavior**
Having MINION being a SELinux enabled environment, enforcing mode ON:

```
minion # su -c env nobody
[... all expected environment variables ...]
master # salt MINION cmd.run env runas=nobody
[... NOT all expected environment variables ...]
```
An ERROR message is produced in the Salt logs and a denied AVC message in `/var/log/audit.log`.
**Expected behavior**
Having MINION being a SELinux enabled environment, enforcing mode ON:

```
minion # su -c env nobody
[... all expected environment variables ...]
master # salt MINION cmd.run env runas=nobody
[... all expected environment variables ...]
```
No denied message seen.
**Versions Report**
`salt --versions-report`:

```
Salt Version:
Salt: 3006.0

Python Version:
Python: 3.6.15 (default, Sep 23 2021, 15:41:43) [GCC]

Dependency Versions:
cffi: 1.13.2
cherrypy: Not Installed
contextvars: 2.4
dateutil: Not Installed
docker-py: Not Installed
gitdb: Not Installed
gitpython: Not Installed
Jinja2: 2.10.1
libgit2: Not Installed
looseversion: 1.0.2
M2Crypto: 0.38.0
Mako: Not Installed
msgpack: 0.5.6
msgpack-pure: Not Installed
mysql-python: Not Installed
packaging: 21.3
pycparser: 2.17
pycrypto: Not Installed
pycryptodome: Not Installed
pygit2: Not Installed
python-gnupg: Not Installed
PyYAML: 5.4.1
PyZMQ: 17.1.2
relenv: Not Installed
smmap: Not Installed
timelib: Not Installed
Tornado: 4.5.3
ZMQ: 4.2.3

System Versions:
dist: sle-micro 5.5
locale: UTF-8
machine: x86_64
release: 5.14.21-150500.55.68-default
system: Linux
version: SLE Micro 5.5
```
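The AVC record the report refers to is not quoted above. The following added example (not Salt's code and not part of the issue) constructs sample audit records in the standard `audit.log` AVC format, including one matching the described denial (`su` spawned by the `salt-minion` service, blocked from the `unconfined_service_t` to `unconfined_t` process transition), and shows how to pick exactly those records out of an audit log so a `cmd.run` / `runas` ERROR in the Salt log can be correlated with its SELinux denial. The sample records, timestamps and PIDs are constructed, not taken from the report.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample records (not from the issue): first, the denial the report
# describes (su, run by salt-minion as a systemd service in unconfined_service_t,
# blocked from executing /bin/bash as unconfined_t); second, an unrelated
# denial; third, a non-AVC record that a denial scanner must skip.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1722270832.879:4471): avc:  denied  { transition } for  pid=3391 comm="su" path="/bin/bash" dev="dm-0" ino=1234 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=0
type=AVC msg=audit(1722270840.101:4472): avc:  denied  { read } for  pid=4000 comm="httpd" name="index.html" dev="dm-0" ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1722270832.879:4471): arch=c000003e syscall=59 success=no exit=-13 comm="su" exe="/usr/bin/su"
"""

AVC_RE = re.compile(r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): "
                    r"avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"

@dataclass
class AvcDenial:
    timestamp: float          # seconds since epoch, from msg=audit(ts:serial)
    serial: int
    perms: List[str]          # permissions denied, e.g. ["transition"]
    fields: Dict[str, str]    # pid, comm, path, scontext, tcontext, tclass, ...

def ctx_type(context: str) -> str:
    """Extract the type from an SELinux context user:role:type[:level]."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else ""

def parse_avc_denials(log_text: str) -> List[AvcDenial]:
    """Return every AVC denial record in the log; other record types are skipped."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.match(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
        denials.append(AvcDenial(float(m.group("ts")), int(m.group("serial")),
                                 m.group("perms").split(), fields))
    return denials

def find_runas_transition_denials(log_text: str) -> List[AvcDenial]:
    """Denials matching the issue: su blocked from the process transition
    unconfined_service_t -> unconfined_t while setting up the runas user."""
    return [d for d in parse_avc_denials(log_text)
            if d.fields.get("comm") == "su"
            and "transition" in d.perms and d.fields.get("tclass") == "process"
            and ctx_type(d.fields.get("scontext", "")) == "unconfined_service_t"
            and ctx_type(d.fields.get("tcontext", "")) == "unconfined_t"]
```

A `permissive=1` in a matching record means the denial was only logged, which corresponds to the case where `cmd.run` still reports the full environment; `permissive=0` is the enforcing case the report describes.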