
[BUG] Triggering "cmd.run" with "runas" on SELinux enabled minion produces ERROR and denied message #66779

Open
3 of 9 tasks
meaksh opened this issue Aug 6, 2024 · 0 comments · May be fixed by #66780
Labels
Bug broken, incorrect, or confusing behavior needs-triage

Comments

@meaksh (Contributor) commented Aug 6, 2024

Description
On a minion with SELinux enabled, a cmd.run execution with argument runas is going to produce an ERROR in the Salt logs and a denied message in the audit logs:

Salt logs:

2024-07-29 16:33:52,879 [salt.loaded.int.module.cmdmod:587 ][ERROR   ][3389] Environment could not be retrieved for user 'nobody': stderr='su: failed to execute /bin/bash: Permission denied\n' stdout=''

Audit logs:

type=AVC msg=audit(1722874387.581:120): avc:  denied  { transition } for  pid=3219 comm="su" path="/usr/bin/bash" dev="vda3" ino=8730 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=0

These errors are produced by the salt-minion service when trying to get the environment variables of the user targeted via runas. The way Salt is getting the complete set of environment variables for the user is causing a transition between unconfined_service_t and unconfined_t which is NOT allowed.

The actual execution of the command targeted via cmd.run is actually fine (as long as you don't rely on missing environment variables).

IMPORTANT: This error is only seen when salt-minion is a service started by systemd, as it gets unconfined_service_t context. It doesn't happen if salt-minion is executed manually or salt-call is used.

Setup
(Please provide relevant configs and/or SLS files (be sure to remove sensitive info. There is no general set-up of Salt.)

Please be as specific as possible and give set-up details.

  • on-prem machine
  • VM (KVM)
  • VM running on a cloud service, please be explicit and add details
  • container (Kubernetes, Docker, containerd, etc. please specify)
  • or a combination, please be explicit
  • jails if it is FreeBSD
  • classic packaging
  • onedir packaging
  • used bootstrap to install

Steps to Reproduce the behavior

Having MINION being a SELinux enabled environment, enforcing mode ON:

minion # su -c env nobody
[... all expected environment variables ...]

master # salt MINION cmd.run env runas=nobody
[... NOT all expected environment variables ...]

An ERROR message is produced in the Salt logs and denied AVC message on /var/log/audit.log.

Expected behavior

Having MINION being a SELinux enabled environment, enforcing mode ON:

minion # su -c env nobody
[... all expected environment variables ...]

master # salt MINION cmd.run env runas=nobody
[... all expected environment variables ...]

No denied message seen.

Versions Report

salt --versions-report

```yaml
Salt Version:
          Salt: 3006.0

Python Version:
        Python: 3.6.15 (default, Sep 23 2021, 15:41:43) [GCC]

Dependency Versions:
          cffi: 1.13.2
      cherrypy: Not Installed
   contextvars: 2.4
      dateutil: Not Installed
     docker-py: Not Installed
         gitdb: Not Installed
     gitpython: Not Installed
        Jinja2: 2.10.1
       libgit2: Not Installed
  looseversion: 1.0.2
      M2Crypto: 0.38.0
          Mako: Not Installed
       msgpack: 0.5.6
  msgpack-pure: Not Installed
  mysql-python: Not Installed
     packaging: 21.3
     pycparser: 2.17
      pycrypto: Not Installed
  pycryptodome: Not Installed
        pygit2: Not Installed
  python-gnupg: Not Installed
        PyYAML: 5.4.1
         PyZMQ: 17.1.2
        relenv: Not Installed
         smmap: Not Installed
       timelib: Not Installed
       Tornado: 4.5.3
           ZMQ: 4.2.3

System Versions:
          dist: sle-micro 5.5
        locale: UTF-8
       machine: x86_64
       release: 5.14.21-150500.55.68-default
        system: Linux
       version: SLE Micro 5.5
```

Additional context
@meaksh meaksh added Bug broken, incorrect, or confusing behavior needs-triage labels Aug 6, 2024
@meaksh meaksh linked a pull request Aug 6, 2024 that will close this issue
3 tasks