[BUG] Triggering "cmd.run" with "runas" on SELinux enabled minion produces ERROR and denied message
Description
On a minion with SELinux enabled, a `cmd.run` execution with the `runas` argument produces an ERROR in the Salt logs and a denied message in the audit logs:
Salt logs:

```
2024-07-29 16:33:52,879 [salt.loaded.int.module.cmdmod:587 ][ERROR ][3389] Environment could not be retrieved for user 'nobody': stderr='su: failed to execute /bin/bash: Permission denied\n' stdout=''
```

Audit logs:

```
type=AVC msg=audit(1722874387.581:120): avc: denied { transition } for pid=3219 comm="su" path="/usr/bin/bash" dev="vda3" ino=8730 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=0
```
These errors are produced by the `salt-minion` service when it tries to get the environment variables of the user targeted via `runas`. The way Salt obtains the complete set of environment variables for that user causes a transition from `unconfined_service_t` to `unconfined_t`, which is NOT allowed.

The execution of the command passed to `cmd.run` itself is fine (as long as you don't rely on the missing environment variables).
IMPORTANT: This error is only seen when `salt-minion` is a service started by systemd, as it then gets the `unconfined_service_t` context. It doesn't happen if `salt-minion` is executed manually or `salt-call` is used.
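As an added example (not part of the original report), here is a small Python filter that picks this specific denial out of an audit log: it parses AVC records into fields and flags a `su` process transition from `unconfined_service_t` to `unconfined_t` that was refused. The first sample line is the AVC record quoted above; the second is a constructed, unrelated denial included to show it is ignored.

```python
import re

# Constructed sample: line 1 is the AVC record from this report, line 2 is an
# unrelated denial added only to show that the filter leaves it alone.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1722874387.581:120): avc: denied { transition } for pid=3219 comm="su" path="/usr/bin/bash" dev="vda3" ino=8730 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=0
type=AVC msg=audit(1722874400.123:121): avc: denied { read } for pid=4001 comm="httpd" name="index.html" dev="vda3" ino=9001 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc: +'
    r'(?P<result>denied|granted) +\{ (?P<perms>[^}]+)\} +for +(?P<rest>.*)'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC record into a dict; return None if the line is not an AVC record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {"timestamp": float(m.group("ts")), "serial": int(m.group("serial")),
           "result": m.group("result"), "perms": m.group("perms").split()}
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    # user:role:type:level -- the type is what the policy rules key on
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            rec[ctx + "_type"] = rec[ctx].split(":")[2]
    return rec


def is_salt_runas_transition_denial(rec):
    """True when the record matches the denial described in this report: su, launched from
    a process running as unconfined_service_t, is refused the transition to unconfined_t."""
    return (rec is not None and rec["result"] == "denied" and "transition" in rec["perms"]
            and rec.get("tclass") == "process" and rec.get("comm") == "su"
            and rec.get("scontext_type") == "unconfined_service_t"
            and rec.get("tcontext_type") == "unconfined_t")


def find_salt_runas_denials(log_text):
    """Return (audit serial, su pid) for every matching denial in the log text."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if is_salt_runas_transition_denial(rec):
            hits.append((rec["serial"], int(rec["pid"])))
    return hits


if __name__ == "__main__":
    for serial, pid in find_salt_runas_denials(SAMPLE_AUDIT_LOG):
        print(f"audit serial {serial}: runas transition denied for su pid {pid}")
```

Pointing `find_salt_runas_denials` at the contents of `/var/log/audit/audit.log` on the minion confirms whether the denials seen there are this exact case rather than some other SELinux problem.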
Setup (Please provide relevant configs and/or SLS files (be sure to remove sensitive info. There is no general set-up of Salt.)
Please be as specific as possible and give set-up details.
- [x] on-prem machine
- [x] VM (KVM)
- [ ] VM running on a cloud service, please be explicit and add details
- [ ] container (Kubernetes, Docker, containerd, etc. please specify)
- [ ] or a combination, please be explicit
- [ ] jails if it is FreeBSD
- [x] classic packaging
- [ ] onedir packaging
- [ ] used bootstrap to install
Steps to Reproduce the behavior
With MINION being an SELinux-enabled environment, enforcing mode ON:

```
minion # su -c env nobody
[... all expected environment variables ...]
master # salt MINION cmd.run env runas=nobody
[... NOT all expected environment variables ...]
```

An ERROR message is produced in the Salt logs and a denied AVC message in /var/log/audit.log.
Expected behavior
With MINION being an SELinux-enabled environment, enforcing mode ON:

```
minion # su -c env nobody
[... all expected environment variables ...]
master # salt MINION cmd.run env runas=nobody
[... all expected environment variables ...]
```

No denied message seen.
Versions Report
salt --versions-report

```
Salt Version:
          Salt: 3006.0

Python Version:
        Python: 3.6.15 (default, Sep 23 2021, 15:41:43) [GCC]

Dependency Versions:
          cffi: 1.13.2
      cherrypy: Not Installed
   contextvars: 2.4
      dateutil: Not Installed
     docker-py: Not Installed
         gitdb: Not Installed
     gitpython: Not Installed
        Jinja2: 2.10.1
       libgit2: Not Installed
  looseversion: 1.0.2
      M2Crypto: 0.38.0
          Mako: Not Installed
       msgpack: 0.5.6
  msgpack-pure: Not Installed
  mysql-python: Not Installed
     packaging: 21.3
     pycparser: 2.17
      pycrypto: Not Installed
  pycryptodome: Not Installed
        pygit2: Not Installed
  python-gnupg: Not Installed
        PyYAML: 5.4.1
         PyZMQ: 17.1.2
        relenv: Not Installed
         smmap: Not Installed
       timelib: Not Installed
       Tornado: 4.5.3
           ZMQ: 4.2.3

System Versions:
          dist: sle-micro 5.5
        locale: UTF-8
       machine: x86_64
       release: 5.14.21-150500.55.68-default
        system: Linux
       version: SLE Micro 5.5
```