Bug 549004 - app-admin/salt-2015.5.0 salt_master_t requires /dev/shm access
Summary: app-admin/salt-2015.5.0 salt_master_t requires /dev/shm access
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: SELinux
Hardware: All Linux
Importance: Normal normal
Assignee: Sven Vermeulen (RETIRED)
URL:
Whiteboard: sec-policy r6
Keywords:
Depends on:
Blocks:
 
Reported: 2015-05-09 12:20 UTC by Sven Vermeulen (RETIRED)
Modified: 2015-07-03 16:19 UTC

See Also:
Package list:
Runtime testing required: ---


Description Sven Vermeulen (RETIRED) gentoo-dev 2015-05-09 12:20:32 UTC
The salt master daemon requires /dev/shm access for creating and managing semaphores.

Traceback (most recent call last):
  File "/usr/lib/python-exec/python2.7/salt-master", line 10, in <module>
    salt_master()
  File "/usr/lib64/python2.7/site-packages/salt/scripts.py", line 50, in salt_master
    master.start()
  File "/usr/lib64/python2.7/site-packages/salt/cli/daemons.py", line 149, in start
    self.prepare()
  File "/usr/lib64/python2.7/site-packages/salt/cli/daemons.py", line 130, in prepare
    self.master = salt.master.Master(self.config)
  File "/usr/lib64/python2.7/site-packages/salt/master.py", line 304, in __init__
    SMaster.__init__(self, opts)
  File "/usr/lib64/python2.7/site-packages/salt/master.py", line 89, in __init__
    SMaster.aes = multiprocessing.Array(ctypes.c_char, salt.crypt.Crypticle.generate_key_string())
  File "/usr/lib64/python2.7/multiprocessing/__init__.py", line 260, in Array
    return Array(typecode_or_type, size_or_initializer, **kwds)
  File "/usr/lib64/python2.7/multiprocessing/sharedctypes.py", line 119, in Array
    lock = RLock()
  File "/usr/lib64/python2.7/multiprocessing/__init__.py", line 183, in RLock
    return RLock()
  File "/usr/lib64/python2.7/multiprocessing/synchronize.py", line 172, in __init__
    SemLock.__init__(self, RECURSIVE_MUTEX, 1, 1)
  File "/usr/lib64/python2.7/multiprocessing/synchronize.py", line 75, in __init__
    sl = self._semlock = _multiprocessing.SemLock(kind, value, maxvalue)
OSError: [Errno 13] Permission denie

type=AVC msg=audit(1431173657.132:221): avc:  denied  { getattr } for  pid=2488 comm="salt-master" name="/" dev="tmpfs" ino=1322 scontext=system_u:system_r:salt_master_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=0
type=AVC msg=audit(1431173769.340:227): avc:  denied  { create } for  pid=2616 comm="salt-master" name="sem.HES7e4" scontext=system_u:system_r:salt_master_t:s0 tcontext=system_u:object_r:salt_master_tmpfs_t:s0 tclass=file permissive=0

Creating a salt_master_tmpfs_t with the proper filetrans should do it.

Reproducible: Always
Comment 1 Sven Vermeulen (RETIRED) gentoo-dev 2015-05-09 12:24:57 UTC
Fixed in repo, will be part of r6
Comment 2 Jason Zaman gentoo-dev 2015-06-05 16:24:42 UTC
r6 policy is in ~arch
Comment 3 Sven Vermeulen (RETIRED) gentoo-dev 2015-07-03 16:19:13 UTC
Now stable