Trying to start salt-2015.8.0 on an SELinux-enabled system fails with the following error:

2015-09-12 21:03:12,491 [salt.master ][ERROR ][8536] Cannot change to home directory /root ([Errno 13] Permission denied: '/root')
2015-09-12 21:03:12,491 [salt.master ][CRITICAL][8536] Master failed pre flight checks, exiting

In the audit logs, if dontaudit rules are disabled, the following is logged:

type=AVC msg=audit(1442085062.483:130): avc: denied { search } for pid=8837 comm="salt-master" name="root" dev="vda3" ino=393217 scontext=system_u:system_r:salt_master_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1442085062.831:131): arch=c000003e syscall=80 success=no exit=-13 a0=4ffc0494e0 a1=1 a2=0 a3=0 items=1 ppid=1 pid=8837 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="salt-master" exe="/usr/bin/python2.7" subj=system_u:system_r:salt_master_t:s0 key=(null)
type=AVC msg=audit(1442085062.831:131): avc: denied { search } for pid=8837 comm="salt-master" name="root" dev="vda3" ino=393217 scontext=system_u:system_r:salt_master_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir permissive=0

A workaround is to allow this policy-wise, but this is not recommended as salt_master_t has no business in user home directories.

userdom_search_user_home_dirs(salt_master_t)

A better fix would be to update salt so that it uses a salt-related "current working directory", or just /.

Reproducible: Always
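Added example, not part of the original report and not code from Salt or the audit tools: a small Python parser that groups the audit records quoted above by event serial and pairs each AVC denial with its SYSCALL record, which ties the denied search on user_home_dir_t to the chdir() that Salt logs as Errno 13. The function names are hypothetical, and the syscall table holds only the one x86_64 number that appears in the report.

```python
import errno
import re

# Records copied from the report above; event 130 has no SYSCALL record.
SAMPLE = """\
type=AVC msg=audit(1442085062.483:130): avc: denied { search } for pid=8837 comm="salt-master" name="root" dev="vda3" ino=393217 scontext=system_u:system_r:salt_master_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1442085062.831:131): arch=c000003e syscall=80 success=no exit=-13 a0=4ffc0494e0 a1=1 a2=0 a3=0 items=1 ppid=1 pid=8837 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="salt-master" exe="/usr/bin/python2.7" subj=system_u:system_r:salt_master_t:s0 key=(null)
type=AVC msg=audit(1442085062.831:131): avc: denied { search } for pid=8837 comm="salt-master" name="root" dev="vda3" ino=393217 scontext=system_u:system_r:salt_master_t:s0 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir permissive=0
"""

HEAD = re.compile(r"type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r"denied\s+\{([^}]*)\}")
# (arch, syscall number) -> name; c000003e is x86_64, where 80 is chdir.
SYSCALLS = {("c000003e", 80): "chdir"}

def parse(text):
    """Group audit records by event serial: {serial: {record_type: fields}}."""
    events = {}
    for line in text.splitlines():
        m = HEAD.match(line)
        if not m:
            continue  # skip anything that is not an audit record
        rtype, serial = m.group(1), int(m.group(3))
        fields = {k: v.strip('"') for k, v in FIELD.findall(line[m.end():])}
        if rtype == "AVC":
            fields["perms"] = PERMS.search(line).group(1).split()
        events.setdefault(serial, {})[rtype] = fields
    return events

def summarize(events):
    """One dict per AVC denial, joined with its SYSCALL record when present."""
    out = []
    for serial, recs in sorted(events.items()):
        avc, sc = recs.get("AVC"), recs.get("SYSCALL")
        if avc is None:
            continue
        row = {"serial": serial, "tclass": avc["tclass"], "perms": avc["perms"],
               "source_type": avc["scontext"].split(":")[2],
               "target_type": avc["tcontext"].split(":")[2],
               "syscall": None, "errno": None}
        if sc:  # the SYSCALL record says which call hit the denial
            num = int(sc["syscall"])
            row["syscall"] = SYSCALLS.get((sc["arch"], num), str(num))
            row["errno"] = errno.errorcode.get(-int(sc["exit"]))
        out.append(row)
    return out

if __name__ == "__main__":
    for row in summarize(parse(SAMPLE)):
        print(row)
```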
Created attachment 411736
patch to salt to make the master chdir('/')

I will upstream this too
https://github.com/saltstack/salt/pull/27091
https://github.com/saltstack/salt/pull/27092

I submitted two pull requests, one for the develop branch and the other for the stable 2015.8 branch.
@chutzpah, Looks like both of these have been merged. Should we revbump this in the tree? I can do it if you want.
salt-2015.8.2 is now in the tree with this fix