Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package salt for openSUSE:Factory checked in at 2024-09-10 21:12:56
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/salt (Old)
 and      /work/SRC/openSUSE:Factory/.salt.new.17570 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "salt" Tue Sep 10 21:12:56 2024 rev:159 rq:1199887 version:3006.0 Changes: -------- --- /work/SRC/openSUSE:Factory/salt/salt.changes 2024-09-05 15:46:43.446917383 +0200 +++ /work/SRC/openSUSE:Factory/.salt.new.17570/salt.changes 2024-09-10 21:13:57.467848576 +0200 @@ -1,0 +2,8 @@ +Tue Sep 10 12:51:43 UTC 2024 - Pablo Suárez Hernández <pablo.suarezhernan...@suse.com> + +- Fix the SELinux context for Salt Minion service (bsc#1219041) + +- Added: + * fix-the-selinux-context-for-salt-minion-service-bsc-.patch + +------------------------------------------------------------------- New: ---- fix-the-selinux-context-for-salt-minion-service-bsc-.patch BETA DEBUG BEGIN: New:- Added: * fix-the-selinux-context-for-salt-minion-service-bsc-.patch BETA DEBUG END: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ salt.spec ++++++ --- /var/tmp/diff_new_pack.1weyRo/_old 2024-09-10 21:14:00.399970740 +0200 +++ /var/tmp/diff_new_pack.1weyRo/_new 2024-09-10 21:14:00.403970908 +0200 @@ -434,6 +434,8 @@ Patch135: fix-test_debian-to-work-in-our-infrastructure-676.patch # PATCH-FIX_OPENSUSE: https://github.com/openSUSE/salt/pull/677 Patch136: fix-deprecated-code-677.patch +# PATCH-FIX_UPSTREAM: https://github.com/saltstack/salt/pull/66780 +Patch137: fix-the-selinux-context-for-salt-minion-service-bsc-.patch ### IMPORTANT: The line below is used as a snippet marker. Do not touch it. ### SALT PATCHES LIST END ++++++ _lastrevision ++++++ --- /var/tmp/diff_new_pack.1weyRo/_old 2024-09-10 21:14:00.495974741 +0200 +++ /var/tmp/diff_new_pack.1weyRo/_new 2024-09-10 21:14:00.499974907 +0200 @@ -1,3 +1,3 @@ -b3caa0c982743b8a164bb7f2d3b9d6a33593e515 +89746605096ae1794506d9e1710e82f9efca83ba (No newline at EOF) ++++++ fix-the-selinux-context-for-salt-minion-service-bsc-.patch ++++++ >From d933c8f0795fdada84a01a2cc754586fa720993d Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Pablo=20Su=C3=A1rez=20Hern=C3=A1ndez?= <psuarezhernan...@suse.com> Date: Tue, 10 Sep 2024 13:46:09 +0100 Subject: [PATCH] Fix the SELinux context for Salt Minion service (bsc#1219041) (#670) Currently there are no SELinux policies for Salt. By default, the Salt Minion service runs as 'unconfined_service_t' when SELinux is enabled. This works fine in most cases but generates a problem then trying to transition to an 'unconfined_t', i.a. when running "cmd.run .... runas=nobody". Then we see this denied in audit logs: type=AVC msg=audit(1722870119.142:718): avc: denied { transition } for pid=3421 comm="su" path="/usr/bin/bash" dev="vda3" ino=28565 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=0 (This happens for cmd.run at the time of trying to invoke a shell as a different user to gather the environment variables from this particular user) Fixing the SELinuxContext for the Salt Minion systemd service to a general 'unconfined_t' workarounds this situation. SELinuxContext attribute was added on systemd version 209. --- pkg/common/salt-minion.service | 1 + pkg/old/deb/salt-minion.service | 1 + pkg/old/suse/salt-minion.service | 1 + pkg/old/suse/salt-minion.service.rhel7 | 1 + 4 files changed, 4 insertions(+) diff --git a/pkg/common/salt-minion.service b/pkg/common/salt-minion.service index 69aff18c583..696d0263c39 100644 --- a/pkg/common/salt-minion.service +++ b/pkg/common/salt-minion.service @@ -9,6 +9,7 @@ Type=notify NotifyAccess=all LimitNOFILE=8192 ExecStart=/usr/bin/salt-minion +SELinuxContext=system_u:system_r:unconfined_t:s0 [Install] WantedBy=multi-user.target diff --git a/pkg/old/deb/salt-minion.service b/pkg/old/deb/salt-minion.service index 7e6cf146549..b0ad82c1334 100644 --- a/pkg/old/deb/salt-minion.service +++ b/pkg/old/deb/salt-minion.service 
@@ -8,6 +8,7 @@ KillMode=process NotifyAccess=all LimitNOFILE=8192 ExecStart=/usr/bin/salt-minion +SELinuxContext=system_u:system_r:unconfined_t:s0 [Install] WantedBy=multi-user.target diff --git a/pkg/old/suse/salt-minion.service b/pkg/old/suse/salt-minion.service index 12f28314cb1..b99ef063522 100644 --- a/pkg/old/suse/salt-minion.service +++ b/pkg/old/suse/salt-minion.service @@ -10,6 +10,7 @@ ExecStart=/usr/bin/salt-minion KillMode=process Restart=on-failure RestartSec=15 +SELinuxContext=system_u:system_r:unconfined_t:s0 [Install] WantedBy=multi-user.target diff --git a/pkg/old/suse/salt-minion.service.rhel7 b/pkg/old/suse/salt-minion.service.rhel7 index 69172677140..92cc66d32f4 100644 --- a/pkg/old/suse/salt-minion.service.rhel7 +++ b/pkg/old/suse/salt-minion.service.rhel7 @@ -9,6 +9,7 @@ ExecStart=/usr/bin/salt-minion KillMode=process Restart=on-failure RestartSec=15 +SELinuxContext=system_u:system_r:unconfined_t:s0 [Install] WantedBy=multi-user.target -- 2.46.0
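Review bot: the comment above Patch137 in the salt.spec hunk points only at upstream saltstack/salt PR 66780, while the patch itself is titled with the openSUSE/salt PR number (#670) and carries the bsc#1219041 reference; the neighbouring Patch136 entry shows the openSUSE PR URL convention, so adding the openSUSE PR link or the bug id to the `# PATCH-FIX_UPSTREAM:` comment would make the two easier to cross-reference when the patch is next refreshed.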
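Review bot: the added `SELinuxContext=system_u:system_r:unconfined_t:s0` line in the pkg/common/salt-minion.service hunk has no leading `-`, so on an SELinux-enabled host where systemd cannot apply that context (the loaded policy still has to authorize the transition into unconfined_t, and the type is absent where the unconfined policy module has been disabled) the unit fails to start instead of falling back to the automatic domain transition. If a hard start failure is not the intended behaviour there, use `SELinuxContext=-system_u:system_r:unconfined_t:s0`, which makes systemd log and ignore a failed context switch; otherwise the commit message should say that failing closed is deliberate.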
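Review bot: the same unconditional context line lands in all four units (pkg/old/deb, pkg/old/suse and the .rhel7 variant as well as pkg/common), so every process the minion spawns, including the `cmd.run ... runas=` shells the commit message describes, now runs in the interactive unconfined_t domain rather than unconfined_service_t; this is a workaround for the missing Salt policy rather than a confinement, and a one-line comment above the directive pointing at bsc#1219041 would keep the line from being dropped as cruft when these units are next synchronised.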