
Permission Denied errors while bootstrapping or running highstate on SUSE Linux Enterprise Micro 5.5 minions

This document (000021835) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Micro 5.5

SUSE Multi-Linux Manager 5.0

SUSE Multi-Linux Manager 4.3


Situation

A SUSE Linux Enterprise Micro 5.5 server is being onboarded to the SUSE Multi-Linux Manager server, or it is already a client of the SUSE Multi-Linux Manager server and is running the Salt highstate. Although everything otherwise appears to work, the following Permission Denied error appears in the client's Salt log, /var/log/venv-salt-minion.log:

[salt.loaded.int.module.cmdmod:576 ][ERROR   ][1234] Environment could not be retrieved for user 'root': stderr='su: failed to execute /bin/sh: Permission denied\n' stdout=''

The audit log, /var/log/audit/audit.log, shows that the process transition from unconfined_service_t to unconfined_t is denied when su is run:

type=AVC msg=audit(1716381888.088:128): avc:  denied  { transition } for  pid=1244 comm="su" path="/usr/bin/bash" dev="vda2" ino=5088 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=0

Resolution

This is a cosmetic issue and no fix is required. The error can be avoided, however, by running the venv-salt-minion service in the unconfined_t SELinux context instead of unconfined_service_t. For example, this can be done by creating the file /etc/systemd/system/venv-salt-minion.service.d/selinuxcontext.conf with the following contents:

[Service]
SELinuxContext=system_u:system_r:unconfined_t:s0

Alternatively, a local SELinux policy module can be created that allows this specific transition, so the denial no longer occurs. For example, the module can be generated by running audit2allow -M venv-salt-minion-unconfined with the audit record above as standard input, like this:

audit2allow -M venv-salt-minion-unconfined <<EOL
type=AVC msg=audit(1716381888.088:128): avc:  denied  { transition } for  pid=1244 comm="su" path="/usr/bin/bash" dev="vda2" ino=5088 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=0
EOL

This creates venv-salt-minion-unconfined.te (the readable policy source, which is worth reviewing to confirm it only allows the transition shown in the audit record) together with the compiled venv-salt-minion-unconfined.pp module, which can be installed like this:

semodule -i venv-salt-minion-unconfined.pp

Once either solution has been applied, run these two commands to finish applying the changes:

systemctl daemon-reload
systemctl restart venv-salt-minion
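To check a minion's audit log for exactly this denial and to confirm the context the venv-salt-minion service runs in after the restart, the following shell example can be used. It is added here and is not part of this TID or of Salt; the audit log sample is constructed from the record above, and the function names are assumptions.

```shell
#!/bin/sh
# Constructed sample of /var/log/audit/audit.log records (not a real capture):
# the transition denial from this TID, an unrelated AVC, and a SYSCALL record.
SAMPLE_AUDIT_LOG='type=AVC msg=audit(1716381888.088:128): avc:  denied  { transition } for  pid=1244 comm="su" path="/usr/bin/bash" dev="vda2" ino=5088 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=0
type=AVC msg=audit(1716381890.101:130): avc:  denied  { read } for  pid=1300 comm="cat" name="shadow" dev="vda2" ino=4321 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1716381888.088:128): arch=c000003e syscall=59 success=no exit=-13 comm="su" exe="/usr/bin/su" subj=system_u:system_r:unconfined_service_t:s0'

# Print every AVC record that matches the su transition denial described in
# this TID: an enforced (permissive=0) "transition" denial for comm="su" from
# unconfined_service_t to unconfined_t on a process object. Unrelated denials
# and records logged in permissive mode are not reported.
# $1: path to an audit log, or "-" to read standard input.
find_salt_su_transition_denials() {
    awk '
        /^type=AVC / && /avc: +denied +[{] transition [}]/ &&
        /comm="su"/ &&
        /scontext=[^ ]*:unconfined_service_t:/ &&
        /tcontext=[^ ]*:unconfined_t:/ &&
        /tclass=process/ && /permissive=0/
    ' "$1"
}

# Number of matching denials; 0 after a highstate run means the fix is in effect.
count_salt_su_transition_denials() {
    find_salt_su_transition_denials "$1" | wc -l | tr -d ' '
}

# SELinux context of the running venv-salt-minion main process, read from
# /proc, so the SELinuxContext= drop-in can be verified after the restart
# (expected: system_u:system_r:unconfined_t:s0 once the drop-in is active).
venv_salt_minion_context() {
    pid=$(systemctl show -p MainPID --value venv-salt-minion 2>/dev/null)
    if [ -z "$pid" ] || [ "$pid" = 0 ]; then
        echo "venv-salt-minion is not running" >&2
        return 1
    fi
    tr -d '\0' < "/proc/$pid/attr/current"
}

# Stand-alone run over the constructed sample: prints 1.
printf '%s\n' "$SAMPLE_AUDIT_LOG" | count_salt_su_transition_denials -
```

On a real minion, run the functions against /var/log/audit/audit.log after a highstate, and compare the service context before and after the drop-in is applied.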

Cause

Salt runs su to gather the environment variables of a user (root in the log above) on the minion. Under the SELinux policy shipped with SUSE Linux Enterprise Micro, the venv-salt-minion service runs as unconfined_service_t and is not allowed to transition to unconfined_t when it executes su, so su fails to execute /bin/sh. Salt proceeds without any issue despite missing these environment variables.

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 000021835
  • Creation Date: 13-May-2025
  • Modified Date: 27-May-2025
  • SUSE Linux Enterprise Micro
