Permission Denied errors while bootstrapping or running highstate on SUSE Linux Enterprise Micro 5.5 minions
This document (000021835) is provided subject to the disclaimer at the end of this document.
Environment
SUSE Linux Enterprise Micro 5.5
SUSE Multi-Linux Manager 5.0
SUSE Multi-Linux Manager 4.3
Situation
The SUSE Linux Enterprise Micro 5.5 server is being onboarded to the SUSE Multi-Linux Manager server, or it is already a client of that server and is running the Salt highstate. Although the bootstrap or highstate completes, the following Permission Denied error appears in the client's Salt log, /var/log/venv-salt-minion.log:
[salt.loaded.int.module.cmdmod:576 ][ERROR ][1234] Environment could not be retrieved for user 'root': stderr='su: failed to execute /bin/sh: Permission denied\n' stdout=''
The audit log, /var/log/audit/audit.log, shows that su was denied a process transition from unconfined_service_t to unconfined_t:
type=AVC msg=audit(1716381888.088:128): avc: denied { transition } for pid=1244 comm="su" path="/usr/bin/bash" dev="vda2" ino=5088 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=0
Resolution
This is a cosmetic issue that does not require a resolution: the denial only stops Salt from capturing the login environment of the user (see Cause), and the bootstrap or highstate still completes. If the log noise is unwanted, the error will not happen if the venv-salt-minion service is run in the unconfined_t SELinux context instead of unconfined_service_t. Note that either option below widens what the minion process, and every command it executes, is allowed to do under SELinux, so apply one deliberately rather than by default. The first option is a systemd drop-in: create the directory /etc/systemd/system/venv-salt-minion.service.d if it does not exist yet, and in it the file selinuxcontext.conf with the following contents:
[Service]
SELinuxContext=system_u:system_r:unconfined_t:s0
Or, a policy module can instead be created that allows just this one transition, which is the narrower of the two changes. For example, the module can be generated by running audit2allow -M venv-salt-minion-unconfined with the audit record as standard input, like this:
audit2allow -M venv-salt-minion-unconfined <<EOL
type=AVC msg=audit(1716381888.088:128): avc: denied { transition } for pid=1244 comm="su" path="/usr/bin/bash" dev="vda2" ino=5088 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=0
EOL
This creates venv-salt-minion-unconfined.te (the readable policy source) and venv-salt-minion-unconfined.pp (the compiled package) in the current directory. Review the .te file before installing it: for the record above it should contain a single allow rule granting unconfined_service_t a process transition to unconfined_t, and nothing else. Then install the package like this:
semodule -i venv-salt-minion-unconfined.pp
Once one of these solutions is applied, run these two commands to finish applying the changes:
systemctl daemon-reload
systemctl restart venv-salt-minion
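The whole procedure as one script, added here as a worked example and not part of the SUSE document or of Salt: it checks that an audit record is exactly the denial shown above (comm su, class process, permission transition, unconfined_service_t to unconfined_t), counts such records in /var/log/audit/audit.log, and on request applies either fix, printing the generated .te source for review before the module is loaded. It assumes the record layout shown above, the default audit log path, and that audit2allow and semodule are installed on the minion; the function names and the --apply-module and --apply-dropin switches are this example's own.

```shell
#!/bin/sh
# Added example for TID 000021835 (not SUSE's or Salt's code): confirm that an
# audit record is the unconfined_service_t -> unconfined_t transition denial
# that venv-salt-minion triggers through su, count such records in the audit
# log, and optionally apply one of the article's two fixes. The module fix
# prints the generated .te source for review before semodule loads it.
# Assumptions: the record layout shown in the article, the audit log at
# /var/log/audit/audit.log, and audit2allow/semodule present on the minion.

# Constructed copy of the article's AVC record (real records carry double
# spaces after "avc:" and "denied"; the matching below accepts either form).
SAMPLE_AVC='type=AVC msg=audit(1716381888.088:128): avc:  denied  { transition } for  pid=1244 comm="su" path="/usr/bin/bash" dev="vda2" ino=5088 scontext=system_u:system_r:unconfined_service_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process permissive=0'

# avc_field RECORD KEY: value of KEY=value in RECORD, quotes stripped.
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | tr -d '"' | head -n 1
}

# avc_type RECORD KEY: the type component (user:role:TYPE:level) of a context.
avc_type() {
    avc_field "$1" "$2" | cut -d: -f3
}

# is_salt_su_denial RECORD: succeed only for the exact denial in the article:
# su denied a process transition from unconfined_service_t into unconfined_t.
# Any other AVC (different permission, command, class or types) fails.
is_salt_su_denial() {
    case "$1" in
        *"avc:"*"denied"*"{ transition }"*) ;;
        *) return 1 ;;
    esac
    [ "$(avc_field "$1" comm)" = "su" ] || return 1
    [ "$(avc_field "$1" tclass)" = "process" ] || return 1
    [ "$(avc_type "$1" scontext)" = "unconfined_service_t" ] || return 1
    [ "$(avc_type "$1" tcontext)" = "unconfined_t" ] || return 1
}

# matching_records FILE: print only the records that pass is_salt_su_denial.
matching_records() {
    while IFS= read -r rec; do
        is_salt_su_denial "$rec" && printf '%s\n' "$rec"
    done < "$1"
}

# count_salt_su_denials FILE: number of matching records in FILE.
count_salt_su_denials() {
    n=0
    while IFS= read -r rec; do
        is_salt_su_denial "$rec" && n=$((n + 1))
    done < "$1"
    printf '%s\n' "$n"
}

# The article's module fix, narrowed: feed only the matching records to
# audit2allow (the whole log would yield a rule for every denial in it),
# show the generated rule, then install the package and restart the minion.
apply_module_fix() {
    [ "$(count_salt_su_denials "$1")" -gt 0 ] || { echo "no matching denial in $1" >&2; return 1; }
    matching_records "$1" | audit2allow -M venv-salt-minion-unconfined || return 1
    echo "--- venv-salt-minion-unconfined.te: expect a single allow rule,"
    echo "--- unconfined_service_t -> unconfined_t process transition, nothing else"
    cat venv-salt-minion-unconfined.te
    semodule -i venv-salt-minion-unconfined.pp || return 1
    systemctl daemon-reload && systemctl restart venv-salt-minion
}

# The article's drop-in fix: run the whole service as unconfined_t (wider change).
apply_dropin_fix() {
    d=/etc/systemd/system/venv-salt-minion.service.d
    mkdir -p "$d" || return 1
    printf '[Service]\nSELinuxContext=system_u:system_r:unconfined_t:s0\n' > "$d/selinuxcontext.conf"
    systemctl daemon-reload && systemctl restart venv-salt-minion
}

# Default: report only. --apply-module / --apply-dropin remediate (root on the minion).
AUDIT_LOG=${AUDIT_LOG:-/var/log/audit/audit.log}
case "${1:-}" in
    --apply-module) apply_module_fix "$AUDIT_LOG" ;;
    --apply-dropin) apply_dropin_fix ;;
    *) if [ -r "$AUDIT_LOG" ]; then
           echo "matching denials in $AUDIT_LOG: $(count_salt_su_denials "$AUDIT_LOG")"
       fi ;;
esac
```

Without arguments the script only reports; run it as root on the minion with --apply-module (the narrower change) or --apply-dropin to remediate. The filter in front of audit2allow is the point of the exercise: the tool allows whatever it is fed, so passing it the unfiltered audit log, or a record for a different command, produces a module that grants more than this one transition.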
Cause
The issue is caused by Salt's cmd module invoking su to collect the target user's login environment when it runs a command as that user (here root). The venv-salt-minion service runs in the unconfined_service_t domain under the SELinux policy that ships with SUSE Linux Enterprise Micro, and that policy does not allow a process in unconfined_service_t to transition into unconfined_t, the domain su tries to enter when it executes the shell. su therefore fails with Permission denied before the shell starts, which is the AVC record shown above. Salt logs the error, proceeds without those environment variables, and the bootstrap or highstate still completes normally.
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID: 000021835
- Creation Date: 13-May-2025
- Modified Date: 27-May-2025
- SUSE Linux Enterprise Micro
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com