RedHat-family 6.x may fail file.managed.check_cmd if SELinux is enabled (includes fix) #51358

Closed
johnnybubonic opened this issue Jan 27, 2019 · 2 comments

johnnybubonic commented Jan 27, 2019

Description of Issue/Question

When attempting a file.managed.check_cmd on RedHat family on (presumably) all 6.x versions, if SELinux is enabled then the check will always fail with a "Permission denied".

I have the full details (and a fix with a compiled SELinux policy package, ready to go!) in saltstack-formulas/openssh-formula#147. I have also included an example state that will apply said module, though as the docs suggest it pulls in policycoreutils and policycoreutils-python as dependencies.

Setup

Tested on a CentOS 6.10 VM minion and a CentOS 7.6 VM master.

Steps to Reproduce Issue

See saltstack-formulas/openssh-formula#147 for more details.

Versions Report

master:

Salt Version:
           Salt: 2018.3.3
 
Dependency Versions:
           cffi: 1.11.5
       cherrypy: unknown
       dateutil: Not Installed
      docker-py: Not Installed
          gitdb: Not Installed
      gitpython: Not Installed
          ioflo: Not Installed
         Jinja2: 2.8
        libgit2: 0.26.8
        libnacl: Not Installed
       M2Crypto: Not Installed
           Mako: Not Installed
   msgpack-pure: Not Installed
 msgpack-python: 0.5.6
   mysql-python: Not Installed
      pycparser: 2.17
       pycrypto: 2.6.1
   pycryptodome: Not Installed
         pygit2: 0.26.4
         Python: 3.4.9 (default, Aug 14 2018, 21:28:57)
   python-gnupg: Not Installed
         PyYAML: 3.11
          PyZMQ: 15.3.0
           RAET: Not Installed
          smmap: Not Installed
        timelib: Not Installed
        Tornado: 4.4.2
            ZMQ: 4.1.4
 
System Versions:
           dist: centos 7.6.1810 Core
         locale: UTF-8
        machine: x86_64
        release: 3.10.0-957.1.3.el7.x86_64
         system: Linux
        version: CentOS Linux 7.6.1810 Core

minion:

Salt Version:
           Salt: 2018.3.3
 
Dependency Versions:
           cffi: Not Installed
       cherrypy: Not Installed
       dateutil: Not Installed
      docker-py: Not Installed
          gitdb: Not Installed
      gitpython: Not Installed
          ioflo: Not Installed
         Jinja2: 2.8.1
        libgit2: Not Installed
        libnacl: Not Installed
       M2Crypto: Not Installed
           Mako: Not Installed
   msgpack-pure: Not Installed
 msgpack-python: 0.4.6
   mysql-python: Not Installed
      pycparser: Not Installed
       pycrypto: 2.6.1
   pycryptodome: Not Installed
         pygit2: Not Installed
         Python: 2.7.13 (default, Mar 30 2018, 15:31:59)
   python-gnupg: Not Installed
         PyYAML: 3.11
          PyZMQ: 14.5.0
           RAET: Not Installed
          smmap: Not Installed
        timelib: Not Installed
        Tornado: 4.2.1
            ZMQ: 4.0.5
 
System Versions:
           dist: centos 6.10 Final
         locale: UTF-8
        machine: x86_64
        release: 2.6.32-754.10.1.el6.x86_64
         system: Linux
        version: CentOS 6.10 Final
@johnnybubonic johnnybubonic changed the title RedHat-family 6.x will fail file.managed.check_cmd if SELinux is enabled RedHat-family 6.x will fail file.managed.check_cmd if SELinux is enabled (includes fix) Jan 27, 2019
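A Salt state illustrating the check described in this issue, added here as an example; it is not the state from the issue or from the linked openssh-formula PR. The file name, the `salt://` source path and the chosen options are assumptions. The page's own fix is the compiled SELinux policy package in saltstack-formulas/openssh-formula#147; the `tmp_dir` option shown below is a separate mitigation that only helps if the denial is against the label of the temporary file `check_cmd` is handed (the page does not say which label was denied).

```yaml
# Added example state (not the issue author's or the formula's own code).
# Assumes sshd is installed at /usr/sbin/sshd and its config is /etc/ssh/sshd_config.
/etc/ssh/sshd_config:
  file.managed:
    - source: salt://ssh/files/sshd_config   # hypothetical source path
    - user: root
    - group: root
    - mode: '0600'
    # Salt writes the new content to a temporary copy and runs check_cmd with that
    # copy's path appended. The real file is replaced only if the command exits 0,
    # so a broken config never reaches a running sshd.
    - check_cmd: /usr/sbin/sshd -t -f
    # By default the temporary copy is created under /tmp. Creating it next to the
    # real config instead gives it the default SELinux label of /etc/ssh, which the
    # sshd domain is already allowed to read (assumption: the Permission denied on
    # CentOS 6 comes from the temporary file's /tmp label).
    - tmp_dir: /etc/ssh
```

To confirm what SELinux actually denied before choosing a fix, run the state with `test=False` on the affected minion and read the AVC records from the audit log (for example with `ausearch -m avc -ts recent`); the record names the source domain, the target file label and the denied permission, which tells you whether relocating the temporary file is enough or whether a policy module is needed.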
@johnnybubonic (Author)

worth noting that this does not happen on CentOS 7.6 at the very least, presumably due to a revised default policy.

@johnnybubonic johnnybubonic changed the title RedHat-family 6.x will fail file.managed.check_cmd if SELinux is enabled (includes fix) RedHat-family 6.x may fail file.managed.check_cmd if SELinux is enabled (includes fix) Jan 27, 2019
@johnnybubonic (Author)

This actually has more to do with the openssh-formula than anything, now that I think about it, since it was a policy applied to sshd. Closing.
