Bug 1918915

Summary: nagios plugins are incorrectly labelled with nagios_unconfined_plugin_exec_t because the wrong context definition gets precedence
Product: Red Hat Enterprise Linux 7
Reporter: Tobias Deiminger <haxtibal>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED WONTFIX
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium
Priority: low
Version: 7.9
CC: lvrabec, mmalik, plautrba, ssekidde, vmojzis
Target Milestone: rc
Keywords: Triaged
Target Release: ---
Hardware: x86_64
OS: Linux
Doc Type: No Doc Update
Story Points: ---
Last Closed: 2021-03-02 15:37:06 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Tobias Deiminger 2021-01-21 17:07:56 UTC
Description of problem:

After installing nagios plugins via nagios-plugins (EPEL), they are labelled with nagios_unconfined_plugin_exec_t, while the SELinux reference policy defines more tailored types like nagios_system_plugin_exec_t which should be used instead.

When looking at SOURCES/policy-rhel-7.9-contrib.patch, it seems the intention is correct:
+/usr/lib(64)?/nagios/plugins/check_ping          --      gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_procs --      gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)

but eventually the patch doesn't do what it's intended to do. It's because there's a path substitution "/usr/lib64 /usr/lib" by file_contexts.subs_dist, and yet another context definition:
+/usr/lib/nagios/plugins/.*       --      gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0)

The pattern "/usr/lib/nagios/plugins/.*" gets precedence over "/usr/lib(64)?/nagios/plugins/check_ping" due to the rule "If the number of characters before the first regular expression in line A is less than the number of characters before the first regular expression in line B, then line B is more specific". 

"/usr/lib/nagios/plugins/.*" wins, and all plugins get the nagios_unconfined_plugin_exec_t type.

How reproducible:

Steps to Reproduce:
1. yum install nagios-plugins-ping nagios-plugins-procs
2. ls -Z /usr/lib64/nagios/plugins/

Actual results:
-rwxr-xr-x. root root   system_u:object_r:nagios_unconfined_plugin_exec_t:s0 check_ping
-rwxr-xr-x. root root   system_u:object_r:nagios_unconfined_plugin_exec_t:s0 check_procs

Expected results:
-rwxr-xr-x. root root   system_u:object_r:nagios_services_plugin_exec_t:s0 check_ping
-rwxr-xr-x. root root   system_u:object_r:nagios_system_plugin_exec_t:s0 check_procs


Additional info:
I have only a CentOS installation at hand, but afaik it's RH where the patches are actually developed.
In CentOS / RHEL 8 the bug is probably gone, because I see no more of these nagios patches on the reference policy.
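
A model of the precedence rule quoted above, as an added example that is not part of the bug report or the selinux-policy package: it applies the /usr/lib64 to /usr/lib substitution from file_contexts.subs_dist, keeps the matching entry with the longest literal prefix before the first regex metacharacter, and shows that writing the two plugin paths without the (64)? group (relying on the substitution instead) lets the tailored types win, because an entry with no metacharacters outranks any regex. The entry lists are constructed from the lines quoted in the report; the fc_sort tie-break on total pattern length is omitted.

```python
import re

# file_contexts entries as quoted in the report (constructed list).
ENTRIES = [
    ("/usr/lib(64)?/nagios/plugins/check_ping", "nagios_services_plugin_exec_t"),
    ("/usr/lib(64)?/nagios/plugins/check_procs", "nagios_system_plugin_exec_t"),
    ("/usr/lib/nagios/plugins/.*", "nagios_unconfined_plugin_exec_t"),
]

# Hypothetical rewrite: literal paths, no (64)? group, the subs_dist line does the rest.
FIXED = [
    ("/usr/lib/nagios/plugins/check_ping", "nagios_services_plugin_exec_t"),
    ("/usr/lib/nagios/plugins/check_procs", "nagios_system_plugin_exec_t"),
    ("/usr/lib/nagios/plugins/.*", "nagios_unconfined_plugin_exec_t"),
]

# The file_contexts.subs_dist substitution mentioned in the report.
SUBS = [("/usr/lib64", "/usr/lib")]

METACHARS = set(".^$?*+|[](){}\\")


def prefix_len(regex):
    """Literal characters before the first regex metacharacter (whole length if none)."""
    for i, ch in enumerate(regex):
        if ch in METACHARS:
            return i
    return len(regex)


def specificity(entry):
    """Sort key: an entry without metacharacters beats any regex, then longer prefix wins."""
    regex = entry[0]
    has_meta = prefix_len(regex) < len(regex)
    return (0 if has_meta else 1, prefix_len(regex))


def substitute(path):
    """Apply subs_dist: rewrite a path whose leading component matches a source prefix."""
    for src, dst in SUBS:
        if path == src or path.startswith(src + "/"):
            return dst + path[len(src):]
    return path


def label_for(path, entries=ENTRIES):
    """Return the type of the most specific entry matching the (substituted) path, or None."""
    p = substitute(path)
    matches = [e for e in entries if re.fullmatch(e[0], p)]
    return max(matches, key=specificity)[1] if matches else None
```

label_for("/usr/lib64/nagios/plugins/check_ping") reproduces the report's result (nagios_unconfined_plugin_exec_t), while the same call with FIXED returns nagios_services_plugin_exec_t.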

Comment 3 Zdenek Pytela 2021-03-02 15:37:06 UTC
Red Hat Enterprise Linux 7.9 was the last minor release scheduled for RHEL 7 and the product entered Maintenance Support 2 Phase, when Red Hat defined Critical and Important impact Security Advisories and selected Urgent Priority Bug Fix Advisories may be released as they become available.

This bugzilla does not seem to meet the inclusion criteria for Maintenance Phase 2, therefore it is closing now, but if you believe that it qualifies for the Maintenance Support 2 Phase, please re-open; otherwise, we recommend moving the request to Red Hat Enterprise Linux 8 if applicable.

Please refer to the Red Hat Enterprise Linux Life Cycle document for more details:
https://access.redhat.com/support/policy/updates/errata#Maintenance_Support_2_Phase