Bug 953754

Summary: Label not yet confined nagios plugins as nagios_unconfined_plugin_exec_t instead of bin_t
Product: Red Hat Enterprise Linux 6
Reporter: Johan Hedin <johan.o.hedin>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA
QA Contact: Michal Trunecka <mtruneck>
Severity: unspecified
Priority: unspecified
Version: 6.4
CC: dwalsh, ebenes, mmalik, mtruneck
Target Milestone: rc
Hardware: Unspecified
OS: Linux
Fixed In Version: selinux-policy-3.7.19-210.el6
Doc Type: Bug Fix
Clone Of: 953261
Last Closed: 2013-11-21 10:23:23 UTC
Type: Bug

Description Johan Hedin 2013-04-19 06:18:42 UTC
+++ This bug was initially created as a clone of Bug #953261 +++

Description of problem:

For nagios, there exists a nagios_unconfined_plugin_exec_t file context that can be used for plugins that do not yet have a dedicated context.

But the current policy assigns bin_t to all files in /usr/lib(64)?/nagios/plugins that do not have a specific context. By comparison, munin plugins in /usr/share/munin/plugins that do not have a specific SELinux file context get unconfined_munin_plugin_exec_t automatically.

Doing the same for nagios plugins would make life easier for those who build a lot of their own plugins.

Three files in /usr/lib(64)?/nagios/plugins from the nagios-plugins package get the context bin_t from the current policy so something like replacing:

/usr/lib/nagios/plugins(/.*)?     system_u:object_r:bin_t:s0

with:

/usr/lib/nagios/plugins/.*       system_u:object_r:nagios_unconfined_plugin_exec_t:s0
/usr/lib/nagios/plugins/negate   system_u:object_r:bin_t:s0
/usr/lib/nagios/plugins/urlize   system_u:object_r:bin_t:s0
/usr/lib/nagios/plugins/utils.sh system_u:object_r:bin_t:s0

should do the trick.


Version-Release number of selected component (if applicable):

selinux-policy-targeted 3.11.1-90

--- Additional comment from Miroslav Grepl on 2013-04-18 03:34:22 EDT ---

Yes, good point.

--- Additional comment from Miroslav Grepl on 2013-04-18 07:28:59 EDT ---

commit 74a92a2b0d9919c7f04c9fcca68d7f7dc916c531
Author: Miroslav Grepl <mgrepl>
Date:   Thu Apr 18 13:19:19 2013 +0200

    Label all nagios plugin as unconfined by default

--- Additional comment from Fedora Update System on 2013-04-18 08:52:25 EDT ---

selinux-policy-3.11.1-91.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-91.fc18

--- Additional comment from Fedora Update System on 2013-04-19 00:49:50 EDT ---

Package selinux-policy-3.11.1-91.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-91.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-6018/selinux-policy-3.11.1-91.fc18
then log in and leave karma (feedback).

--- Additional comment from Johan Hedin on 2013-04-19 02:16:30 EDT ---

Wow, that was quick!

selinux-policy-3.11.1-91 fixes this.

Comment 3 errata-xmlrpc 2013-11-21 10:23:23 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1598.html
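
A way to check a host against the labelling proposed in the description, as an added example that is not part of the bug report or the policy: it reads `stat -c '%C %n'` output and lists plugins still labelled bin_t, other than the three files the report expects to keep that type. The function names, the check_local_* plugin names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Audit SELinux labels of nagios plugins (added example, not policy code).
# Input on stdin: one "<context> <path>" pair per line, as printed by
#   stat -c '%C %n' /usr/lib64/nagios/plugins/*
# Output: paths still labelled bin_t, excluding the three helper files the
# report says should stay bin_t (negate, urlize, utils.sh).
audit_plugin_labels() {
    while read -r context path; do
        [ -n "$path" ] || continue
        # A context is user:role:type:level; the type is the third field.
        setype=$(printf '%s\n' "$context" | cut -d: -f3)
        [ "$setype" = "bin_t" ] || continue
        case "${path##*/}" in
            negate|urlize|utils.sh) ;;      # expected to keep bin_t
            *) printf '%s\n' "$path" ;;     # locally built plugin, old label
        esac
    done
}

# Constructed sample input standing in for real stat output.
sample_labels() {
    cat <<'EOF'
system_u:object_r:bin_t:s0 /usr/lib64/nagios/plugins/negate
system_u:object_r:bin_t:s0 /usr/lib64/nagios/plugins/utils.sh
system_u:object_r:nagios_unconfined_plugin_exec_t:s0 /usr/lib64/nagios/plugins/check_local_raid
system_u:object_r:bin_t:s0 /usr/lib64/nagios/plugins/check_local_queue
unconfined_u:object_r:bin_t:s0 /usr/lib64/nagios/plugins/contrib/check_backup_age
EOF
}

# Stand-alone run over the sample; on a real host, pipe stat output instead.
# A listed path can be relabelled with "restorecon -v <path>" once the
# updated policy is installed.
sample_labels | audit_plugin_labels
```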