Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1260306

Summary: Improper SELinux contexts for nagios cgi executables
Product: Red Hat Enterprise Linux 7 Reporter: Sachi <xcorat>
Component: selinux-policyAssignee: Lukas Vrabec <lvrabec>
Status: CLOSED ERRATA QA Contact: Jan Zarsky <jzarsky>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.3CC: lvrabec, mgrepl, mmalik, plautrba, pvrabec, ssekidde, xcorat
Target Milestone: rcKeywords: SELinux
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: selinux-policy-3.13.1-66.el7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-11-04 02:21:54 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
sealert log none

Description Sachi 2015-09-05 20:22:27 UTC 
Description of problem: Selinux denies httpd exec action on cgi scripts due to wrong contexts


Version-Release number of selected component (if applicable): selinux-policy.noarch 3.13.1-23.el7_1.13


How reproducible: Always


Steps to Reproduce:
1. Install Nagios and plugins according to https://assets.nagios.com/downloads/nagioscore/docs/nagioscore/4/en/quickstart-fedora.html, and **don't disable selinux or put it to permissive mode**
2. try to login to http:/localhost/nagios (or equivalent)
3. Check selinux audit log for denied messages (might need to disable dontaudit `#semodule --disable_dontaudit --build`

Actual results: httpd denied exec action, leading to an error in the web (http://localhost/nagios)

error message: type=AVC msg=audit(1441480084.865:710): avc:  denied  { execute } for  pid=5444 comm="httpd" name="statusjson.cgi" dev="dm-1" ino=135240040 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file

Check the attached sealert log for details

----------------

Expected results: No denied message and nagios web works similar to when selinux is off


Additional info:
Changing the security contexts of the cgi scripts from 
httpd_sys_content_t to httpd_sys_script_exec_t seem to work
Ex:
chcon -R -t httpd_sys_script_exec_t /usr/local/nagios/sbin
Comment 1 Sachi 2015-09-05 20:23:00 UTC 
Created attachment 1070529 [details]
sealert log
Comment 3 Lukas Vrabec 2015-09-06 18:29:20 UTC 
*** Bug 1260303 has been marked as a duplicate of this bug. ***
Comment 4 Milos Malik 2015-09-07 08:33:26 UTC 
# sesearch -s httpd_t -t httpd_sys_content_t -c file -p execute -A -C
Found 1 semantic av rules:
DT allow httpd_t httpdcontent : file { ioctl read write create getattr setattr lock append unlink link rename execute open } ; [ httpd_enable_cgi httpd_unified && httpd_builtin_scripting && ]
#

Which of following booleans are enabled on your machine?
 * httpd_enable_cgi
 * httpd_unified
 * httpd_builtin_scripting
Comment 5 Sachi 2015-09-07 19:11:32 UTC 
$ getsebool httpd_enable_cgi
httpd_enable_cgi --> on
$ getsebool httpd_unified
httpd_unified --> off
$ getsebool httpd_builtin_scripting
httpd_builtin_scripting --> on

it says sesearch - command not found!
Comment 6 Sachi 2015-09-07 19:15:51 UTC 
nvm, didn't know I had to install setools-console.

# sesearch -s httpd_t -t httpd_sys_content_t -c file -p execute -A -C
Found 1 semantic av rules:
DT allow httpd_t httpdcontent : file { ioctl read write create getattr setattr lock append unlink link rename execute open } ; [ httpd_enable_cgi httpd_unified && httpd_builtin_scripting && ]
Comment 7 Sachi 2015-09-07 19:26:00 UTC 
Alright, setting the boolean

httpd_unified --> on

works. So that is the solution? (Sorry when I posted this on stackof I was said to file a bug report!)
Comment 8 Milos Malik 2015-09-08 06:45:52 UTC 
Yes, the enabling of httpd_unified boolean is the solution, but I must admit that the boolean documentation needs some improvements. I don't understand the purpose of the boolean either :-)

# man httpd_selinux | col -b | grep -C 2 unified

       If you want to unify HTTPD handling of all content files, you must turn
       on the httpd_unified boolean. Disabled by default.

       setsebool -P httpd_unified 1
#
Comment 9 Miroslav Grepl 2015-09-08 18:24:17 UTC 
Where is statusjson.cgi located? You could also change a labeling for it.

httpd_unified boolean is powerfull.
Comment 10 Sachi 2015-09-08 19:49:10 UTC 
Yes, I had changed the context on those files to "httpd_sys_script_exec_t", and it worked. What should be the best solution?
Comment 11 Miroslav Grepl 2015-09-10 15:15:18 UTC 
(In reply to Sachi from comment #10)
> Yes, I had changed the context on those files to "httpd_sys_script_exec_t",
> and it worked. What should be the best solution?

Yes, this is a better solution. We could also think about a new policy but if it works correct, it is fine to have httpd_sys_script_exec_t labeling.
Comment 12 Sachi 2015-09-11 00:14:09 UTC 
Ok, that's kool. Thx.
Comment 14 Mike McCune 2016-03-28 22:59:28 UTC 
This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune with any questions
Comment 18 errata-xmlrpc 2016-11-04 02:21:54 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2283.html