Bug 1918915 - nagios plugins are incorrectly labelled with nagios_unconfined_plugin_exec_t because the wrong context definition gets precedence
Summary: nagios plugins are incorrectly labelled with nagios_unconfined_plugin_exec_t ...
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.9
Hardware: x86_64
OS: Linux
Target Milestone: rc
Assignee: Zdenek Pytela
QA Contact: BaseOS QE Security Team
Depends On:
Reported: 2021-01-21 17:07 UTC by Tobias Deiminger
Modified: 2022-01-05 13:40 UTC (History)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Last Closed: 2021-03-02 15:37:06 UTC
Target Upstream Version:


Description Tobias Deiminger 2021-01-21 17:07:56 UTC
Description of problem:

After installing nagios plugins via nagios-plugins (EPEL), they are labelled with nagios_unconfined_plugin_exec_t, while SELinux reference policy defines more tailored types like nagios_system_plugin_exec_t which should be used instead.

When looking at SOURCES/policy-rhel-7.9-contrib.patch, it seems the intention is correct:
+/usr/lib(64)?/nagios/plugins/check_ping          --      gen_context(system_u:object_r:nagios_services_plugin_exec_t,s0)
+/usr/lib(64)?/nagios/plugins/check_procs --      gen_context(system_u:object_r:nagios_system_plugin_exec_t,s0)

but eventually the patch doesn't do what it's intended to do. It's because there's a path substitution "/usr/lib64 /usr/lib" by file_contexts.subs_dist, and yet another context definition:
+/usr/lib/nagios/plugins/.*       --      gen_context(system_u:object_r:nagios_unconfined_plugin_exec_t,s0)

The pattern "/usr/lib/nagios/plugins/.*" gets precedence over "/usr/lib(64)?/nagios/plugins/check_ping" due to the rule "If the number of characters before the first regular expression in line A is less than the number of characters before the first regular expression in line B, then line B is more specific". 

"/usr/lib/nagios/plugins/.*" wins, and all plugins get the nagios_unconfined_plugin_exec_t type.

How reproducible:

Steps to Reproduce:
1. yum install nagios-plugins-ping nagios-plugins-procs
2. ls -Z /usr/lib64/nagios/plugins/

Actual results:
-rwxr-xr-x. root root   system_u:object_r:nagios_unconfined_plugin_exec_t:s0 check_ping
-rwxr-xr-x. root root   system_u:object_r:nagios_unconfined_plugin_exec_t:s0 check_procs

Expected results:
-rwxr-xr-x. root root   system_u:object_r:nagios_services_plugin_exec_t:s0 check_ping
-rwxr-xr-x. root root   system_u:object_r:nagios_system_plugin_exec_t:s0 check_procs

Additional info:
I have only a CentOS installation at hand, but afaik it's RH where the patches are actually developed.
In CentOS / RHEL 8 the bug is probably gone, because I see no more of these nagios patches on the reference policy.
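
As an added illustration (not code from the report or from selinux-policy), the following Python model applies the precedence rule quoted above, simplified from the documented file_contexts ordering (stem length, then total spec length, then presence of a file-type specifier), together with the subs_dist substitution, to the three specs from the report. The extra literal-path spec is a constructed comparison to show what the rule would prefer, not a proposed fix.

```python
import re

# Characters that start a regular expression in a file_contexts spec; the
# literal text before the first one is the "stem" the precedence rule counts.
_META = set(".^$?*+|[({\\")

# Specs quoted in the report: (regex, file-type specifier, SELinux type).
FILE_CONTEXTS = [
    ("/usr/lib(64)?/nagios/plugins/check_ping", "--", "nagios_services_plugin_exec_t"),
    ("/usr/lib(64)?/nagios/plugins/check_procs", "--", "nagios_system_plugin_exec_t"),
    ("/usr/lib/nagios/plugins/.*", "--", "nagios_unconfined_plugin_exec_t"),
]
# The substitution from file_contexts.subs_dist mentioned in the report.
SUBS_DIST = [("/usr/lib64", "/usr/lib")]

# Constructed spec with a literal path (illustration only, not an upstream fix):
# after substitution its stem is longer than the wildcard spec's stem.
LITERAL_CONTEXTS = FILE_CONTEXTS + [
    ("/usr/lib/nagios/plugins/check_ping", "--", "nagios_services_plugin_exec_t"),
]

def stem_len(spec):
    """Number of literal characters before the first regex metacharacter."""
    return next((i for i, ch in enumerate(spec) if ch in _META), len(spec))

def specificity(entry):
    """Ordering key: longer stem, then longer spec, then having a file type wins."""
    spec, ftype, _ = entry
    return (stem_len(spec), len(spec), ftype is not None)

def apply_subs(path, subs):
    """Rewrite the path the way subs_dist does, longest source prefix first."""
    for src, dst in sorted(subs, key=lambda s: len(s[0]), reverse=True):
        if path == src or path.startswith(src + "/"):
            return dst + path[len(src):]
    return path

def lookup(path, entries, subs):
    """Return the type of the most specific spec matching a regular file at path."""
    path = apply_subs(path, subs)
    # Specs are anchored: the whole substituted path must match the regex.
    # "--" (regular file) is the only file-type specifier used in this model.
    hits = [e for e in entries if e[1] in (None, "--") and re.fullmatch(e[0], path)]
    return max(hits, key=specificity)[2] if hits else None

if __name__ == "__main__":
    for name in ("check_ping", "check_procs"):
        print(name, "->", lookup(f"/usr/lib64/nagios/plugins/{name}", FILE_CONTEXTS, SUBS_DIST))
    print("literal spec ->", lookup("/usr/lib64/nagios/plugins/check_ping", LITERAL_CONTEXTS, SUBS_DIST))
```

Running it reproduces the report: both plugins resolve to nagios_unconfined_plugin_exec_t because the wildcard spec's stem (24 characters) beats the 8-character stem in front of "(64)?".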

Comment 3 Zdenek Pytela 2021-03-02 15:37:06 UTC
Red Hat Enterprise Linux 7.9 was the last minor release scheduled for RHEL 7 and the product entered Maintenance Support 2 Phase, in which Red Hat-defined Critical and Important impact Security Advisories and selected Urgent Priority Bug Fix Advisories may be released as they become available.

This bugzilla does not seem to meet the inclusion criteria for Maintenance Phase 2, therefore it is being closed now, but if you believe that it qualifies for the Maintenance Support 2 Phase, please re-open; otherwise, we recommend moving the request to Red Hat Enterprise Linux 8 if applicable.

Please refer to the Red Hat Enterprise Linux Life Cycle document for more details:
