953261 – Label not yet confined nagios plugins as nagios_unconfined_plugin_exec_t instead of bin_t

Bug 953261 - Label not yet confined nagios plugins as nagios_unconfined_plugin_exec_t instead of bin_t

Summary: Label not yet confined nagios plugins as nagios_unconfined_plugin_exec_t inst...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy-targeted
Sub Component:
Version:	18
Hardware:	Unspecified
OS:	Linux
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Miroslav Grepl
QA Contact:	Ben Levenson
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2013-04-17 19:27 UTC by Johan Hedin
Modified:	2013-04-20 01:03 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Clones:	953754 (view as bug list)
Environment:
Last Closed:	2013-04-20 01:03:29 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Johan Hedin 2013-04-17 19:27:31 UTC

Description of problem:

For nagios, there exists a nagios_unconfined_plugin_exec_t file context that can be used for plugins that not yet have a dedicated context.

But, the current policy assigns bin_t to all files in /usr/lib(64)?/nagios/plugins that does not have a specific context. By comparison, munin plugins in
/usr/share/munin/plugins that does not have a specific selinux file context get unconfined_munin_plugin_exec_t automatically.

Doing the same for nagios plugins would make life easier for those who build a lot of there own plugins.

Three files in /usr/lib(64)?/nagios/plugins from the nagios-plugins package get the context bin_t from the current policy so something like replacing:

/usr/lib/nagios/plugins(/.*)?     system_u:object_r:bin_t:s0

with:

/usr/lib/nagios/plugins/.*       system_u:object_r:nagios_unconfined_plugin_exec_t:s0
/usr/lib/nagios/plugins/negate   system_u:object_r:bin_t:s0
/usr/lib/nagios/plugins/urlize   system_u:object_r:bin_t:s0
/usr/lib/nagios/plugins/utils.sh system_u:object_r:bin_t:s0

should do the trick.


Version-Release number of selected component (if applicable):

selinux-policy-targeted 3.11.1-90

Comment 1 Miroslav Grepl 2013-04-18 07:34:22 UTC

Yes, good point.

Comment 2 Miroslav Grepl 2013-04-18 11:28:59 UTC

commit 74a92a2b0d9919c7f04c9fcca68d7f7dc916c531
Author: Miroslav Grepl <mgrepl>
Date:   Thu Apr 18 13:19:19 2013 +0200

    Label all nagios plugin as unconfined by default

Comment 3 Fedora Update System 2013-04-18 12:52:25 UTC

selinux-policy-3.11.1-91.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-91.fc18

Comment 4 Fedora Update System 2013-04-19 04:49:50 UTC

Package selinux-policy-3.11.1-91.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-91.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-6018/selinux-policy-3.11.1-91.fc18
then log in and leave karma (feedback).

Comment 5 Johan Hedin 2013-04-19 06:16:30 UTC

Wow, that was quick!

selinux-policy-3.11.1-91 fixes this.

Comment 6 Fedora Update System 2013-04-20 01:03:31 UTC

selinux-policy-3.11.1-91.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.