Bug 953754 - Label not yet confined nagios plugins as nagios_unconfined_plugin_exec_t instead of bin_t
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.4
Hardware: Unspecified
OS: Linux
Target Milestone: rc
Assignee: Miroslav Grepl
QA Contact: Michal Trunecka
Reported: 2013-04-19 06:18 UTC by Johan Hedin
Modified: 2014-09-30 23:34 UTC (History)

Fixed In Version: selinux-policy-3.7.19-210.el6
Doc Type: Bug Fix
Doc Text:
Clone Of: 953261
Environment:
Last Closed: 2013-11-21 10:23:23 UTC
Target Upstream Version:

Links
System: Red Hat Product Errata
ID: RHBA-2013:1598
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: selinux-policy bug fix and enhancement update
Last Updated: 2013-11-20 21:39:24 UTC

Description Johan Hedin 2013-04-19 06:18:42 UTC
+++ This bug was initially created as a clone of Bug #953261 +++

Description of problem:

For nagios, there exists a nagios_unconfined_plugin_exec_t file context that can be used for plugins that do not yet have a dedicated context.

But the current policy assigns bin_t to all files in /usr/lib(64)?/nagios/plugins that do not have a specific context. By comparison, munin plugins in /usr/share/munin/plugins that do not have a specific SELinux file context get unconfined_munin_plugin_exec_t automatically.

Doing the same for nagios plugins would make life easier for those who build a lot of their own plugins.

Three files in /usr/lib(64)?/nagios/plugins from the nagios-plugins package get the context bin_t from the current policy, so something like replacing:

/usr/lib/nagios/plugins(/.*)?     system_u:object_r:bin_t:s0

with:

/usr/lib/nagios/plugins/.*       system_u:object_r:nagios_unconfined_plugin_exec_t:s0
/usr/lib/nagios/plugins/negate   system_u:object_r:bin_t:s0
/usr/lib/nagios/plugins/urlize   system_u:object_r:bin_t:s0
/usr/lib/nagios/plugins/utils.sh system_u:object_r:bin_t:s0

should do the trick.


Version-Release number of selected component (if applicable):

selinux-policy-targeted 3.11.1-90
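
As an added example (not part of the report or of the selinux-policy sources), this Python sketch models how the most specific matching file-context entry decides a file's type, and compares the entry quoted above as current policy with the four proposed ones. The precedence rule used (literal over regex, then longer literal prefix, then longer spec) is a simplified model assumed here; the `/usr/lib(/.*)?` fallback entry and the `check_custom` plugin name are constructed.

```python
import re

META = set(".^$?*+|[({")  # an unescaped one of these makes a spec a regex

def specificity(spec):
    """Sort key for this model: literal specs outrank regex specs, then a
    longer literal prefix (stem) wins, then a longer spec."""
    stem, meta, i = 0, False, 0
    while i < len(spec):
        if spec[i] in META:
            meta = True
        else:
            if spec[i] == "\\":
                i += 1              # skip the escaped character
            if not meta:
                stem += 1
        i += 1
    return (not meta, stem, len(spec))

def label_for(path, entries):
    """Type of the most specific entry whose pattern matches the whole path."""
    ranked = sorted(entries, key=lambda e: specificity(e[0]), reverse=True)
    for spec, context in ranked:
        if re.fullmatch(spec, path):
            return context.split(":")[2]
    return None

PLUGINS = "/usr/lib/nagios/plugins"
# Constructed stand-in for whatever broader entry covers /usr/lib.
FALLBACK = ("/usr/lib(/.*)?", "system_u:object_r:lib_t:s0")
# The entry quoted in the report as current policy.
BEFORE = [FALLBACK, (PLUGINS + "(/.*)?", "system_u:object_r:bin_t:s0")]
# The four entries proposed in the report.
AFTER = [
    FALLBACK,
    (PLUGINS + "/.*", "system_u:object_r:nagios_unconfined_plugin_exec_t:s0"),
    (PLUGINS + "/negate", "system_u:object_r:bin_t:s0"),
    (PLUGINS + "/urlize", "system_u:object_r:bin_t:s0"),
    (PLUGINS + "/utils.sh", "system_u:object_r:bin_t:s0"),
]

def compare(paths):
    """Map each path to its (before, after) type under the two rule sets."""
    return {p: (label_for(p, BEFORE), label_for(p, AFTER)) for p in paths}

if __name__ == "__main__":
    # check_custom is a hypothetical locally built plugin.
    names = ["", "/check_custom", "/negate", "/urlize", "/utils.sh"]
    for path, (old, new) in compare([PLUGINS + n for n in names]).items():
        print(f"{path}: {old} -> {new}")
```

Under this model the plugins directory itself stops matching once `(/.*)?` becomes `/.*`, and the unescaped dot in `utils.sh` makes that entry a regex rather than a literal path.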

--- Additional comment from Miroslav Grepl on 2013-04-18 03:34:22 EDT ---

Yes, good point.

--- Additional comment from Miroslav Grepl on 2013-04-18 07:28:59 EDT ---

commit 74a92a2b0d9919c7f04c9fcca68d7f7dc916c531
Author: Miroslav Grepl <mgrepl@redhat.com>
Date:   Thu Apr 18 13:19:19 2013 +0200

    Label all nagios plugin as unconfined by default

--- Additional comment from Fedora Update System on 2013-04-18 08:52:25 EDT ---

selinux-policy-3.11.1-91.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-91.fc18

--- Additional comment from Fedora Update System on 2013-04-19 00:49:50 EDT ---

Package selinux-policy-3.11.1-91.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-91.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-6018/selinux-policy-3.11.1-91.fc18
then log in and leave karma (feedback).

--- Additional comment from Johan Hedin on 2013-04-19 02:16:30 EDT ---

Wow, that was quick!

selinux-policy-3.11.1-91 fixes this.

Comment 3 errata-xmlrpc 2013-11-21 10:23:23 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1598.html