Red Hat Bugzilla – Bug 953754
Label not yet confined nagios plugins as nagios_unconfined_plugin_exec_t instead of bin_t
Last modified: 2014-09-30 19:34:43 EDT
+++ This bug was initially created as a clone of Bug #953261 +++

Description of problem:

For nagios, there exists a nagios_unconfined_plugin_exec_t file context that can be used for plugins that do not yet have a dedicated context. But the current policy assigns bin_t to all files in /usr/lib(64)?/nagios/plugins that do not have a specific context. By comparison, munin plugins in /usr/share/munin/plugins that do not have a specific SELinux file context get unconfined_munin_plugin_exec_t automatically. Doing the same for nagios plugins would make life easier for those who build a lot of their own plugins.

Three files in /usr/lib(64)?/nagios/plugins from the nagios-plugins package get the context bin_t from the current policy, so something like replacing:

    /usr/lib/nagios/plugins(/.*)?       system_u:object_r:bin_t:s0

with:

    /usr/lib/nagios/plugins/.*          system_u:object_r:nagios_unconfined_plugin_exec_t:s0
    /usr/lib/nagios/plugins/negate      system_u:object_r:bin_t:s0
    /usr/lib/nagios/plugins/urlize      system_u:object_r:bin_t:s0
    /usr/lib/nagios/plugins/utils.sh    system_u:object_r:bin_t:s0

should do the trick.

Version-Release number of selected component (if applicable):
selinux-policy-targeted 3.11.1-90

--- Additional comment from Miroslav Grepl on 2013-04-18 03:34:22 EDT ---

Yes, good point.

--- Additional comment from Miroslav Grepl on 2013-04-18 07:28:59 EDT ---

commit 74a92a2b0d9919c7f04c9fcca68d7f7dc916c531
Author: Miroslav Grepl <mgrepl@redhat.com>
Date: Thu Apr 18 13:19:19 2013 +0200

    Label all nagios plugin as unconfined by default

--- Additional comment from Fedora Update System on 2013-04-18 08:52:25 EDT ---

selinux-policy-3.11.1-91.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-91.fc18

--- Additional comment from Fedora Update System on 2013-04-19 00:49:50 EDT ---

Package selinux-policy-3.11.1-91.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.

Update it with:

    # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-91.fc18'

as soon as you are able to.

Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-6018/selinux-policy-3.11.1-91.fc18
then log in and leave karma (feedback).

--- Additional comment from Johan Hedin on 2013-04-19 02:16:30 EDT ---

Wow, that was quick! selinux-policy-3.11.1-91 fixes this.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-1598.html
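
Added example, not part of the bug report or of selinux-policy: a check of a plugin directory listing against the labeling proposed in the description, where only negate, urlize and utils.sh stay bin_t and plugins with a dedicated type are left alone. The function names, the check_site_* plugin names and the sample `ls -Z` output are constructed for illustration.

```python
import re

# Helper files the report keeps as bin_t; they are not checks themselves.
BIN_T_HELPERS = {"negate", "urlize", "utils.sh"}
DEFAULT_TYPE = "nagios_unconfined_plugin_exec_t"
# user:role:type:level, where the level may itself contain colons (MLS range).
CONTEXT_RE = re.compile(r"^[\w.-]+:[\w.-]+:([\w.-]+):\S+$")

def parse_ls_z(output):
    """Yield (name, selinux_type) from `ls -Z` output, with or without mode/owner columns."""
    for line in output.splitlines():
        fields = line.split()
        for i, field in enumerate(fields[:-1]):
            match = CONTEXT_RE.match(field)
            if match:
                yield " ".join(fields[i + 1:]), match.group(1)
                break

def audit(output):
    """Return (name, current_type, expected_type) for files that need relabeling."""
    findings = []
    for name, setype in parse_ls_z(output):
        if name in BIN_T_HELPERS:
            if setype != "bin_t":
                findings.append((name, setype, "bin_t"))
        elif setype == "bin_t":
            # Generic label left over from the old catch-all rule.
            findings.append((name, setype, DEFAULT_TYPE))
    return findings

# Constructed sample of `ls -Z /usr/lib64/nagios/plugins` output.
SAMPLE_LS_Z = """\
-rwxr-xr-x. root root system_u:object_r:nagios_services_plugin_exec_t:s0 check_ping
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 check_site_backup
-rwxr-xr-x. root root system_u:object_r:nagios_unconfined_plugin_exec_t:s0 check_site_queue
-rwxr-xr-x. root root system_u:object_r:bin_t:s0 negate
-rwxr-xr-x. root root unconfined_u:object_r:nagios_unconfined_plugin_exec_t:s0 utils.sh
"""

if __name__ == "__main__":
    for name, current, expected in audit(SAMPLE_LS_Z):
        print(f"{name}: {current} -> {expected}")
```

Files reported here still carry labels from before the policy update (or from a manual chcon); `restorecon -Rv` on the plugin directory reapplies the labels from the installed policy.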