An exception that breaks the stability of the RHEL SELinux policy API

RHEL 7.8 introduced a kernel fix for the CVE-2019-11190 flaw. After the fix, the map and execute permissions are checked against the SELinux target domain instead of the SELinux source domain. As a result of this change, certain SELinux domains require adding an allow rule to be able to execute binary files labeled as bin_t¹.

By fixing this problem, we had to break the promise of the stability of the RHEL SELinux policy API. Specifically, a custom SELinux module may not work the same on two different minor releases of RHEL. We had investigated several ways to address this problem, but we did not find any that would ensure compatibility and the same or a comparable level of security.

For that reason, we chose to fix all problems related to the aforementioned change in the RHEL 7.9 SELinux policy and document the necessary exception. Our solution does not affect the security guarantees of the existing policy and thus aligns with the statements of the maintenance support 2 phase.

On configurations affected by the change, you can see SELinux denials similar to the following example:

type=AVC msg=audit(1587035820.733:86046): avc:  denied  { execute } for  pid=XXXX comm="plugin" path="/usr/bin/perl" dev="dm-1" ino=XXXX scontext=system_u:system_r:domain_script_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0

To work around this problem, add the following macro to your custom policies:

corecmd_exec_bin()

For example, to fix the previously listed SELinux denial, add:

corecmd_exec_bin(domain_script_t)

Note that the missing SELinux rules for Nagios are added in the RHEL 7.9 policy. The problem does not affect RHEL 8 systems.

Additional resources

• RHBZ#1827214
• RHBZ#1824625
• Stability of the SELinux Policy API
• Red Hat Enterprise Linux Life Cycle - Maintenance Support 2 Phase