Bug 1478118
| Summary: | system update blocked by PREIN error in setroubleshoot-server | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Przemek Klosowski <przemek> |
| Component: | setroubleshoot | Assignee: | Vit Mojzis <vmojzis> |
| Status: | CLOSED ERRATA | QA Contact: | Milos Malik <mmalik> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 7.4 | CC: | dapospis, lvrabec, mgrepl, mmalik, plautrba, przemek |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2018-10-30 09:47:31 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Przemek Klosowski
2017-08-03 15:41:54 UTC
A workaround is to delete the packages and group setroubleshoot, and reinstall: yum erase setroubleshoot* groupdel setroubleshoot yum install setroubleshoot* I managed to reproduce the situation you described, but I had to delete the setroubleshoot user and then create the setroubleshoot group manually. Could you run following commands before "yum update" on the machine where the situation still happens? # getent passwd setroubleshoot # getent group setroubleshoot Thank you! We could be more defensive and check for the existence of setroubleshoot group first:
diff --git a/setroubleshoot.spec b/setroubleshoot.spec
index 98cff01..608df0d 100644
--- a/setroubleshoot.spec
+++ b/setroubleshoot.spec
@@ -124,7 +124,8 @@ about the problem and help track its resolution. Alerts can be configured
to user preference. The same tools can be run on existing log files.
%pre server
-getent passwd %{username} >/dev/null || useradd -r -U -s /sbin/nologin -d %{pkgvardatadir} %{username}
+getent group %{username} >/dev/null || groupadd -r %{username}
+getent passwd %{username} >/dev/null || useradd -r -g %{username} -s /sbin/nologin -d %{pkgvardatadir} %{username}
%post server
%systemd_post auditd.service
sorry, I don't have a machine with this problem any more. I did check that when the problem was appearing, the group 'setroubleshoot' existed in /etc/group (IIRC group number was 993) but the user 'setroubleshoot' did not appear in /etc/passwd
After I executed my workaround, the group and user were created.
[root@comsolcalc comsol]# getent passwd setroubleshoot
setroubleshoot:x:994:989::/var/lib/setroubleshoot:/sbin/nologin
[root@comsolcalc comsol]# getent group setroubleshoot
setroubleshoot:x:989:
This may be related to the fact that we are trying to apply CIS hardening guidelines, which include removing setroubleshoot. Now, the root cause of this may be some RPM packaging issues: I noticed that erasing setroubleshoot does not affect setroubleshoot{-plugins,-server}, so there may be some cleanup issues. We may have removed and reinstalled setroubleshoot while messing with the CIS ansible rules. Please take a look at the pre/postinst scripts: perhaps they mess up group/user creation and/or detection when the package is installed/removed.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:3100 |