Bug 1497081

Summary: rpm failed to add service group - avc: denied { dac_override } for comm="groupadd"
Product: [Fedora] Fedora
Reporter: Dominic P Geevarghese <dominicpg>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: unspecified
Version: rawhide
CC: abokovoy, dwalsh, ipa-maint, jhrozek, lsm5, lvrabec, mgrepl, mkosek, plautrba, pmoore, pvoborni, pvrabec, rcritten, ssorce, tmraz
Hardware: x86_64   
OS: Unspecified   
Last Closed: 2018-02-20 11:22:53 UTC
Type: Bug
Attachments: selinux-debug-audit.log (flags: none)

Description Dominic P Geevarghese 2017-09-29 07:14:05 UTC
Description of problem:

freeipa-server-4.6.1-1.fc28 installation failed on latest Rawhide.

Version-Release number of selected component (if applicable):

freeipa-server-4.6.1-1.fc28
Fedora-Server-dvd-x86_64-Rawhide-20170928.n.1.iso

Steps to Reproduce:

Install freeipa server

Actual results:

dnf install of freeipa-server package failed with

groupadd: cannot open /etc/gshadow
useradd: group 'kdcproxy' does not exist
groupadd: cannot open /etc/gshadow
useradd: group 'ipaapi' does not exist
id: ‘apache’: no such user
usermod: group 'ipaapi' does not exist
error: %prein(freeipa-server-4.6.1-1.fc28.x86_64) scriptlet failed, exit status 6
error: freeipa-server-4.6.1-1.fc28.x86_64: install failed


Thanks,
Dominic Geevarghese

Comment 1 Alexander Bokovoy 2017-09-29 07:20:38 UTC
There seems to be an issue with groupadd. I don't think a leaf package like freeipa-server is the cause of it, though. It needs to be investigated as part of shadow-utils (groupadd is part of shadow-utils).

Comment 2 Alexander Bokovoy 2017-09-29 07:22:12 UTC
Moving to shadow-utils.

Comment 3 Dominic P Geevarghese 2017-09-29 08:57:32 UTC
Created attachment 1332300
selinux-debug-audit.log

That's right. I left the machine for the freeipa installation and, when I returned, noticed just the last error reported by freeipa. Sorry, guys. I checked again and it turned out 'selinux' is not happy.

type=AVC msg=audit(1506675060.957:227): avc:  denied  { dac_override } for  pid=1114 comm="groupadd" capability=1  scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tclass=capability permissive=0

Attached audit.log for review.
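
An added example (not part of the original report and not Fedora or audit tooling): a small Python parser for the AVC record quoted in comment 3, showing how to extract the domain, object class and permission when triaging such a denial. The function names `parse_avc` and `triage` are hypothetical, and the sample line is the record from the comment above.

```python
import re
from datetime import datetime, timezone

# Sample input: the AVC record quoted in comment 3 of this bug, embedded inline.
SAMPLE = ('type=AVC msg=audit(1506675060.957:227): avc:  denied  { dac_override } '
          'for  pid=1114 comm="groupadd" capability=1  '
          'scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 '
          'tcontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 '
          'tclass=capability permissive=0')

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<epoch>\d+)\.(?P<ms>\d+):(?P<serial>\d+)\): '
    r'avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Parse one AVC audit record into a dict, or return None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    rec['result'] = m.group('result')
    rec['perms'] = m.group('perms').split()
    rec['serial'] = int(m.group('serial'))
    rec['time_utc'] = datetime.fromtimestamp(
        int(m.group('epoch')), timezone.utc).isoformat()
    # An SELinux context is user:role:type:level; the type field is the domain.
    rec['source_type'] = rec['scontext'].split(':')[2]
    rec['target_type'] = rec['tcontext'].split(':')[2]
    return rec

def triage(rec):
    """Return a one-line summary of what was denied and whether it was enforced."""
    perms = ','.join(rec['perms'])
    if rec['tclass'].startswith('capability') and rec['source_type'] == rec['target_type']:
        # Capability checks are made by a domain against itself.
        what = 'domain %s tried to use capability %s' % (rec['source_type'], perms)
    else:
        what = '%s -> %s (%s) %s' % (rec['source_type'], rec['target_type'],
                                     rec['tclass'], perms)
    if rec['result'] != 'denied':
        status = 'granted'
    else:
        status = 'blocked' if rec.get('permissive') == '0' else 'logged only'
    return '%s comm=%s: %s [%s]' % (rec['time_utc'], rec['comm'], what, status)

if __name__ == '__main__':
    print(triage(parse_avc(SAMPLE)))
```

The `permissive=0` field is what distinguishes an enforced denial, as in this report, from one that was only logged.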