Bug 1497091

Summary: brlapi uninstallable on Rawhide armv7
Product: [Fedora] Fedora
Reporter: Richard W.M. Jones <rjones>
Component: selinux-policy
Assignee: Lukas Vrabec <lvrabec>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: rawhide
CC: dwalsh, gwync, jskarvad, karsten, lsm5, lvrabec, mgrepl, ovasik, pknirsch, plautrba, pmoore, pvrabec, tmraz
Target Milestone: ---   
Target Release: ---   
Hardware: armv7l   
OS: Unspecified   
Last Closed: 2018-02-20 11:20:30 UTC
Type: Bug
Bug Blocks: 910269    

Description Richard W.M. Jones 2017-09-29 07:33:52 UTC
Description of problem:

$ sudo dnf install /usr/lib/libbrlapi.so.0.6 
Last metadata expiration check: 1:09:12 ago on Fri 29 Sep 2017 02:20:59 EDT.
Dependencies resolved.
================================================================================
 Package         Arch             Version                Repository        Size
================================================================================
Installing:
 brlapi          armv7hl          0.6.6-9.fc28           rawhide          150 k

Transaction Summary
================================================================================
Install  1 Package

Total download size: 150 k
Installed size: 416 k
Is this ok [y/N]: y
Downloading Packages:
brlapi-0.6.6-9.fc28.armv7hl.rpm                 3.2 MB/s | 150 kB     00:00    
--------------------------------------------------------------------------------
Total                                           134 kB/s | 150 kB     00:01     
warning: /var/cache/dnf/rawhide-805c449d99b9520f/packages/brlapi-0.6.6-9.fc28.armv7hl.rpm: Header V3 RSA/SHA256 Signature, key ID 9db62fb1: NOKEY
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                        1/1 
  Running scriptlet: brlapi-0.6.6-9.fc28.armv7hl                            1/1 
groupadd: cannot open /etc/gshadow
error: %prein(brlapi-0.6.6-9.fc28.armv7hl) scriptlet failed, exit status 10
Error in PREIN scriptlet in rpm package brlapi
Error in PREIN scriptlet in rpm package brlapi
brlapi-0.6.6-9.fc28.armv7hl was supposed to be installed but is not!
  Verifying        : brlapi-0.6.6-9.fc28.armv7hl                            1/1 

Failed:
  brlapi.armv7hl 0.6.6-9.fc28                                                   

Error: Transaction failed

Comment 1 Richard W.M. Jones 2017-09-29 07:34:46 UTC
$ ll /etc/gshadow
----------. 1 root root 443 Sep 28 17:22 /etc/gshadow

Comment 2 Richard W.M. Jones 2017-09-29 07:37:09 UTC
I had to set gshadow to 0666 (!) to install this package.  Even 0600
didn't work.

Comment 3 Gwyn Ciesla 2017-09-29 12:49:46 UTC
%pre -n brlapi
getent group brlapi >/dev/null || groupadd -r brlapi >/dev/null

Sounds like a bug in setup.

Comment 4 Ondrej Vasik 2017-10-03 13:23:35 UTC
No, definitely not a bug in setup - gshadow is handled through capabilities intentionally. Let's reassign that to shadow-utils - where utilities for adding groups and users live - but gshadow will stay as 000; 666 is just the number of the devil and wrong for /etc/shadow and /etc/gshadow.

Comment 5 Tomas Mraz 2017-10-03 13:39:33 UTC
This is fallout from the no dac_override policy change.

Comment 6 Lukas Vrabec 2017-10-04 08:16:48 UTC
Tomas is right. 

Fixes will be available in the next selinux-policy rawhide build.
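
Comments 4 and 5 tie the failure to access that depends on capabilities which the SELinux policy no longer grants. The following is an added example, not part of the bug thread and not code from Fedora or selinux-policy: it scans audit-log text for denied dac_override / dac_read_search capabilities and groups them by SELinux domain. The log lines, and the domain names in them, are constructed for illustration and assumed rather than taken from this report.

```python
import re
from collections import defaultdict

# Constructed audit.log lines for illustration; none come from the bug report.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1506670432.101:311): avc:  denied  { dac_override } for  pid=2210 comm="groupadd" capability=1  scontext=system_u:system_r:groupadd_t:s0 tcontext=system_u:system_r:groupadd_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1506670432.102:312): avc:  denied  { dac_read_search } for  pid=2210 comm="groupadd" capability=2  scontext=system_u:system_r:groupadd_t:s0 tcontext=system_u:system_r:groupadd_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1506670490.007:340): avc:  denied  { dac_override } for  pid=2305 comm="useradd" capability=1  scontext=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 tclass=capability permissive=0
type=AVC msg=audit(1506670500.555:351): avc:  denied  { read } for  pid=2401 comm="httpd" name="index.html" dev="mmcblk0p3" ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1506670432.101:311): arch=40000028 syscall=5 success=no exit=-13 comm="groupadd" exe="/usr/sbin/groupadd" subj=system_u:system_r:groupadd_t:s0 key=(null)
"""

# Capabilities that let a process bypass file mode bits (DAC checks).
DAC_CAPS = {"dac_override", "dac_read_search"}

# Pull the denied permission set, command name, source context and class
# out of one AVC denial record.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scontext>\S+).*?tclass=(?P<tclass>\S+)'
)


def dac_capability_denials(log_text):
    """Return {(domain, comm): sorted list of denied DAC capabilities}."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        # Only capability-class denials matter here; file/dir denials are skipped.
        if not m or m.group("tclass") not in ("capability", "cap_userns"):
            continue
        denied = DAC_CAPS & set(m.group("perms").split())
        if denied:
            # scontext is user:role:type[:mls]; the type field is the domain.
            domain = m.group("scontext").split(":")[2]
            hits[(domain, m.group("comm"))] |= denied
    return {key: sorted(caps) for key, caps in hits.items()}


if __name__ == "__main__":
    found = dac_capability_denials(SAMPLE_AUDIT_LOG)
    for (domain, comm), caps in sorted(found.items()):
        print(f"{domain} ({comm}): denied {', '.join(caps)}")
```

On a live system the same function can be fed the text output of `ausearch -m avc` instead of the embedded sample.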