| Summary: | SELinux is preventing /usr/sbin/useradd from 'write' accesses on the directory /var/lib/xguest. | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Harish Pillay <h.pillay> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | high | | |
| Priority: | high | | |
| Version: | 16 | CC: | bodhi.zazen, dominick.grift, dwalsh, mgrepl, redhat-bugzilla |
| Hardware: | x86_64 | | |
| OS: | Linux | | |
| Whiteboard: | abrt_hash:76d4a23200523af8024dd864bd7187aacc3e0070ea10461df53cd080e4b59263 | | |
| Fixed In Version: | xguest-1.0.10-2.fc16 | Doc Type: | Bug Fix |
| Last Closed: | 2011-12-21 17:00:28 UTC | | |

Description
Harish Pillay
2011-12-07 02:39:08 UTC
Created attachment 541657
File: description

I did run:

    grep useradd /var/log/audit/audit.log | audit2allow -M mypol

and:

    semodule -i mypol.pp

and redid yum install xguest and gives the same sealert exception.

This is a policy issue. If you want to fix it now, you can do it using these steps

    # systemctl stop auditd.service
    # semanage permissive -a useradd_t
    # yum install xguest
    # systemctl start auditd.service
    # semanage permissive -d useradd_t

Thanks for the suggestion. This is what I just did:

    # systemctl stop auditd.service
    # semanage permissive -a useradd_t
    # yum install xguest -y
    Loaded plugins: langpacks, presto, refresh-packagekit
    Setting up Install Process
    Resolving Dependencies
    --> Running transaction check
    ---> Package xguest.noarch 0:1.0.10-1.fc16 will be installed
    --> Finished Dependency Resolution

    Dependencies Resolved

    ================================================================================
     Package        Arch        Version             Repository        Size
    ================================================================================
    Installing:
     xguest         noarch      1.0.10-1.fc16       fedora            60 k

    Transaction Summary
    ================================================================================
    Install 1 Package

    Total download size: 60 k
    Installed size: 60 k
    Downloading Packages:
    xguest-1.0.10-1.fc16.noarch.rpm | 60 kB 00:00
    Running Transaction Check
    Running Transaction Test
    Transaction Test Succeeded
    Running Transaction
    Error in PREIN scriptlet in rpm package xguest-1.0.10-1.fc16.noarch
    /usr/sbin/semanage: Could not start semanage transaction
    error: %pre(xguest-1.0.10-1.fc16.noarch) scriptlet failed, exit status 1

    Failed:
      xguest.noarch 0:1.0.10-1.fc16

    Complete!

So, it looks like there is more to it.

Harish

Ok, I just built a new version of xguest package that will install in the proper directory and run everything in the post script. We have also fixed up some of the policy to allow useradd to do its thing.

xguest-1.0.10-2.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/xguest-1.0.10-2.fc16

Could you test it with this xguest package and with the latest policy from koji

http://koji.fedoraproject.org/koji/buildinfo?buildID=278216

Thank you.

*** Bug 765680 has been marked as a duplicate of this bug. ***

Package xguest-1.0.10-2.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:

    # su -c 'yum update --enablerepo=updates-testing xguest-1.0.10-2.fc16'

as soon as you are able to. Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2011-16944/xguest-1.0.10-2.fc16
then log in and leave karma (feedback).

xguest-1.0.10-2.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.

The new package installed without any error message in the terminal, but did not configure the xguest account. guest is not listed in the users on the gdm screen, and there is no user guest or xguest in /etc/passwd.

    yum remove xguest
    userdel xguest
    semanage login -d xguest
    yum install xguest

And see if this works correctly.

Thank you Daniel Walsh, but that did not work. After those commands, still no user xguest

    id xguest
    id: xguest: No such user

so I again removed xguest, put selinux into permissive mode, and installed.

    yum remove xguest
    setenforce 0
    yum install xguest
    setenforce 1

Now xguest is installed.

--
Fedora Bugzappers volunteer triage team
https://fedoraproject.org/wiki/BugZappers

Are there any AVC msgs in permissive mode?

    $ yum remove xguest
    $ setenforce 0
    $ yum install xguest
    $ setenforce 1
    $ ausearch -m avc -ts recent

Thank you Miroslav, no, nothing when running that command (after removing, and re-installing in permissive mode ... )

    ausearch -m avc -ts recent
    <no matches>

--
Fedora Bugzappers volunteer triage team
https://fedoraproject.org/wiki/BugZappers