Bug 770206

Summary: Selinux error while installing smstools
Product: [Fedora] Fedora Reporter: info <info>
Component: smstoolsAssignee: Patrick C. F. Ernzer <pcfe>
Status: CLOSED WONTFIX QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 16CC: martin, mmahut, pcfe, rmy
Target Milestone: ---   
Target Release: ---   
Hardware: i686   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-02-13 19:11:17 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description info@kobaltwit.be 2011-12-24 09:11:21 UTC 
Description of problem:
I got the following error while installing smstools via yum:
Error in PREIN scriptlet in rpm package smstools-3.1.14-2.fc15.i686
error: %pre(smstools-3.1.14-2.fc15.i686) scriptlet failed, exit status 12

Version-Release number of selected component (if applicable):
smstools-3.1.14-2.fc15.i686.rpm

How reproducible:
Always

Steps to Reproduce:
1. yum install smstools
  
Actual results:
An selinux security error during installation, causing the installation to be aborted.

Expected results:
Successful installation of smstools

Additional info:
This is the report I get from selinux:
SELinux is preventing /usr/sbin/useradd from write access on the directory /var/lib.

*****  Plugin catchall_labels (83.8 confidence) suggests  ********************

If you want to allow useradd to have write access on the lib directory
Then you need to change the label on /var/lib
Do
# semanage fcontext -a -t FILE_TYPE '/var/lib'
where FILE_TYPE is one of the following: httpd_user_script_exec_type, user_home_type, pcscd_var_run_t, home_root_t, user_home_dir_t, httpd_user_content_type, mail_spool_t, etc_t. 
Then execute: 
restorecon -v '/var/lib'


*****  Plugin catchall (17.1 confidence) suggests  ***************************

If you believe that useradd should be allowed write access on the lib directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep useradd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:system_r:useradd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:var_lib_t:s0
Target Objects                /var/lib [ dir ]
Source                        useradd
Source Path                   /usr/sbin/useradd
Port                          <Unknown>
Host                          legolas.kobaltwit.lan
Source RPM Packages           shadow-utils-4.1.4.3-10.fc16
Target RPM Packages           filesystem-2.4.44-1.fc16
Policy RPM                    selinux-policy-3.10.0-64.fc16
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     legolas.kobaltwit.lan
Platform                      Linux legolas.kobaltwit.lan 3.1.5-6.fc16.i686.PAE
                              #1 SMP Thu Dec 15 16:19:31 UTC 2011 i686 i686
Alert Count                   1
First Seen                    za 24 dec 2011 09:42:42 CET
Last Seen                     za 24 dec 2011 09:42:42 CET
Local ID                      a128e209-6c32-4fbf-aca6-7a5c8a8d36f6

Raw Audit Messages
type=AVC msg=audit(1324716162.276:86): avc:  denied  { write } for  pid=3336 comm="useradd" name="lib" dev=dm-1 ino=390146 scontext=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir


type=SYSCALL msg=audit(1324716162.276:86): arch=i386 syscall=mkdir success=no exit=EACCES a0=bf96d72e a1=0 a2=bf96c8d4 a3=1 items=0 ppid=3328 pid=3336 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts24 ses=2 comm=useradd exe=/usr/sbin/useradd subj=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 key=(null)

Hash: useradd,useradd_t,var_lib_t,dir,write

audit2allow

#============= useradd_t ==============
#!!!! The source type 'useradd_t' can write to a 'dir' of the following types:
# httpd_user_script_exec_type, user_home_type, pcscd_var_run_t, home_root_t, user_home_dir_t, httpd_user_content_type, mail_spool_t, etc_t

allow useradd_t var_lib_t:dir write;

audit2allow -R

#============= useradd_t ==============
#!!!! The source type 'useradd_t' can write to a 'dir' of the following types:
# httpd_user_script_exec_type, user_home_type, pcscd_var_run_t, home_root_t, user_home_dir_t, httpd_user_content_type, mail_spool_t, etc_t

allow useradd_t var_lib_t:dir write;
Comment 2 Martin Dengler 2012-07-21 16:19:21 UTC 
I have this issue as well.  I solved it the way Miroslav recommended in https://bugzilla.redhat.com/show_bug.cgi?id=760813#c3 :

systemctl stop auditd.service                                                                                                                          
semanage permissive -a useradd_t                                                                                                                       
yum -y install smstools                                                                                                                                
systemctl start auditd.service                                                                                                                         
semanage permissive -d useradd_t

The semanage commands each took about five minutes for me, so wait for them to run...
Comment 4 Fedora End Of Life 2013-01-16 15:57:15 UTC 
This message is a reminder that Fedora 16 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 16. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '16'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 16's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 16 is end of life. If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora, you are encouraged to click on 
"Clone This Bug" and open it against that version of Fedora.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 5 Patrick C. F. Ernzer 2013-01-30 21:23:50 UTC 
note: while this bug will be auto-closed soon. it's being tracked for
 F17 as Bug 878842
 F18 as Bug 853556
Comment 6 Fedora End Of Life 2013-02-13 19:11:31 UTC 
Fedora 16 changed to end-of-life (EOL) status on 2013-02-12. Fedora 16 is 
no longer maintained, which means that it will not receive any further 
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of 
Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.