Bug 856548

Summary: current policy prevents adding users to groups
Product: [Fedora] Fedora
Reporter: Matthias Runge <mrunge>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED DUPLICATE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 17
CC: dominick.grift, dwalsh, mgrepl, pbrady
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2012-09-12 11:12:35 UTC
Type: Bug
Bug Blocks: 854981    

Description Matthias Runge 2012-09-12 09:44:02 UTC
Description of problem:

Take a freshly installed f17 (including updates), then run e.g.
yum install mysql-server

results in:
Transaction Test Succeeded
Running Transaction
  Installing : mysql-server-5.5.27-1.fc17.x86_64                            1/1 
warning: user mysql does not exist - using root
warning: group mysql does not exist - using root
warning: user mysql does not exist - using root
warning: group mysql does not exist - using root
warning: user mysql does not exist - using root
warning: group mysql does not exist - using root
  Verifying  : mysql-server-5.5.27-1.fc17.x86_64                            1/1 


type=ADD_GROUP msg=audit(1347435072.926:84): pid=1658 uid=0 auid=1000 ses=2 subj=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 msg='op=adding group to /etc/gshadow acct="mysql" exe="/usr/sbin/groupadd" hostname=? addr=? terminal=? res=failed'
type=ADD_GROUP msg=audit(1347435072.928:85): pid=1658 uid=0 auid=1000 ses=2 subj=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 msg='op=adding group to /etc/group acct="mysql" exe="/usr/sbin/groupadd" hostname=? addr=? terminal=? res=failed'
type=ADD_GROUP msg=audit(1347435072.929:86): pid=1658 uid=0 auid=1000 ses=2 subj=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 msg='op= acct="mysql" exe="/usr/sbin/groupadd" hostname=? addr=? terminal=? res=failed'



(reproducible also with openstack-nova, openstack-glance, qpidd, etc.)

Version-Release number of selected component (if applicable):
[root@localhost audit]# rpm -qa | grep selinux
libselinux-utils-2.1.10-3.fc17.x86_64
selinux-policy-devel-3.10.0-146.fc17.noarch
libselinux-2.1.10-3.fc17.x86_64
selinux-policy-targeted-3.10.0-146.fc17.noarch
libselinux-python-2.1.10-3.fc17.x86_64
selinux-policy-3.10.0-146.fc17.noarch


How reproducible:
100%

Steps to Reproduce:
1. fresh install f17, install updates during install
2. boot up
3. yum install mysql-server
  
Actual results:
see above

Expected results:
no denies

Additional info:

Comment 1 Pádraig Brady 2012-09-12 10:06:57 UTC
I can't reproduce this at all?

# getenforce 
Enforcing

# id mysql
id: mysql: no such user

# yum update

# rpm -qa "*selinux*"
selinux-policy-devel-3.10.0-146.fc17.noarch
selinux-policy-targeted-3.10.0-146.fc17.noarch
selinux-policy-3.10.0-146.fc17.noarch
libselinux-2.1.10-3.fc17.x86_64
libselinux-python-2.1.10-3.fc17.x86_64
libselinux-utils-2.1.10-3.fc17.x86_64

# yum install mysql-server

# id mysql
uid=27(mysql) gid=27(mysql) groups=27(mysql)

Comment 2 Pádraig Brady 2012-09-12 11:12:35 UTC
This seems intermittent.
I didn't experience it in 3 tries.
Matthias had the issue in 2 of 3 tries.

*** This bug has been marked as a duplicate of bug 844167 ***
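
A triage sketch for the ADD_GROUP records quoted in the description, added here as an example and not part of the bug report or of any Fedora tooling: it parses the user-space audit records, keeps those with res=failed, and groups them by executable, account, SELinux domain and PID. The function names and the single res=success record are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed input: the three records from the description, plus one
# constructed res=success record (serial 90, acct "demo") for contrast.
SAMPLE = """
type=ADD_GROUP msg=audit(1347435072.926:84): pid=1658 uid=0 auid=1000 ses=2 subj=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 msg='op=adding group to /etc/gshadow acct="mysql" exe="/usr/sbin/groupadd" hostname=? addr=? terminal=? res=failed'
type=ADD_GROUP msg=audit(1347435072.928:85): pid=1658 uid=0 auid=1000 ses=2 subj=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 msg='op=adding group to /etc/group acct="mysql" exe="/usr/sbin/groupadd" hostname=? addr=? terminal=? res=failed'
type=ADD_GROUP msg=audit(1347435072.929:86): pid=1658 uid=0 auid=1000 ses=2 subj=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 msg='op= acct="mysql" exe="/usr/sbin/groupadd" hostname=? addr=? terminal=? res=failed'
type=ADD_GROUP msg=audit(1347435100.000:90): pid=1700 uid=0 auid=1000 ses=2 subj=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 msg='op=adding group to /etc/group acct="demo" exe="/usr/sbin/groupadd" hostname=? addr=? terminal=? res=success'
"""

HEADER = re.compile(r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<rest>.*)$")
INNER = re.compile(r'op=(?P<op>.*?) acct="(?P<acct>[^"]*)" exe="(?P<exe>[^"]*)".* res=(?P<res>\w+)$')

def parse_record(line):
    """Return a dict for one user-space account audit record, or None."""
    head = HEADER.match(line.strip())
    if not head or " msg='" not in head["rest"]:
        return None
    outer, inner = head["rest"].split(" msg='", 1)
    body = INNER.match(inner.rstrip("'"))
    if not body:
        return None
    fields = dict(kv.split("=", 1) for kv in outer.split())
    rec = {"type": head["type"], "serial": int(head["serial"]), **fields, **body.groupdict()}
    # An SELinux context is user:role:type:level; the type is the process domain.
    rec["domain"] = rec.get("subj", ":::").split(":")[2]
    return rec

def failed_account_changes(text):
    """Group res=failed records by (exe, acct, domain, pid)."""
    failures = defaultdict(list)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec and rec["res"] == "failed":
            key = (rec["exe"], rec["acct"], rec["domain"], rec["pid"])
            failures[key].append((rec["serial"], rec["op"] or "<empty op>"))
    return dict(failures)

if __name__ == "__main__":
    for (exe, acct, domain, pid), ops in failed_account_changes(SAMPLE).items():
        print(f"{exe} pid={pid} domain={domain} acct={acct}")
        for serial, op in ops:
            print(f"  serial {serial}: {op}")
```

On the sample it reports a single groupadd run (pid 1658, domain groupadd_t) failing for acct "mysql" on both /etc/gshadow and /etc/group, the same account the rpm warnings in the description say does not exist.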