Bug 859532

Summary: radvd: permission denied when calling useradd/groupadd during installation
Product: [Fedora] Fedora Reporter: Richard W.M. Jones <rjones>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED RAWHIDE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: rawhideCC: dominick.grift, dwalsh, jpopelka, mgrepl, ppisar
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-09-24 10:35:39 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Richard W.M. Jones 2012-09-21 18:53:26 UTC 
Description of problem:

During install of radvd on Rawhide with SELinux Enforcing:

/var/tmp/rpm-tmp.YDgPJ2: line 1: /sbin/groupadd: Permission denied
/var/tmp/rpm-tmp.YDgPJ2: line 3: /sbin/useradd: Permission denied
  Installing : radvd-1.9.1-4.fc19.x86_64                                 64/112 
warning: user radvd does not exist - using root
warning: group radvd does not exist - using root

Version-Release number of selected component (if applicable):

radvd-1.9.1-4.fc19.x86_64

How reproducible:

Happened once.
Comment 1 Petr Pisar 2012-09-24 08:28:49 UTC 
What's your selinux-policy version? I believe this is regression in SELinux policy (bug #809735) that has been already reported and seemingly fixed, or some files are mislabeled in your system.
Comment 2 Petr Pisar 2012-09-24 08:43:15 UTC 
I cannot reproduce your problem with current selinux-policy-3.11.1-18.fc18.noarch and following labels:

# ls -lZ /etc/group* /etc/gshadow*
-rw-r--r--. root root system_u:object_r:passwd_file_t:s0 /etc/group
-rw-r--r--. root root system_u:object_r:passwd_file_t:s0 /etc/group-
----------. root root system_u:object_r:shadow_t:s0    /etc/gshadow
----------. root root system_u:object_r:shadow_t:s0    /etc/gshadow-

If you still suffer from the problem, you will need to find help from SELinux maintainers by reassigning this report to selinux-policy component.
Comment 3 Richard W.M. Jones 2012-09-24 08:55:16 UTC 
My password and group files are labelled the same way.

selinux-policy 3.11.1-7.fc18

(Before and after the update -- selinux-policy was not
updated during this transaction)

More info to follow ..
Comment 4 Richard W.M. Jones 2012-09-24 09:02:26 UTC 
Well there was going to be more info, but now this
machine goes into an infinite loop in dracut.  Can't
be booted ...

Note this is Rawhide, not F18.
Comment 5 Petr Pisar 2012-09-24 09:11:06 UTC 
I know it's F19. SELinux guys do not build for rawhide thus the policy package has f18 tag. I performed the test on just updated F19.

I'm moving this report to selinux-policy because the radvd package script runs under rpm identity and it's confined by SELinux.
Comment 6 Miroslav Grepl 2012-09-24 09:48:46 UTC 
I would need to see outputs of

# semodule -DB
# yum install <whatever_causes_issue>
# ausearch -m avc -ts recent
Comment 7 Richard W.M. Jones 2012-09-24 10:35:39 UTC 
Never mind .. after downgrading radvd and upgrading radvd,
the error message is gone.  So I'll say that this has been
fixed in rawhide.