Description of problem:
SELinux is preventing /usr/sbin/groupadd from 'write' accesses on the file /etc/group-.

***** Plugin restorecon (94.8 confidence) suggests ************************

If you want to fix the label.
/etc/group- default label should be passwd_file_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /etc/group-

***** Plugin catchall_labels (5.21 confidence) suggests *******************

If you want to allow groupadd to have write access on the group- file
Then you need to change the label on /etc/group-
Do
# semanage fcontext -a -t FILE_TYPE '/etc/group-'
where FILE_TYPE is one of the following: afs_cache_t, faillog_t, initrc_tmp_t, lastlog_t, passwd_file_t, puppet_tmp_t, security_t, shadow_t, user_cron_spool_t, user_tmp_t.
Then execute:
restorecon -v '/etc/group-'

***** Plugin catchall (1.44 confidence) suggests **************************

If you believe that groupadd should be allowed write access on the group- file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep groupadd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:etc_t:s0
Target Objects                /etc/group- [ file ]
Source                        groupadd
Source Path                   /usr/sbin/groupadd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           shadow-utils-4.1.5.1-13.fc21.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-63.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 3.16.0-0.rc4.git2.1.fc22.x86_64 #1 SMP Wed Jul 9 17:15:03 UTC 2014 x86_64 x86_64
Alert Count                   1
First Seen                    2014-07-12 22:21:09 CEST
Last Seen                     2014-07-12 22:21:09 CEST
Local ID                      106f8593-7c2b-4d3d-bb27-170a1d618aa2

Raw Audit Messages
type=AVC msg=audit(1405196469.584:724): avc: denied { write } for pid=31188 comm="groupadd" name="group-" dev="dm-0" ino=1837543 scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0

type=SYSCALL msg=audit(1405196469.584:724): arch=x86_64 syscall=open success=no exit=EACCES a0=7fff92f40e70 a1=241 a2=1b6 a3=3a745f656c69665f items=0 ppid=31187 pid=31188 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm=groupadd exe=/usr/sbin/groupadd subj=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 key=(null)

Hash: groupadd,groupadd_t,etc_t,file,write

Version-Release number of selected component:
selinux-policy-3.13.1-63.fc21.noarch

Additional info:
reporter:       libreport-2.2.2
hashmarkername: setroubleshoot
kernel:         3.16.0-0.rc4.git2.1.fc22.x86_64
type:           libreport

Potential duplicate: bug 875387
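The triage the restorecon plugin performs above, as an added POSIX sh example that is not part of the bug report or of setroubleshoot: it parses the raw AVC line, pulls the source and target types out of the contexts, and decides whether the denial is a labeling problem (target type differs from the type the policy expects) or a genuine policy denial. Only the first case should be answered with restorecon; the audit2allow route in the catchall plugin would instead widen what groupadd_t may write. The sample line is the report's own audit message; the target path and expected type are passed in by the caller because the AVC line carries only name="group-", and matchpathcon(1) is consulted only where it exists.

```shell
#!/bin/sh
# Added example (not from the bug report): classify an AVC denial as a wrong
# label vs. a real policy denial, and emit the relabel command for the former.

# Constructed sample: the raw AVC line from the report.
SAMPLE_AVC='type=AVC msg=audit(1405196469.584:724): avc: denied { write } for pid=31188 comm="groupadd" name="group-" dev="dm-0" ino=1837543 scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0'

# avc_field LINE KEY: value of KEY=value (surrounding quotes stripped; empty if absent)
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.* $2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perms LINE: the permission set inside "denied { ... }"
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \([^}]*\) }.*/\1/p' | sed 's/^ *//;s/ *$//'
}

# ctx_type CONTEXT: the type, i.e. the third colon-separated field of a context
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# expected_type PATH: the type the loaded policy assigns to PATH, via
# matchpathcon(1) when available; prints nothing on systems without it.
expected_type() {
    command -v matchpathcon >/dev/null 2>&1 || return 0
    ctx_type "$(matchpathcon -n "$1")"
}

# relabel_plan LINE PATH EXPECTED_TYPE: prints one line, either
#   MISLABELED <path> <actual> <expected> restorecon -v <path>
# or
#   LABEL_OK <path> <type> (...)   when the label already matches the policy
relabel_plan() {
    line=$1; path=$2; expected=$3
    actual=$(ctx_type "$(avc_field "$line" tcontext)")
    src=$(ctx_type "$(avc_field "$line" scontext)")
    perms=$(avc_perms "$line")
    if [ "$actual" = "$expected" ]; then
        # Correct label: the policy itself denies this; relabeling cannot help.
        printf 'LABEL_OK %s %s (%s denied %s on %s by policy, not by a wrong label)\n' \
            "$path" "$actual" "$src" "$perms" "$(avc_field "$line" tclass)"
    else
        # Wrong label: restore the default context instead of loosening policy.
        printf 'MISLABELED %s %s %s restorecon -v %s\n' "$path" "$actual" "$expected" "$path"
    fi
}

# Stand-alone run: the report's case (file labeled etc_t, policy expects passwd_file_t).
# On a host with libselinux-utils, replace the literal with "$(expected_type /etc/group-)".
relabel_plan "$SAMPLE_AVC" /etc/group- passwd_file_t
```

Run on the report's line it prints MISLABELED /etc/group- etc_t passwd_file_t restorecon -v /etc/group-, which matches the restorecon plugin's recommendation; had the file already carried passwd_file_t, the LABEL_OK branch would tell you the denial comes from policy and is worth a bug report rather than a relabel.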
If you want to fix the label. /etc/group- default label should be passwd_file_t. Then you can run restorecon. Do # /sbin/restorecon -v /etc/group-
I have not created the file myself to my knowledge, so how could it get the wrong label? You suggest fixing the consequences, not the reason. Sorry if I am missing something obvious ...
JFTR, this is a quite freshly installed Rawhide machine, so maybe Anaconda or something else is creating this file with the wrong label?
With an unconfined domain, just about everything that can create this file would do so with the right label. Potentially it could have been a relabel. I know there was a bug in anaconda/rpm that was creating files with the wrong labels; it could have been caused by that.
*** This bug has been marked as a duplicate of bug 1119766 ***