Bugzilla (bugzilla.redhat.com) will be under maintenance for infrastructure upgrades and will not be available on July 31st between 12:30 AM - 05:30 AM UTC. We appreciate your understanding and patience. You can follow status.redhat.com for details.
Bug 1416964 - SELinux is preventing groupadd from using the 'net_admin' capabilities.
Summary: SELinux is preventing groupadd from using the 'net_admin' capabilities.
Keywords:
Status: CLOSED EOL
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 26
Hardware: x86_64
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:f04853284d36368a5ea00115b9a...
: 1442388 1442714 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-01-26 23:30 UTC by arturpolak1
Modified: 2018-06-06 06:36 UTC (History)
22 users (show)

Fixed In Version: selinux-policy-3.13.1-257.fc26
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-06-12 13:06:05 UTC
Type: ---


Attachments (Terms of Use)

Description arturpolak1 2017-01-26 23:30:10 UTC
Description of problem:
SELinux is preventing groupadd from using the 'net_admin' capabilities.

*****  Plugin catchall (100. confidence) suggests   **************************

If jeśli groupadd powinno mieć domyślnie możliwość net_admin.
Then proszę to zgłosić jako błąd.
Można utworzyć lokalny moduł polityki, aby umożliwić ten dostęp.
Do
allow this access for now by executing:
# ausearch -c 'groupadd' --raw | audit2allow -M my-groupadd
# semodule -X 300 -i my-groupadd.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c102
                              3
Target Context                unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c102
                              3
Target Objects                Unknown [ capability ]
Source                        groupadd
Source Path                   groupadd
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-235.fc26.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 4.9.5-200.fc25.x86_64 #1 SMP Fri
                              Jan 20 12:24:16 UTC 2017 x86_64 x86_64
Alert Count                   2
First Seen                    2017-01-26 11:30:21 CET
Last Seen                     2017-01-26 11:30:21 CET
Local ID                      f831278a-2b52-4722-b89e-a189fcf66128

Raw Audit Messages
type=AVC msg=audit(1485426621.425:305): avc:  denied  { net_admin } for  pid=19372 comm="groupadd" capability=12  scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tclass=capability permissive=0


Hash: groupadd,groupadd_t,groupadd_t,capability,net_admin

Version-Release number of selected component:
selinux-policy-3.13.1-235.fc26.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.9.0
hashmarkername: setroubleshoot
kernel:         4.10.0-0.rc5.git1.1.fc26.x86_64
type:           libreport

Comment 1 Fedora End Of Life 2017-02-28 11:04:28 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 26 development cycle.
Changing version to '26'.

Comment 2 arturpolak1 2017-04-17 08:36:46 UTC
*** Bug 1442714 has been marked as a duplicate of this bug. ***

Comment 3 Lukas Vrabec 2017-04-17 18:34:32 UTC
*** Bug 1442388 has been marked as a duplicate of this bug. ***

Comment 4 Lukas Vrabec 2017-04-17 18:54:26 UTC
arturpolak1, 

Do you see something broken on your system in enforcing mode or you just see following alert? 

Thanks,
Lukas.

Comment 5 Pavel Roskin 2017-05-02 01:22:24 UTC
Description of problem:
I tried installing mock using dnf.
It was installed, but I got this violation at the end of the installation.
The mock package adds the mock group in the %prein script
I can reproduce the issue reliably by running:

sudo rpm -e mock
sudo groupdel mock
sudo dnf install mock

I don't know why groupadd needs net_admin capabilities.

Version-Release number of selected component:
selinux-policy-3.13.1-251.fc26.noarch

Additional info:
reporter:       libreport-2.9.1
hashmarkername: setroubleshoot
kernel:         4.11.0-0.rc8.git0.1.fc26.x86_64
type:           libreport

Comment 6 Dawid Zamirski 2017-05-06 21:13:53 UTC
Description of problem:
sudo dnf builddep libvirt


Additional info:
reporter:       libreport-2.9.1
hashmarkername: setroubleshoot
kernel:         4.11.0-1.fc26.x86_64
type:           libreport

Comment 7 Kamil Páral 2017-06-05 10:27:34 UTC
Description of problem:
I was installing a package using dnf. Not sure whether it was related.

Version-Release number of selected component:
selinux-policy-3.13.1-254.fc26.noarch

Additional info:
reporter:       libreport-2.9.1
hashmarkername: setroubleshoot
kernel:         4.11.3-300.fc26.x86_64
type:           libreport

Comment 8 Peter Hjalmarsson 2017-06-05 13:46:08 UTC
Description of problem:
Ran "dnf upgrade --refresh -y"

Version-Release number of selected component:
selinux-policy-3.13.1-254.fc26.noarch

Additional info:
reporter:       libreport-2.9.1
hashmarkername: setroubleshoot
kernel:         4.11.3-300.fc26.x86_64
type:           libreport

Comment 9 Fedora Update System 2017-06-08 11:10:39 UTC
selinux-policy-3.13.1-257.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-6a43388229

Comment 10 Fedora Update System 2017-06-10 01:09:59 UTC
selinux-policy-3.13.1-257.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-6a43388229

Comment 11 Fedora Update System 2017-06-12 13:06:05 UTC
selinux-policy-3.13.1-257.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.

Comment 12 arturpolak1 2018-06-06 06:36:26 UTC
I don't have that machine anymore, and that fedora release is EOL probably too..


Note You need to log in before you can comment on or make changes to this bug.