Bug 1478118 - system update blocked by PREIN error in setroubleshoot-server
Status: POST
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: setroubleshoot
Hardware: All Linux
Priority: unspecified
Severity: unspecified
Assigned To: Vit Mojzis
Milos Malik
Reported: 2017-08-03 11:41 EDT by Przemek Klosowski
Modified: 2018-01-09 07:40 EST
Type: Bug
Description Przemek Klosowski 2017-08-03 11:41:54 EDT
Description of problem:
system update blocked by PREIN error in setroubleshoot-server

Version-Release number of selected component (if applicable):
setroubleshoot-server.x86_64 0:

How reproducible: every time

Steps to Reproduce:
1. yum update

Actual results:
Loaded plugins: product-id, search-disabled-repos, subscription-manager
Resolving Dependencies
--> Running transaction check
---> Package setroubleshoot-server.x86_64 0: will be updated
---> Package setroubleshoot-server.x86_64 0:3.2.28-3.el7 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

 Package                                             Arch                                 Version                                       Repository                                        Size
 setroubleshoot-server                               x86_64                               3.2.28-3.el7                                  rhel-7-server-rpms                               384 k

Transaction Summary
Upgrade  1 Package

Total download size: 384 k
Is this ok [y/d/N]: y
Downloading packages:
No Presto metadata available for rhel-7-server-rpms
setroubleshoot-server-3.2.28-3.el7.x86_64.rpm                                                                                                                           | 384 kB  00:00:00     
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
useradd: group setroubleshoot exists - if you want to add this user to that group, use -g.
error: %pre(setroubleshoot-server-3.2.28-3.el7.x86_64) scriptlet failed, exit status 9
Error in PREIN scriptlet in rpm package setroubleshoot-server-3.2.28-3.el7.x86_64
setroubleshoot-server- was supposed to be removed but is not!
  Verifying  : setroubleshoot-server-                                                                                                                                 1/2 
  Verifying  : setroubleshoot-server-3.2.28-3.el7.x86_64                                                                                                                                   2/2 

  setroubleshoot-server.x86_64 0:                                                   setroubleshoot-server.x86_64 0:3.2.28-3.el7                                                  


Expected results: successful update without errors
Comment 2 Przemek Klosowski 2017-08-03 11:47:17 EDT
A workaround is to delete the packages and group setroubleshoot, and reinstall:
yum erase setroubleshoot*
groupdel setroubleshoot
yum install setroubleshoot*
Comment 3 Milos Malik 2017-08-04 05:14:35 EDT
I managed to reproduce the situation you described, but I had to delete the setroubleshoot user and then create the setroubleshoot group manually.

Could you run the following commands before "yum update" on the machine where the situation still happens?

# getent passwd setroubleshoot
# getent group setroubleshoot

Thank you!
Comment 4 Petr Lautrbach 2017-08-04 08:45:12 EDT
We could be more defensive and check for the existence of setroubleshoot group first:

diff --git a/setroubleshoot.spec b/setroubleshoot.spec
index 98cff01..608df0d 100644
--- a/setroubleshoot.spec
+++ b/setroubleshoot.spec
@@ -124,7 +124,8 @@ about the problem and help track its resolution. Alerts can be configured
 to user preference. The same tools can be run on existing log files.
 %pre server
-getent passwd %{username} >/dev/null || useradd -r -U -s /sbin/nologin -d %{pkgvardatadir} %{username}
+getent group %{username} >/dev/null || groupadd -r %{username}
+getent passwd %{username} >/dev/null || useradd -r -g %{username} -s /sbin/nologin -d %{pkgvardatadir} %{username}
 %post server
 %systemd_post auditd.service
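Review bot: on the added `useradd -r -g %{username}` line, a group that already exists is adopted as the account's primary group without any check on its members, so the service account can end up sharing a group with unrelated users; consider a comment in the spec stating that this is accepted, or a warning when the existing group is not empty. The useradd is also still the last command in `%pre server`, so any other groupadd or useradd failure aborts the transaction the same way exit status 9 did in this report; say whether that is intended or end the scriptlet with an explicit exit status.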
Comment 5 Przemek Klosowski 2017-08-04 10:18:12 EDT
Sorry, I don't have a machine with this problem any more. I did check that when the problem was appearing, the group 'setroubleshoot' existed in /etc/group (IIRC group number was 993) but the user 'setroubleshoot' did not appear in /etc/passwd.
After I executed my workaround, the group and user were created.

[root@comsolcalc comsol]#  getent passwd setroubleshoot
[root@comsolcalc comsol]# getent group setroubleshoot

This may be related to the fact that we are trying to apply CIS hardening guidelines, which include removing setroubleshoot. Now, the root cause of this may be some RPM packaging issues: I noticed that erasing setroubleshoot does not affect setroubleshoot{-plugins,-server}, so there may be some cleanup issues. We may have removed and reinstalled setroubleshoot while messing with the CIS ansible rules. Please take a look at the pre/postinst scripts: perhaps they mess up group/user creation and/or detection when the package is installed/removed.
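
A pre-update check for the state described in this report, as an added example that is not part of the bug or of the setroubleshoot package: it classifies a named account from local passwd and group files, so the group-without-user case (where `useradd -U` exits 9) is caught before `yum update`. The function name and the file-path arguments are assumptions, and it reads local files only, not the NSS sources that `getent` would consult.

```shell
#!/bin/sh
# Added example: classify the account state that the %pre scriptlet will meet.
# account_state is a hypothetical helper, not part of any package.

# account_state NAME [PASSWD_FILE] [GROUP_FILE]
# Prints one of: ok, group-only, user-only, gid-mismatch, absent
account_state() {
    name=$1
    passwd_file=${2:-/etc/passwd}
    group_file=${3:-/etc/group}

    # Field 4 of passwd is the user's primary GID; field 3 of group is the GID.
    user_gid=$(awk -F: -v n="$name" '$1 == n { print $4; exit }' "$passwd_file")
    group_gid=$(awk -F: -v n="$name" '$1 == n { print $3; exit }' "$group_file")

    if [ -z "$user_gid" ] && [ -z "$group_gid" ]; then
        echo absent          # fresh install: useradd -U creates both
    elif [ -z "$user_gid" ]; then
        echo group-only      # state from this report: useradd -U exits 9
    elif [ -z "$group_gid" ]; then
        echo user-only       # user left behind without its group
    elif [ "$user_gid" != "$group_gid" ]; then
        echo gid-mismatch    # both exist, but the user's primary group differs
    else
        echo ok
    fi
}

# Constructed sample reproducing the reported state (group 993, no user).
demo_dir=$(mktemp -d)
printf 'root:x:0:0:root:/root:/bin/bash\n' > "$demo_dir/passwd"
printf 'root:x:0:\nsetroubleshoot:x:993:\n' > "$demo_dir/group"
account_state setroubleshoot "$demo_dir/passwd" "$demo_dir/group"
rm -rf "$demo_dir"
```

Any result other than `ok` or `absent` means the account was only partially removed, which is the condition to clean up after hardening steps that erase setroubleshoot.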
