Bug 1497081 - rpm failed to add service group - avc: denied { dac_override } for comm="groupadd"
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: x86_64
OS: Unspecified
Target Milestone: ---
Assignee: Lukas Vrabec
QA Contact: Fedora Extras Quality Assurance
Depends On:
Reported: 2017-09-29 07:14 UTC by Dominic P Geevarghese
Modified: 2018-02-20 11:22 UTC

Fixed In Version:
Doc Text:
Clone Of:
Last Closed: 2018-02-20 11:22:53 UTC
Type: Bug

Attachments
selinux-debug-audit.log (83.85 KB, text/plain)
2017-09-29 08:57 UTC, Dominic P Geevarghese

Description Dominic P Geevarghese 2017-09-29 07:14:05 UTC
Description of problem:

freeipa-server-4.6.1-1.fc28 installation failed on latest Rawhide.

Version-Release number of selected component (if applicable):


Steps to Reproduce:

Install freeipa server

Actual results:

dnf install of freeipa-server package failed with

groupadd: cannot open /etc/gshadow
useradd: group 'kdcproxy' does not exist
groupadd: cannot open /etc/gshadow
useradd: group 'ipaapi' does not exist
id: ‘apache’: no such user
usermod: group 'ipaapi' does not exist
error: %prein(freeipa-server-4.6.1-1.fc28.x86_64) scriptlet failed, exit status 6
error: freeipa-server-4.6.1-1.fc28.x86_64: install failed

Dominic Geevarghese

Comment 1 Alexander Bokovoy 2017-09-29 07:20:38 UTC
There seems to be an issue with groupadd. I don't think a leaf package like freeipa-server is the cause of it, though. It needs to be investigated as part of shadow-utils (groupadd is part of shadow-utils).

Comment 2 Alexander Bokovoy 2017-09-29 07:22:12 UTC
Moving to shadow-utils.

Comment 3 Dominic P Geevarghese 2017-09-29 08:57:32 UTC
Created attachment 1332300

That's right. I left the machine for the freeipa installation and when I returned, noticed just the last error reported by freeipa. Sorry guys. Checked again and it turned out 'selinux' is not happy.

type=AVC msg=audit(1506675060.957:227): avc:  denied  { dac_override } for  pid=1114 comm="groupadd" capability=1  scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tclass=capability permissive=0

Attached audit.log for review.
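
For triaging an audit.log like the one attached, the following added example (not part of the bug report or of any Fedora tooling) parses AVC records such as the one quoted in comment 3 and counts enforced denials per command, source type, class and permission. The function names and the small capability-number table are this example's own; the sample line is the record from comment 3.

```python
import re
from collections import Counter

# The AVC record quoted in comment 3, embedded so the example runs offline.
SAMPLE = ('type=AVC msg=audit(1506675060.957:227): avc:  denied  { dac_override } for  '
          'pid=1114 comm="groupadd" capability=1  '
          'scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 '
          'tcontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 '
          'tclass=capability permissive=0')

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<epoch>\d+\.\d+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# First entries of linux/capability.h, used to name the capability=N field.
CAP_NAMES = {0: 'chown', 1: 'dac_override', 2: 'dac_read_search', 3: 'fowner'}


def parse_avc(line):
    """Return the fields of one AVC record as a dict, or None for other lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    rec['serial'] = int(m.group('serial'))
    rec['result'] = m.group('result')
    rec['perms'] = m.group('perms').split()
    for side in ('scontext', 'tcontext'):
        parts = rec.get(side, '').split(':', 3)   # user:role:type[:level]
        rec[side[0] + 'type'] = parts[2] if len(parts) >= 3 else None
    # A process exercising a capability is checked against its own context.
    rec['self_capability'] = (rec.get('tclass', '').startswith('capability')
                              and rec.get('scontext') == rec.get('tcontext'))
    if 'capability' in rec:
        rec['cap_name'] = CAP_NAMES.get(int(rec['capability']))
    return rec


def summarize(lines):
    """Count enforced denials per (comm, source type, class, permission)."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec and rec['result'] == 'denied' and rec.get('permissive') == '0':
            for perm in rec['perms']:
                counts[(rec.get('comm'), rec['stype'], rec.get('tclass'), perm)] += 1
    return counts
```
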
