Description of problem: $ sudo dnf install /usr/lib/libbrlapi.so.0.6 Last metadata expiration check: 1:09:12 ago on Fri 29 Sep 2017 02:20:59 EDT. Dependencies resolved. ================================================================================ Package Arch Version Repository Size ================================================================================ Installing: brlapi armv7hl 0.6.6-9.fc28 rawhide 150 k Transaction Summary ================================================================================ Install 1 Package Total download size: 150 k Installed size: 416 k Is this ok [y/N]: y Downloading Packages: brlapi-0.6.6-9.fc28.armv7hl.rpm 3.2 MB/s | 150 kB 00:00 -------------------------------------------------------------------------------- Total 134 kB/s | 150 kB 00:01 warning: /var/cache/dnf/rawhide-805c449d99b9520f/packages/brlapi-0.6.6-9.fc28.armv7hl.rpm: Header V3 RSA/SHA256 Signature, key ID 9db62fb1: NOKEY Running transaction check Transaction check succeeded. Running transaction test Transaction test succeeded. Running transaction Preparing : 1/1 Running scriptlet: brlapi-0.6.6-9.fc28.armv7hl 1/1 groupadd: cannot open /etc/gshadow error: %prein(brlapi-0.6.6-9.fc28.armv7hl) scriptlet failed, exit status 10 Error in PREIN scriptlet in rpm package brlapi Error in PREIN scriptlet in rpm package brlapi brlapi-0.6.6-9.fc28.armv7hl was supposed to be installed but is not! Verifying : brlapi-0.6.6-9.fc28.armv7hl 1/1 Failed: brlapi.armv7hl 0.6.6-9.fc28 Error: Transaction failed
$ ll /etc/gshadow ----------. 1 root root 443 Sep 28 17:22 /etc/gshadow
I had to set gshadow to 0666 (!) to install this package. Even 0600 didn't work.
%pre -n brlapi getent group brlapi >/dev/null || groupadd -r brlapi >/dev/null Sounds like a bug in setup.
No, definitely not a bug in setup - gshadow is handled through capabilities intentionally. Let's reassign that to shadow-utils - where utilities for adding groups and users live - but gshadow will stay as 000 , 666 is just number of devil and wrong for /etc/shadow and /etc/gshadow.
This is fallout from the no dac_override policy change.
Tomas is right. Fixes will be available in next selinux-policy rawhide build.