Description of problem:
I performed a fresh install of FC5 with sendmail. After logging in I wanted to replace sendmail with postfix, so I ran yum install postfix and received these warnings during the install:

    warning: group postdrop does not exist - using root
    warning: group postdrop does not exist - using root
    warning: user postfix does not exist - using root

etc. A yum install mock did the same thing. Looking in /var/log/audit.log I see this:

    type=AVC msg=audit(1143051113.887:626): avc: denied { read write } for pid=13269 comm="useradd" name="lastlog" dev=dm-2 ino=62883 scontext=user_u:system_r:useradd_t:s0-s0:c0.c255 tcontext=system_u:object_r:var_log_t:s0 tclass=file
    type=SYSCALL msg=audit(1143051113.887:626): arch=40000003 syscall=5 success=no exit=-13 a0=80547f9 a1=8002 a2=0 a3=8002 items=1 pid=13269 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="useradd" exe="/usr/sbin/useradd"

Version-Release number of selected component (if applicable):
selinux-policy-targetted-2.2.23-15
kernel-smp-2.6.15-1.2054_FC5.i686
postfix-2.2.8-1.2
shadow-utils-2.2.8-1.2

How reproducible:
Also happened when I installed mock. So on my setup it seems to be whenever I install an rpm that calls useradd in its post script.

Steps to Reproduce:
1. Install FC5 -- set selinux to targeted. Do not install postfix.
2. Log in to the new system.
3. yum install postfix

Actual results:
See errors about non-existent users and groups. Check the logs for useradd AVC denied messages.

Expected results:
postfix installed with the postfix user. postdrop group for some helpers.

Additional info:
Update -- This was done through the yum shell. A new test shows that yum on the command line works but yum shell is repeatably invalid:

    # yum erase postfix
    # yum shell
    [...]
    Setting up Yum Shell
    > install postfix
    [...]
    > ts run
    [...]
    Installing: postfix i386 2:2.2.8-1.2 core 3.4 M
    [...]
    Installing: postfix ######################## [1/1]warning: user postfix does not exist - using root
    [...]
    > exit
    # rpm -V postfix
    .M....G.. /usr/sbin/postdrop
    .M....G.. /usr/sbin/postqueue
    .....U... /var/spool/postfix/active
    .....U... /var/spool/postfix/bounce
    .....U... /var/spool/postfix/corrupt
    .....U... /var/spool/postfix/defer
    .....U... /var/spool/postfix/deferred
    .....U... /var/spool/postfix/flush
    .....U... /var/spool/postfix/hold
    .....U... /var/spool/postfix/incoming
    .....UG.. /var/spool/postfix/maildrop
    .....U... /var/spool/postfix/private
    .....UG.. /var/spool/postfix/public
    .....U... /var/spool/postfix/saved
    .....U... /var/spool/postfix/trace
    # yum erase postfix
    # yum install postfix
    # rpm -V postfix
    .M....... /etc/postfix/TLS_LICENSE
    #

So something about how yum operates from its builtin shell is not addressed in the policy definition.
For complete accuracy this occurs in the %pre install scripts rather than the %post install.
Fixed in 2.2.25-2.fc5
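The AVC and SYSCALL records quoted in the report belong to one audit event and are easier to triage when read together. The following Python is an added example, not part of the original report or of any Fedora or audit tooling: it pairs records by their shared event ID and summarizes the denial. The function names are hypothetical and the sample input is the two records from the report.

```python
import errno
import re

# Added example, not from the report: the two audit records it quotes share one event ID.
SAMPLE = """\
type=AVC msg=audit(1143051113.887:626): avc: denied { read write } for pid=13269 comm="useradd" name="lastlog" dev=dm-2 ino=62883 scontext=user_u:system_r:useradd_t:s0-s0:c0.c255 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1143051113.887:626): arch=40000003 syscall=5 success=no exit=-13 a0=80547f9 a1=8002 a2=0 a3=8002 items=1 pid=13269 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="useradd" exe="/usr/sbin/useradd"
"""

HEADER = re.compile(r'type=(\w+) msg=audit\(([\d.]+:\d+)\):\s*(.*)')
PERMS = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def fields(body):
    """Return key=value pairs from a record body, with quotes stripped."""
    return {k: v.strip('"') for k, v in FIELD.findall(body)}

def selinux_type(context):
    """Type is the third field of user:role:type[:range]; the range may hold colons."""
    return context.split(":")[2]

def correlate(log_text):
    """Group records by audit event ID and summarize each AVC denial."""
    events = {}
    for line in log_text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            rtype, event_id, body = m.groups()
            events.setdefault(event_id, {})[rtype] = body
    denials = []
    for event_id, recs in events.items():
        perms = PERMS.search(recs.get("AVC", ""))
        if not perms:
            continue  # event carries no AVC denial
        avc, sc = fields(recs["AVC"]), fields(recs.get("SYSCALL", ""))
        code = sc.get("exit", "")
        denials.append({
            "event": event_id,
            "source_type": selinux_type(avc["scontext"]),
            "target_type": selinux_type(avc["tcontext"]),
            "tclass": avc["tclass"],
            "perms": perms.group(1).split(),
            "object": avc.get("name"),
            "exe": sc.get("exe"),
            # a negative syscall exit value is -errno
            "errno": errno.errorcode.get(-int(code)) if code.startswith("-") else None,
        })
    return denials
```

For the records above, correlate(SAMPLE) returns one denial: useradd_t refused read and write on the var_log_t file lastlog, with the syscall from /usr/sbin/useradd failing with EACCES.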