Bug 186294 - useradd through yum from rpm postinstall
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 5
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Russell Coker
Reported: 2006-03-22 19:08 UTC by Toshio Kuratomi
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version: 2.2.25-2.fc5
Doc Type: Bug Fix
Last Closed: 2006-04-03 16:31:03 UTC

Description Toshio Kuratomi 2006-03-22 19:08:45 UTC
Description of problem:
I performed a fresh install of FC5 with sendmail.  After logging in I wanted to
replace sendmail with postfix so I ran yum install postfix and received these
warnings during the install:

warning: group postdrop does not exist - using root
warning: group postdrop does not exist - using root
warning: user postfix does not exist - using root

and etc.

A yum install mock did the same thing.

Looking in /var/log/audit.log I see this:

type=AVC msg=audit(1143051113.887:626): avc: denied { read write } for pid=13269
comm="useradd" name="lastlog" dev=dm-2 ino=62883
scontext=user_u:system_r:useradd_t:s0-s0:c0.c255
tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1143051113.887:626): arch=40000003 syscall=5 success=no
exit=-13 a0=80547f9 a1=8002 a2=0 a3=8002 items=1 pid=13269 auid=4294967295 uid=0
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="useradd"
exe="/usr/sbin/useradd"

Version-Release number of selected component (if applicable):
selinux-policy-targetted-2.2.23-15
kernel-smp-2.6.15-1.2054_FC5.i686
postfix-2.2.8-1.2
shadow-utils-2.2.8-1.2


How reproducible:
Also happened when I installed mock.  So on my setup it seems to be whenever I
install an rpm that calls useradd in its post script.

Steps to Reproduce:
1. Install FC5 -- set selinux to targeted.  Do not install postfix.
2. Login to the new system.
3. yum install postfix
  
Actual results:
See errors about non-existent users and groups.  Check the logs for useradd AVC
denied messages.

Expected results:
postfix installed with the postfix user. postdrop group for some helpers.

Additional info:

Comment 1 Toshio Kuratomi 2006-03-22 20:14:10 UTC
Update -- This was done through the yum shell.  A new test shows that yum on the
command line works but yum shell is repeatably invalid:

# yum erase postfix
# yum shell
[...]
Setting up Yum Shell
> install postfix
[...]
> ts run
[...]
Installing:
 postfix                 i386       2:2.2.8-1.2      core              3.4 M
[...]
  Installing: postfix                      ######################## 
[1/1]warning: user postfix does not exist - using root
[...]
> exit
# rpm -V postfix
.M....G..   /usr/sbin/postdrop
.M....G..   /usr/sbin/postqueue
.....U...   /var/spool/postfix/active
.....U...   /var/spool/postfix/bounce
.....U...   /var/spool/postfix/corrupt
.....U...   /var/spool/postfix/defer
.....U...   /var/spool/postfix/deferred
.....U...   /var/spool/postfix/flush
.....U...   /var/spool/postfix/hold
.....U...   /var/spool/postfix/incoming
.....UG..   /var/spool/postfix/maildrop
.....U...   /var/spool/postfix/private
.....UG..   /var/spool/postfix/public
.....U...   /var/spool/postfix/saved
.....U...   /var/spool/postfix/trace
# yum erase postfix
# yum install postfix
# rpm -V postfix
.M.......   /etc/postfix/TLS_LICENSE
#
So something about how yum operates from its builtin shell is not addressed in
the policy definition.

Comment 2 Toshio Kuratomi 2006-03-23 17:13:04 UTC
For complete accuracy this occurs in the %pre install scripts rather than the
%post install.

Comment 3 Daniel Walsh 2006-04-03 16:31:03 UTC
Fixed in 2.2.25-2.fc5
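
Added example, not part of the bug report or of any project's code: a small Python parser that pairs the AVC and SYSCALL records quoted in the description by their audit event serial and summarises what was denied. The function names are hypothetical, and the rule string is only a compact triage summary in the form audit2allow prints, not the change shipped in 2.2.25-2.fc5.

```python
import re

# The two audit records from the description, rejoined onto single lines.
SAMPLE = (
    'type=AVC msg=audit(1143051113.887:626): avc: denied { read write } for pid=13269 '
    'comm="useradd" name="lastlog" dev=dm-2 ino=62883 '
    'scontext=user_u:system_r:useradd_t:s0-s0:c0.c255 '
    'tcontext=system_u:object_r:var_log_t:s0 tclass=file\n'
    'type=SYSCALL msg=audit(1143051113.887:626): arch=40000003 syscall=5 success=no '
    'exit=-13 a0=80547f9 a1=8002 a2=0 a3=8002 items=1 pid=13269 auid=4294967295 uid=0 '
    'gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="useradd" '
    'exe="/usr/sbin/useradd"\n'
)

HEADER = re.compile(r'type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):')
PERMS = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_denials(text):
    """Return one dict per AVC denial, merged with its SYSCALL record."""
    events = {}
    for line in text.splitlines():
        head = HEADER.match(line)
        if not head:
            continue
        rtype, _timestamp, serial = head.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(line[head.end():])}
        ev = events.setdefault(serial, {})  # records of one event share a serial
        if rtype == 'AVC':
            perms = PERMS.search(line)
            if not perms:
                continue
            ev.update(fields, perms=perms.group(1).split())
        elif rtype == 'SYSCALL':
            # exit=-13 is -EACCES: the syscall failed because of the denial
            ev.update(exe=fields.get('exe'), exit=int(fields.get('exit', 0)))
    return [ev for ev in events.values() if 'perms' in ev]


def as_rule(ev):
    """Summarise a denial as source type, target type, class and permissions."""
    src = ev['scontext'].split(':')[2]  # user:role:type:level -> type
    tgt = ev['tcontext'].split(':')[2]
    return 'allow %s %s:%s { %s };' % (src, tgt, ev['tclass'], ' '.join(ev['perms']))
```
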

