Description of problem:
These were generated when the cron.daily yum update upgraded ntp, which runs:

preinstall scriptlet (using /bin/sh):
/usr/sbin/groupadd -g 38 ntp 2> /dev/null || :
/usr/sbin/useradd -u 38 -g 38 -s /sbin/nologin -M -r -d /etc/ntp ntp 2>/dev/null || :

May 12 04:50:07 cynosure kernel: audit(1147431007.092:29): avc: denied { write } for pid=19274 comm="groupadd" name="[906158]" dev=pipefs ino=906158 scontext=user_u:system_r:groupadd_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=fifo_file
May 12 04:50:07 cynosure kernel: audit(1147431007.320:30): avc: denied { write } for pid=19275 comm="useradd" name="[906158]" dev=pipefs ino=906158 scontext=user_u:system_r:useradd_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=fifo_file

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.2.38-1.fc5

Additional info:
We're running NIS:

passwd: files nis
group: files nis

I don't seem to get the message if I run the groupadd command from the shell.
The weird thing here is that cron ran these rpms in unconfined_t instead of rpm_t? How is your yum executable labeled?

Dan
Just tested this again, and I still get the message. yum is labeled:

-rwxr-xr-x root root system_u:object_r:rpm_exec_t /usr/bin/yum
-rwxr-xr-x root root system_u:object_r:useradd_exec_t /usr/sbin/useradd
-rwxr-xr-x root root system_u:object_r:groupadd_exec_t /usr/sbin/groupadd

crond process:

system_u:system_r:crond_t:SystemLow-SystemHigh root 2499 1 0 Jul07 ? 00:00:00 crond

Isn't it the pipe that's unlabeled, not the process (running useradd_t or groupadd_t)?
OK I think I know what the problem is. crond is broken and mistakenly running system jobs as user_crond_t. It is supposed to run them as system_crond_t, which would work better, or at least make sense. The problem is the policy says rpm can talk to that fifo_file but not stuff in the post install scripts. These problems are a pain to fix, since everyone down the line needs to dontaudit the open fifo_file. In FC6 we have added yum-updatesd to better handle what you are trying to do, BTW.
Any chance of this getting fixed in FC5? I've been testing out FC6 and haven't been impressed with yum-updatesd so far.
My intention is to update FC5 to FC6 policy. Problem is I have not been able to test if this causes other problems, because I have been so busy with FC6 and RHEL5 stuff. If you want to test it: http://people.redhat.com/dwalsh/SELinux/FC5
Still see:

Jan 23 04:58:33 coop01 kernel: audit(1169553513.928:7): avc: denied { write } for pid=28999 comm="groupadd" name="[9657153]" dev=pipefs ino=9657153 scontext=user_u:system_r:groupadd_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=fifo_file

with selinux-policy-2.4.5-4.fc5
All of these bugs should be fixed in FC6. You could attempt to use the FC6 policy on FC5 or upgrade. Or you could use

audit2allow -M mypolicy -i /var/log/audit/audit.log

and build local customized policy.