The alert is for groupadd, but groupdel does the same. It occurs when I use sudo to install or remove a package that uses those commands. I have not verified if it happens if done without sudo.

Summary

SELinux is preventing /usr/sbin/groupadd (groupadd_t) "search" to / (home_root_t).

Detailed Description

SELinux denied access requested by /usr/sbin/groupadd. It is not expected that this access is required by /usr/sbin/groupadd and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access

Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for /,

    restorecon -v /

If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Additional Information

Source Context          user_u:system_r:groupadd_t
Target Context          system_u:object_r:home_root_t
Target Objects          / [ dir ]
Affected RPM Packages   shadow-utils-4.0.18.1-15.fc7 [application]
                        filesystem-2.4.6-1.fc7 [target]
Policy RPM              selinux-policy-2.6.4-70.fc7
Selinux Enabled         True
Policy Type             targeted
MLS Enabled             True
Enforcing Mode          Enforcing
Plugin Name             plugins.catchall_file
Host Name               ignacio.ignacio.lan
Platform                Linux ignacio.ignacio.lan 2.6.23.14-64.fc7 #1 SMP Sun Jan 20 23:54:08 EST 2008 i686 athlon
Alert Count             6
First Seen              Sat 16 Feb 2008 01:12:05 AM EST
Last Seen               Sat 16 Feb 2008 01:12:06 AM EST
Local ID                197d2875-0baf-4b9f-b60c-24eb848d9198
Line Numbers

Raw Audit Messages

avc: denied { search } for comm="groupadd" dev=dm-1 egid=0 euid=0 exe="/usr/sbin/groupadd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="/" pid=7355 scontext=user_u:system_r:groupadd_t:s0 sgid=0 subj=user_u:system_r:groupadd_t:s0 suid=0 tclass=dir tcontext=system_u:object_r:home_root_t:s0 tty=pts2 uid=0
Please send me the name of the offending package; I would like to reproduce it. Thank you.
This is happening because you are sitting in the homedir when you execute your update command. When you install a package via RPM, rpm transitions to rpm_t, and when it executes groupadd it transitions to groupadd_t. The C library then does a getcwd when the executable starts, generating the AVC. If you cd / before running rpm or yum, this AVC will not happen. It can safely be ignored.
And it means to create a don't audit rule. Right?
Works for me.
Well, you can't really create a dontaudit rule for every possible directory you would run this in. We could add an allow domain file_type:dir getattr; or dontaudit domain file_type:dir getattr and eliminate them that way. I will allow this in rawhide.
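
The last comment's point, that a dontaudit rule per working directory does not scale, shown as an added example that is not part of the bug thread or of any SELinux tool: this Python script parses the raw audit message from the report plus two constructed denials and emits the per-type rules they would require. The helper names `parse_avc` and `dontaudit_rules` are hypothetical, and the second and third sample lines are constructed.

```python
import re
from collections import defaultdict
# First entry is the raw audit message quoted in the report; the other two are
# constructed to show the same denial raised from other working directories.
SAMPLE = [
    'avc: denied { search } for comm="groupadd" dev=dm-1 egid=0 euid=0 '
    'exe="/usr/sbin/groupadd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="/" '
    'pid=7355 scontext=user_u:system_r:groupadd_t:s0 sgid=0 '
    'subj=user_u:system_r:groupadd_t:s0 suid=0 tclass=dir '
    'tcontext=system_u:object_r:home_root_t:s0 tty=pts2 uid=0',
    'avc: denied { search } for comm="groupadd" name="ignacio" pid=7401 '
    'scontext=user_u:system_r:groupadd_t:s0 tclass=dir '
    'tcontext=user_u:object_r:user_home_dir_t:s0',
    'avc: denied { getattr } for comm="groupadd" name="tmp" pid=7420 '
    'scontext=user_u:system_r:groupadd_t:s0 tclass=dir '
    'tcontext=system_u:object_r:tmp_t:s0',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the denial as a dict, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    if not {'scontext', 'tcontext', 'tclass'} <= fields.keys():
        return None
    fields['perms'] = m.group(1).split()
    # A context is user:role:type[:level]; the type is the third component.
    fields['stype'] = fields['scontext'].split(':')[2]
    fields['ttype'] = fields['tcontext'].split(':')[2]
    return fields

def dontaudit_rules(lines):
    """Merge denials into one dontaudit rule per (source, target, class)."""
    merged = defaultdict(set)
    for d in filter(None, map(parse_avc, lines)):
        merged[(d['stype'], d['ttype'], d['tclass'])].update(d['perms'])
    rules = []
    for (s, t, c), perms in sorted(merged.items()):
        p = sorted(perms)
        perm_text = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
        rules.append(f'dontaudit {s} {t}:{c} {perm_text};')
    return rules

if __name__ == '__main__':
    print('\n'.join(dontaudit_rules(SAMPLE)))
```

Each distinct directory type yields its own rule, which is why the comment proposes a single rule over the domain and file_type attributes instead.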