Description of problem:

Summary:
SELinux prevented groupadd from reading files stored on a NFS filesystem.

Detailed Description:
SELinux prevented groupadd from reading files stored on a NFS filesystem. NFS (Network Filesystem) is a network filesystem commonly used on Unix / Linux systems. groupadd attempted to read one or more files or directories from a mounted filesystem of this type. As NFS filesystems do not support fine-grained SELinux labeling, all files and directories in the filesystem will have the same security context. If you have not configured groupadd to read files from a NFS filesystem this access attempt could signal an intrusion attempt.

Allowing Access:
Changing the "use_nfs_home_dirs" boolean to true will allow this access: "setsebool -P use_nfs_home_dirs=1"

Fix Command:
setsebool -P use_nfs_home_dirs=1

Additional Information:

Source Context                unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023
Target Context                system_u:object_r:nfs_t:s0
Target Objects                ./ [ dir ]
Source                        groupadd
Source Path                   /usr/sbin/groupadd
Port                          <Unknown>
Host                          segfault.boston.devel.redhat.com
Source RPM Packages           shadow-utils-4.1.1-2.fc9
Target RPM Packages           filesystem-2.4.13-1.fc9
Policy RPM                    selinux-policy-3.3.1-64.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   use_nfs_home_dirs
Host Name                     segfault.boston.devel.redhat.com
Platform                      Linux segfault.boston.devel.redhat.com 2.6.25.6-55.fc9.x86_64 #1 SMP Tue Jun 10 16:05:21 EDT 2008 x86_64 x86_64
Alert Count                   2
First Seen                    Wed 25 Jun 2008 12:12:40 PM EDT
Last Seen                     Wed 25 Jun 2008 12:12:40 PM EDT
Local ID                      85ac57ac-7a6b-4cf6-b13d-8a598be77f0c
Line Numbers

Raw Audit Messages

host=segfault.boston.devel.redhat.com type=AVC msg=audit(1214410360.511:381): avc: denied { search } for pid=21579 comm="groupadd" name="" dev=0:18 ino=15375843 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=dir
host=segfault.boston.devel.redhat.com type=SYSCALL msg=audit(1214410360.511:381): arch=c000003e syscall=2 success=no exit=-13 a0=956730 a1=0 a2=1b6 a3=7ff9e556a780 items=0 ppid=21578 pid=21579 auid=3734 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=9 comm="groupadd" exe="/usr/sbin/groupadd" subj=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 key=(null)

How reproducible:

Steps to Reproduce:
1. yum install mock while having an NFS-mounted directory (in my case, my homedir).
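The two raw audit records above are the part of the report a responder actually has to read: the AVC record carries the denied permission and the source/target contexts, the SYSCALL record with the same audit serial carries the process, login uid and errno. The following Python script, added here as an illustration and not part of the bug report or of setroubleshoot, parses both records from the report, joins them on the serial, pulls out the SELinux type of each context, and reproduces the report's own recommendation (the use_nfs_home_dirs boolean) only when the target type is nfs_t. The function names, the parsing regexes and the second, non-NFS denial line are assumptions constructed for the example; the first two log lines are copied from the report.

```python
import re
from collections import defaultdict

# The AVC and SYSCALL records from the report above (copied, not constructed),
# plus one constructed AVC record with a non-NFS target to exercise the other branch.
AUDIT_LINES = [
    'type=AVC msg=audit(1214410360.511:381): avc: denied { search } for pid=21579 comm="groupadd" '
    'name="" dev=0:18 ino=15375843 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:nfs_t:s0 tclass=dir',
    'type=SYSCALL msg=audit(1214410360.511:381): arch=c000003e syscall=2 success=no exit=-13 '
    'a0=956730 a1=0 a2=1b6 a3=7ff9e556a780 items=0 ppid=21578 pid=21579 auid=3734 uid=0 gid=0 '
    'euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=9 comm="groupadd" '
    'exe="/usr/sbin/groupadd" subj=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 key=(null)',
    # Constructed sample: same domain, but the target is an ordinary local file.
    'type=AVC msg=audit(1214410400.000:382): avc: denied { write } for pid=21600 comm="groupadd" '
    'name="group" dev=sda1 ino=1234 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:etc_t:s0 tclass=file',
]

RE_TYPE = re.compile(r"^type=(\w+)")
RE_SERIAL = re.compile(r"msg=audit\(([\d.]+):(\d+)\)")
RE_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value or key="quoted value"
RE_AVC = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}")


def selinux_type(context):
    """Return the type component of a user:role:type[:range] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else None


def parse_record(line):
    """Split one audit record into its type, audit serial, key=value fields and AVC verdict."""
    rec = {"type": None, "serial": None, "fields": {}, "result": None, "perms": []}
    m = RE_TYPE.match(line)
    if m:
        rec["type"] = m.group(1)
    m = RE_SERIAL.search(line)
    if m:
        rec["serial"] = f"{m.group(1)}:{m.group(2)}"   # e.g. 1214410360.511:381
    for key, value in RE_KV.findall(line):
        rec["fields"][key] = value.strip('"')
    m = RE_AVC.search(line)
    if m:
        rec["result"] = m.group(1)
        rec["perms"] = m.group(2).split()
    return rec


def summarize_denials(lines):
    """Join AVC denials with the SYSCALL record that shares their serial; one summary per denial."""
    by_serial = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec["serial"]:
            by_serial[rec["serial"]].append(rec)
    summaries = []
    for serial, recs in by_serial.items():
        syscalls = [r["fields"] for r in recs if r["type"] == "SYSCALL"]
        sc = syscalls[0] if syscalls else {}
        for avc in (r for r in recs if r["type"] == "AVC" and r["result"] == "denied"):
            f = avc["fields"]
            summaries.append({
                "serial": serial,
                "comm": f.get("comm"),
                "source_type": selinux_type(f.get("scontext", "")),
                "target_type": selinux_type(f.get("tcontext", "")),
                "tclass": f.get("tclass"),
                "perms": avc["perms"],
                # Fields only the SYSCALL record carries; None when it is missing.
                "exe": sc.get("exe"),
                "auid": int(sc["auid"]) if "auid" in sc else None,
                "exit": int(sc["exit"]) if "exit" in sc else None,
            })
    return summaries


def suggested_fix(denial):
    """Reproduce the report's recommendation: only an nfs_t target maps to the use_nfs_home_dirs
    boolean. Any other target gets None, i.e. this rule does not apply (assumption: we model
    just the single plugin named in the report, not setroubleshoot's full plugin set)."""
    if denial["target_type"] == "nfs_t":
        return "setsebool -P use_nfs_home_dirs=1"
    return None


if __name__ == "__main__":
    for d in summarize_denials(AUDIT_LINES):
        print(f"{d['serial']}: {d['source_type']} -> {d['target_type']} ({d['tclass']}) "
              f"{d['perms']} exe={d['exe']} auid={d['auid']} exit={d['exit']} "
              f"fix={suggested_fix(d)}")
```

Joining on the serial matters because the AVC record alone does not say who ran groupadd; auid=3734 in the SYSCALL record is the login user behind the uid=0 process, which is the field to check when deciding whether an NFS access from a root-owned admin tool was expected.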
You can allow this for now.

# audit2allow -M mypol -l -i /var/log/audit/audit.log
# semodule -i mypol.pp

Fixed in selinux-policy-3.3.1-72.fc9.noarch
Closing all bugs that have been in modified for over a month. Please reopen if the bug is not actually fixed.