I think especially for "standard", general purpose users and groups, having the useradd/groupadd sprinkled in several packages' %post scripts could be a problem - packages may end up creating them differently: different home dirs, initial groups, system or not etc unless there's continuous effort in keeping them strictly in sync.  A central "always installed" package for these additions would not have this problem.  Maybe fedora-release (although it doesn't strictly speaking seem to satisfy the "always installed" criterion)?

That %post section was added due to request of Harald Hoyer - he requested general group audio and video, created by default - as is done in other Linux distributions. I added those groups into /etc/group shipped by setup, but it will not add those groups for updates (just .rpmnew created). Easiest solution was to add post section to setup, which will create user if not detected in /etc/group ...There will be NO /etc/passwd.rpmnew or /etc/group.rpmnew for future upgrades, as those groupadds are only for the case of upgrades from the state where those groups were not present(no .rpmnew files for clean installation). what's wrong on that approach? Do you have other idea how to add system default group audio/video via setup update? Adding those groupadds to udev and possibly all other packages which would depend on those groups in future seems a bit silly to me as it affects just existing rawhide and updates to rawhide - not installation of latest rawhide packages.

> There will be NO /etc/passwd.rpmnew or /etc/group.rpmnew for future upgrades, 
> as those groupadds are only for the case of upgrades from the state where 
> those groups were not present(no .rpmnew files for clean installation). 
> what's wrong on that approach?

What's wrong is that setup depending on /bin/sh comptelely breaks the installation ordering by causing an unresolvable dependency loop in the delicate early-installation package set. Which in turn "breaks the world", quite literally.

Setup package can only use -p <lua> scriptlets as that doesn't introduce external dependencies. And even then, you need to be very very careful not to introduce extra dependencies in the the scriptlet itself. Something like:

%post -p <lua>
if arg[2] > 1 and posix.access("/usr/sbin/groupadd", "x") then
   os.execute("/usr/sbin/groupadd -g 39 video")
   os.execute("/usr/sbin/groupadd -g 63 audio")
end

Only doing the groupadds if the groups dont already exist is left as an exercise to the reader if you think going this route is really worth the trouble.

Thanks for hints and detailed explanation, Panu... 
Will change the post scriptlet to use lua language instead of default /bin/sh, it is anyway just temporary solution to prevent missing groups after upgrade from lower Fedora's and will be removed after F10 EOL.

Just to be clear, the above example is nowhere near fully safe either, the four lines are full of hidden assumptions. The example is only safe as far as
1) it doesn't add external dependencies to setup 
2) the groupadd is only attempted on upgrades

On upgrade, it's reasonably likely that shell (which os.execute() actually uses), groupadd and their dependencies are in working shape, but it's just an assumption that nothing *guarantees*.

In other words, it's simplest to have the groupadd scripts in the %post of the package that's actually going to use those groups. I.e., udev. In that case, you don't even need to change the shipped /etc/group.

Temporarily changed post scriptlet to lua language (Panu's example from comment #3 looks ok for me - at least as a temporary "rawhide" solution). 

Harald: are you ok with adding something like:

#to be removed after F10 EOL (and for RHEL-6)
if [ `grep -c video /etc/group` -eq 0 ] ; then
   groupadd -g 39 video
fi
if [ `grep -c audio /etc/group` -eq 0 ] ; then
   groupadd -g 63 audio
fi

to udev post scriptlet? At the moment udev is afaik the only package expecting video/audio group installed(#476886,#458843), those groups will be created by default by setup in clean installation of rawhide/F11 - but for setup updates it is necessary to have that post scriptlet somewhere. Setup is the best place for it, but having it temporarily in all packages which expect video/audio group (at the moment only udev) is less dangerous...

FWIW, the vdr package uses the video group as well, and has always created it itself.  I plan to drop the creation from it when it is done in the base distro level.

hmm, ok, then udev it will be..

setup-2.7.7-3.fc11.noarch has post script:

postinstall scriptlet (using <lua>):
if arg[2] > 1 and posix.access("/usr/sbin/groupadd", "x") then
   os.execute("/usr/sbin/groupadd -g 39 video &>/dev/null")
   os.execute("/usr/sbin/groupadd -g 63 audio &>/dev/null")
end

This triggers SELinux AVCs (and failure) for the groupadd:

[root@tlondon ~]# audit2allow -al


#============= groupadd_t ==============
allow groupadd_t rpm_t:unix_dgram_socket { read write };
allow groupadd_t rpm_var_lib_t:file { read write };
allow groupadd_t var_t:file read;
[root@tlondon ~]# 

Raw AVCs:

type=AVC msg=audit(1233328256.712:31): avc:  denied  { read write } for  pid=4892 comm="groupadd" path="socket:[65408]" dev=sockfs ino=65408 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:rpm_t:s0-s0:c0.c1023 tclass=unix_dgram_socket
type=AVC msg=audit(1233328256.712:31): avc:  denied  { read } for  pid=4892 comm="groupadd" path="/var/cache/yum/11koji32/packages/setup-2.7.7-3.fc11.noarch.rpm" dev=dm-1 ino=2555911 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1233328256.712:31): avc:  denied  { read write } for  pid=4892 comm="groupadd" path="/var/lib/rpm/__db.000" dev=dm-1 ino=66684 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:rpm_var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1233328256.712:31): arch=c000003e syscall=59 success=yes exit=0 a0=1b2a9a0 a1=1b2aa60 a2=1b290f0 a3=7fffee0481f0 items=0 ppid=4891 pid=4892 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="groupadd" exe="/usr/sbin/groupadd" subj=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 key=(null)
type=ADD_GROUP msg=audit(1233328257.006:32): user pid=4892 uid=0 auid=500 ses=1 subj=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 msg='op=adding group acct="video" exe="/usr/sbin/groupadd" (hostname=?, addr=?, terminal=pts/0 res=failed)'
type=AVC msg=audit(1233328257.052:33): avc:  denied  { read write } for  pid=4894 comm="groupadd" path="socket:[65408]" dev=sockfs ino=65408 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:rpm_t:s0-s0:c0.c1023 tclass=unix_dgram_socket
type=AVC msg=audit(1233328257.052:33): avc:  denied  { read } for  pid=4894 comm="groupadd" path="/var/cache/yum/11koji32/packages/setup-2.7.7-3.fc11.noarch.rpm" dev=dm-1 ino=2555911 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_t:s0 tclass=file
type=AVC msg=audit(1233328257.052:33): avc:  denied  { read write } for  pid=4894 comm="groupadd" path="/var/lib/rpm/__db.000" dev=dm-1 ino=66684 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:rpm_var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1233328257.052:33): arch=c000003e syscall=59 success=yes exit=0 a0=1f709a0 a1=1f70a60 a2=1f6f0f0 a3=7ffffe37e2a0 items=0 ppid=4893 pid=4894 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="groupadd" exe="/usr/sbin/groupadd" subj=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 key=(null)
type=ADD_GROUP msg=audit(1233328257.061:34): user pid=4894 uid=0 auid=500 ses=1 subj=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 msg='op=adding group acct="audio" exe="/usr/sbin/groupadd" (hostname=?, addr=?, terminal=pts/0 res=failed)'


Can this scriplet be dropped as it appears to have been added to udev?

As vdr and udev do create temporarily those groups now, I dropped that scriptlet in setup-2.7.7-4.fc11. Closing RAWHIDE.