Bug 502636 - selinux is preventing groupadd/groupmod to touch /usr/tmp
Summary: selinux is preventing groupadd/groupmod to touch /usr/tmp
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 11
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-05-26 15:36 UTC by Petr Muller
Modified: 2016-09-20 02:05 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-08-21 21:27:58 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)

Description Petr Muller 2009-05-26 15:36:19 UTC 
Description of problem:
When nsswitch.conf is configured to use 'db' source for groups, groupadd/groupmod utilities start, for some reason try to touch /usr/tmp, which is a symlink to /var/tmp. This is prevented by selinux with AVC message of this kind:

time->Mon May 25 15:55:53 2009
type=SYSCALL msg=audit(1243281353.364:499668): arch=40000003 syscall=195 success=no exit=-13 a0=22e284 a1=bfc2af08 a2=a60ff4 a3=64 items=0 ppid=15361 pid=16261 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="groupmod" exe="/usr/sbin/groupmod" subj=system_u:system_r:groupadd_t:s0 key=(null)
type=AVC msg=audit(1243281353.364:499668): avc:  denied  { read } for  pid=16261 comm="groupmod" name="tmp" dev=dm-0 ino=1922 scontext=system_u:system_r:groupadd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=lnk_file

Version-Release number of selected component (if applicable):
selinux-policy-3.6.12-39.fc11.noarch
selinux-policy-targeted-3.6.12-39.fc11.noarch

How reproducible:
When we run some of our tests in RHTS. It doesn't seem to manifest when running a simple groupadd from command line, though. But the contexts seem sane.

Steps to Reproduce:
1. run /tools/glibc/Sanity/nss-sanity test with latest rawhide distro
  
Actual results:
avc denied

Expected results:
no avc failures

Additional info:
This was found when testing tier tests on rawhide-20090525 using rhts.
Comment 1 Daniel Walsh 2009-05-26 16:36:47 UTC 
If you put the machine or domain into permissive mode, do you actually see it trying to write to tmp_t files?
Comment 2 Petr Muller 2009-05-26 16:59:26 UTC 
it doesn't seem so - everything groupadd is doing is stat:

# groupdel aaa1; strace -e trace=file groupadd aaa1 2>&1 | grep tmp
stat("/var/tmp", {st_mode=S_IFDIR|S_ISVTX|0777, st_size=4096, ...}) = 0
stat("/var/tmp", {st_mode=S_IFDIR|S_ISVTX|0777, st_size=4096, ...}) = 0
(tens of occurences)
Comment 3 Bug Zapper 2009-06-09 16:35:50 UTC 
This bug appears to have been reported against 'rawhide' during the Fedora 11 development cycle.
Changing version to '11'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 4 Daniel Walsh 2009-08-21 21:27:58 UTC 
Seems like this is fixed in the current release.
Note You need to log in before you can comment on or make changes to this bug.