Description of problem:
When nsswitch.conf is configured to use the 'db' source for groups, the groupadd/groupmod utilities start and, for some reason, try to touch /usr/tmp, which is a symlink to /var/tmp. This is prevented by selinux with an AVC message of this kind:

time->Mon May 25 15:55:53 2009
type=SYSCALL msg=audit(1243281353.364:499668): arch=40000003 syscall=195 success=no exit=-13 a0=22e284 a1=bfc2af08 a2=a60ff4 a3=64 items=0 ppid=15361 pid=16261 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="groupmod" exe="/usr/sbin/groupmod" subj=system_u:system_r:groupadd_t:s0 key=(null)
type=AVC msg=audit(1243281353.364:499668): avc: denied { read } for pid=16261 comm="groupmod" name="tmp" dev=dm-0 ino=1922 scontext=system_u:system_r:groupadd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=lnk_file

Version-Release number of selected component (if applicable):
selinux-policy-3.6.12-39.fc11.noarch
selinux-policy-targeted-3.6.12-39.fc11.noarch

How reproducible:
When we run some of our tests in RHTS. It doesn't seem to manifest when running a simple groupadd from the command line, though. But the contexts seem sane.

Steps to Reproduce:
1. run /tools/glibc/Sanity/nss-sanity test with latest rawhide distro

Actual results:
avc denied

Expected results:
no avc failures

Additional info:
This was found when testing tier tests on rawhide-20090525 using rhts.
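As an added example (not part of the bug report or of the selinux-policy package), a small Python parser for audit records of the kind quoted above: it picks out the source domain, target type, object class and denied permission from the type=AVC line, skips the type=SYSCALL line, and renders the TE allow rule a policy maintainer would get from audit2allow for this denial (groupadd_t reading the usr_t symlink). The sample records are constructed from the report.

```python
import re

# Constructed sample: the SYSCALL and AVC records from the report, one per line,
# as ausearch prints them. Both share the serial 499668 in msg=audit(ts:serial).
SAMPLE_RECORDS = """\
type=SYSCALL msg=audit(1243281353.364:499668): arch=40000003 syscall=195 success=no exit=-13 a0=22e284 a1=bfc2af08 a2=a60ff4 a3=64 items=0 ppid=15361 pid=16261 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="groupmod" exe="/usr/sbin/groupmod" subj=system_u:system_r:groupadd_t:s0 key=(null)
type=AVC msg=audit(1243281353.364:499668): avc: denied { read } for pid=16261 comm="groupmod" name="tmp" dev=dm-0 ino=1922 scontext=system_u:system_r:groupadd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=lnk_file
"""

# key=value pairs: quoted strings, parenthesised values such as key=(null), or bare tokens
KV_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')
# the permission set, e.g. 'avc: denied { read }' or 'avc: granted { read write }'
PERM_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}')
SERIAL_RE = re.compile(r'audit\([\d.]+:(\d+)\)')

def parse_avc(line):
    """Describe one type=AVC record as a dict; return None for any other record type."""
    perm = PERM_RE.search(line)
    if not perm:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    if fields.get("type") != "AVC":
        return None
    # contexts look like user:role:type:level; the type field is index 2
    return {
        "serial": SERIAL_RE.search(line).group(1),
        "result": perm.group(1),
        "perms": perm.group(2).split(),
        "source_type": fields["scontext"].split(":")[2],
        "target_type": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "comm": fields.get("comm"),
        "name": fields.get("name"),
    }

def denials(text):
    """All denied AVC records in a block of audit output, in order."""
    parsed = (parse_avc(line) for line in text.splitlines())
    return [avc for avc in parsed if avc and avc["result"] == "denied"]

def suggest_rule(avc):
    """Render the TE allow rule that would cover this denial (what audit2allow emits)."""
    return "allow %s %s:%s { %s };" % (
        avc["source_type"], avc["target_type"], avc["tclass"], " ".join(avc["perms"]))

if __name__ == "__main__":
    for avc in denials(SAMPLE_RECORDS):
        print(avc["comm"], "on", avc["name"], "->", suggest_rule(avc))
```

Whether such a rule belongs in the policy is a separate decision: here the symlink read is harmless, but the same denial shape for a write to a tmp type would deserve a look at the program rather than the policy.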
If you put the machine or domain into permissive mode, do you actually see it trying to write to tmp_t files?
It doesn't seem so - everything groupadd is doing is stat:

# groupdel aaa1; strace -e trace=file groupadd aaa1 2>&1 | grep tmp
stat("/var/tmp", {st_mode=S_IFDIR|S_ISVTX|0777, st_size=4096, ...}) = 0
stat("/var/tmp", {st_mode=S_IFDIR|S_ISVTX|0777, st_size=4096, ...}) = 0
(tens of occurrences)
This bug appears to have been reported against 'rawhide' during the Fedora 11 development cycle. Changing version to '11'. More information and reason for this action is here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Seems like this is fixed in the current release.