abrt version: 2.0.5 executable: /usr/bin/python hashmarkername: setroubleshoot kernel: 3.1.0-0.rc4.git0.0.fc16.x86_64 reason: SELinux is preventing /usr/sbin/useradd from read, write access on the file lastlog. time: Fri Sep 9 18:03:38 2011 description: :SELinux is preventing /usr/sbin/useradd from read, write access on the file lastlog. : :***** Plugin catchall (100. confidence) suggests *************************** : :If you believe that useradd should be allowed read write access on the lastlog file by default. :Then you should report this as a bug. :You can generate a local policy module to allow this access. :Do :allow this access for now by executing: :# grep useradd /var/log/audit/audit.log | audit2allow -M mypol :# semodule -i mypol.pp : :Additional Information: :Source Context unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 :Target Context unconfined_u:object_r:var_log_t:s0 :Target Objects lastlog [ file ] :Source useradd :Source Path /usr/sbin/useradd :Port <Unknown> :Host (removed) :Source RPM Packages shadow-utils-4.1.4.3-7.fc16 :Target RPM Packages :Policy RPM selinux-policy-3.10.0-25.fc16 :Selinux Enabled True :Policy Type targeted :Enforcing Mode Permissive :Host Name (removed) :Platform Linux (removed) 3.1.0-0.rc4.git0.0.fc16.x86_64 #1 SMP : Tue Aug 30 00:00:26 UTC 2011 x86_64 x86_64 :Alert Count 5 :First Seen Fri 09 Sep 2011 01:41:52 PM CEST :Last Seen Fri 09 Sep 2011 03:17:08 PM CEST :Local ID f3be6369-3044-409c-8375-02b097bd694d : :Raw Audit Messages :type=AVC msg=audit(1315574228.933:265): avc: denied { read write } for pid=14692 comm="useradd" name="lastlog" dev=loop0 ino=1571 scontext=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file : : :type=AVC msg=audit(1315574228.933:265): avc: denied { open } for pid=14692 comm="useradd" name="lastlog" dev=loop0 ino=1571 scontext=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file : : :type=SYSCALL msg=audit(1315574228.933:265): arch=x86_64 syscall=open success=yes exit=EBADF a0=40e8fd a1=2 a2=2 a3=0 items=0 ppid=14686 pid=14692 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3 comm=useradd exe=/usr/sbin/useradd subj=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 key=(null) : :Hash: useradd,useradd_t,var_log_t,file,read,write : :audit2allow : :#============= useradd_t ============== :#!!!! The source type 'useradd_t' can write to a 'file' of the following types: :# httpd_user_script_exec_type, security_t, puppet_tmp_t, faillog_t, user_home_type, lastlog_t, initrc_var_run_t, pcscd_var_run_t, httpd_user_content_type, mail_spool_t, shadow_t, etc_t : :allow useradd_t var_log_t:file { read write open }; : :audit2allow -R : :#============= useradd_t ============== :#!!!! The source type 'useradd_t' can write to a 'file' of the following types: :# httpd_user_script_exec_type, security_t, puppet_tmp_t, faillog_t, user_home_type, lastlog_t, initrc_var_run_t, pcscd_var_run_t, httpd_user_content_type, mail_spool_t, shadow_t, etc_t : :allow useradd_t var_log_t:file { read write open }; :
/var/log/lastlog is mislabeled. Not sure how you got this mislabeling. restorecon -R -v /var/log/lastlog will fix this problem. Please reopen the bug if this happens again.
This system has been relabeled recently and I haven't changed any file labels manually. I am sure this wrong labelling has been set by previous package updates. Ok, others will report it too if it is a "real" problem, and it doesn't matter much anyway if it only has been caused by intermediate pre-release policies.
It could be caused by badly installed update. What does # matchpathcon /var/log/lastlog
It shows system_u:object_r:lastlog_t:s0 as expected. I have also relabeled the system and thus removed the last traces of evidence :-(