Bug 809735 - groupadd run by rpm cannot update /etc/group
Summary: groupadd run by rpm cannot update /etc/group
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Duplicates: 807856
Depends On:
Blocks:
Reported: 2012-04-04 08:47 UTC by Petr Pisar
Modified: 2012-09-24 08:28 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-04-11 19:45:46 UTC
Type: Bug
Embargoed:




Links:
Red Hat Bugzilla 859532 (CLOSED): radvd: permission denied when calling useradd/groupadd during installation (last updated 2021-02-22 00:41:40 UTC)

Internal Links: 859532

Description Petr Pisar 2012-04-04 08:47:34 UTC
# rpm -q selinux-policy rpm shadow-utils
selinux-policy-3.10.0-104.fc17.noarch
rpm-4.9.90-0.git11505.10.fc18.x86_64
shadow-utils-4.1.5-2.fc18.x86_64

# ls -lZ /etc/group* /etc/gshadow*
-rw-r--r--. root root system_u:object_r:passwd_file_t:s0 /etc/group
-rw-------. root root system_u:object_r:passwd_file_t:s0 /etc/group-
----------. root root system_u:object_r:shadow_t:s0    /etc/gshadow
-rw-------. root root system_u:object_r:shadow_t:s0    /etc/gshadow-

# ls -lZ /usr/bin/rpm /sbin/groupadd 
-rwxr-x---. root root system_u:object_r:groupadd_exec_t:s0 /sbin/groupadd
-rwxr-xr-x. root root system_u:object_r:rpm_exec_t:s0  /usr/bin/rpm

Installing the `radvd' package, which adds the radvd group (and user) and assigns ownership of some files to the radvd group (and user), exhibits this problem: 

secure log:

Apr  4 10:30:55 fedora-18 groupadd[1446]: failed to add group radvd to /etc/gshadow
Apr  4 10:30:55 fedora-18 groupadd[1446]: failed to add group radvd to /etc/group
Apr  4 10:30:55 fedora-18 groupadd[1446]: failed to add group radvd

audit log:

type=ADD_GROUP msg=audit(1333528255.935:4): pid=0 uid=0 auid=0 ses=1 subj=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 msg='op=adding group to /etc/gshadow acct="radvd" exe="/usr/sbin/groupadd" hostname=? addr=? terminal=? res=failed'
type=ADD_GROUP msg=audit(1333528255.936:5): pid=0 uid=0 auid=0 ses=1 subj=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 msg='op=adding group to /etc/group acct="radvd" exe="/usr/sbin/groupadd" hostname=? addr=? terminal=? res=failed'
type=ADD_GROUP msg=audit(1333528255.936:6): pid=0 uid=0 auid=0 ses=1 subj=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 msg='op= acct="radvd" exe="/usr/sbin/groupadd" hostname=? addr=? terminal=? res=failed'

I've relabeled all files on boot, because the label on /etc/group was wrong, to make sure all labels are correct.

Comment 1 Miroslav Grepl 2012-04-04 09:24:12 UTC
Does it work in permissive mode?

Comment 2 Petr Pisar 2012-04-04 09:44:38 UTC
It works in permissive mode. Also running groupadd under unconfined root in enforcing mode works.

Comment 3 Miroslav Grepl 2012-04-04 10:48:30 UTC
And you see only

type=ADD_GROUP

messages, right?

Comment 4 Petr Pisar 2012-04-04 11:12:29 UTC
Well, the subsequent useradd requires the group that is supposed to be created by the previous groupadd, so if groupadd fails, useradd will fail just because the group is missing. At least I think so. I haven't seen any audit message other than type=ADD_GROUP.

Just try "yum install radvd". It does not start or modify anything else. No special dependencies. The only thing you should make sure of is that no radvd group or user account exists beforehand.

Comment 5 Miroslav Grepl 2012-04-04 12:33:16 UTC
I don't see it on F17. I need to setup Rawhide.

What does

$ semodule -DB

any suspicious AVC?

Comment 6 Petr Pisar 2012-04-04 12:54:04 UTC
Good hint:

type=AVC msg=audit(1333543954.202:272): avc:  denied  { read } for  pid=4668 comm="groupadd" path="/tmp/tmpTwQ5MV" dev="dm-0" ino=148255 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:rpm_tmp_t:s0 tclass=file
type=AVC msg=audit(1333543954.202:272): avc:  denied  { read } for  pid=4668 comm="groupadd" path="/tmp/tmpTwQ5MV" dev="dm-0" ino=148255 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:rpm_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1333543954.202:272): arch=c000003e syscall=59 success=yes exit=0 a0=2046c00 a1=20466a0 a2=2046430 a3=7fff7e513aa0 items=0 ppid=4666 pid=4668 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 ses=1 comm="groupadd" exe="/usr/sbin/groupadd" subj=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1333543954.214:273): avc:  denied  { search } for  pid=4668 comm="groupadd" name="contexts" dev="dm-0" ino=145897 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_context_t:s0 tclass=dir
type=SYSCALL msg=audit(1333543954.214:273): arch=c000003e syscall=2 success=no exit=-13 a0=7f1acde709a0 a1=0 a2=1b6 a3=238 items=0 ppid=4666 pid=4668 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 ses=1 comm="groupadd" exe="/usr/sbin/groupadd" subj=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1333543954.215:274): avc:  denied  { search } for  pid=4668 comm="groupadd" name="contexts" dev="dm-0" ino=145897 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_context_t:s0 tclass=dir
type=SYSCALL msg=audit(1333543954.215:274): arch=c000003e syscall=2 success=no exit=-13 a0=7f1acde70930 a1=0 a2=1b6 a3=238 items=0 ppid=4666 pid=4668 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 ses=1 comm="groupadd" exe="/usr/sbin/groupadd" subj=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1333543954.215:275): avc:  denied  { search } for  pid=4668 comm="groupadd" name="contexts" dev="dm-0" ino=145897 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_context_t:s0 tclass=dir
type=SYSCALL msg=audit(1333543954.215:275): arch=c000003e syscall=2 success=no exit=-13 a0=7f1acde70270 a1=0 a2=1b6 a3=238 items=0 ppid=4666 pid=4668 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 ses=1 comm="groupadd" exe="/usr/sbin/groupadd" subj=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 key=(null)
type=ADD_GROUP msg=audit(1333543954.268:276): pid=0 uid=0 auid=0 ses=1 subj=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 msg='op=adding group to /etc/gshadow acct="radvd" exe="/usr/sbin/groupadd" hostname=? addr=? terminal=? res=failed'
type=ADD_GROUP msg=audit(1333543954.271:277): pid=0 uid=0 auid=0 ses=1 subj=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 msg='op=adding group to /etc/group acct="radvd" exe="/usr/sbin/groupadd" hostname=? addr=? terminal=? res=failed'
type=ADD_GROUP msg=audit(1333543954.271:278): pid=0 uid=0 auid=0 ses=1 subj=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 msg='op= acct="radvd" exe="/usr/sbin/groupadd" hostname=? addr=? terminal=? res=failed'
type=AVC msg=audit(1333543954.283:279): avc:  denied  { read } for  pid=4670 comm="useradd" path="/tmp/tmpTwQ5MV" dev="dm-0" ino=148255 scontext=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:rpm_tmp_t:s0 tclass=file
type=AVC msg=audit(1333543954.283:279): avc:  denied  { read } for  pid=4670 comm="useradd" path="/tmp/tmpTwQ5MV" dev="dm-0" ino=148255 scontext=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:rpm_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1333543954.283:279): arch=c000003e syscall=59 success=yes exit=0 a0=2047330 a1=2046f70 a2=2046430 a3=7fff7e513aa0 items=0 ppid=4666 pid=4670 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 ses=1 comm="useradd" exe="/usr/sbin/useradd" subj=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 key=(null)

Comment 7 Peter Vrabec 2012-04-04 15:39:37 UTC
There is a wrong context on /etc/group+. It's etc_t but it should be passwd_file_t.

Comment 8 Peter Vrabec 2012-04-04 15:43:58 UTC
*** Bug 807856 has been marked as a duplicate of this bug. ***

Comment 9 Miroslav Grepl 2012-04-04 15:44:51 UTC
Yeap, a fix is on the way.

Comment 10 Miroslav Grepl 2012-04-05 12:08:56 UTC
Should be fixed in the latest F17 build.

# matchpathcon /etc/group+
/etc/group+	system_u:object_r:passwd_file_t:s0

Comment 11 Petr Pisar 2012-04-11 11:19:47 UTC
If the fixing build is 

* Út dub 03 2012 Miroslav Grepl <mgrepl> 3.10.0-110
- /var/run/postmaster.* labeling is no longer needed
- Alllow drbdadmin to read /dev/urandom
- l2tpd_t seems to use ptmx
- group+ and passwd+ should be labeled as /etc/passwd
- Zarafa-indexer is a socket

then it does not fix the rpm-cannot-create-group in F18 (after relabeling):

type=AVC msg=audit(1334133569.291:8): avc:  denied  { read } for  pid=804 comm="groupadd" path="/tmp/tmpjBpHix" dev="dm-0" ino=137263 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:rpm_tmp_t:s0 tclass=file
type=AVC msg=audit(1334133569.291:8): avc:  denied  { read } for  pid=804 comm="groupadd" path="/tmp/tmpjBpHix" dev="dm-0" ino=137263 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:rpm_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1334133569.291:8): arch=c000003e syscall=59 success=yes exit=0 a0=17dcbc0 a1=17dd780 a2=17dc430 a3=7fff1fa37d40 items=0 ppid=802 pid=804 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="groupadd" exe="/usr/sbin/groupadd" subj=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1334133569.331:9): avc:  denied  { search } for  pid=804 comm="groupadd" name="contexts" dev="dm-0" ino=145897 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_context_t:s0 tclass=dir
type=SYSCALL msg=audit(1334133569.331:9): arch=c000003e syscall=2 success=no exit=-13 a0=7f3a83b9da30 a1=0 a2=1b6 a3=238 items=0 ppid=802 pid=804 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="groupadd" exe="/usr/sbin/groupadd" subj=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1334133569.331:10): avc:  denied  { search } for  pid=804 comm="groupadd" name="contexts" dev="dm-0" ino=145897 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_context_t:s0 tclass=dir
type=SYSCALL msg=audit(1334133569.331:10): arch=c000003e syscall=2 success=no exit=-13 a0=7f3a83b9d9c0 a1=0 a2=1b6 a3=238 items=0 ppid=802 pid=804 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="groupadd" exe="/usr/sbin/groupadd" subj=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1334133569.331:11): avc:  denied  { search } for  pid=804 comm="groupadd" name="contexts" dev="dm-0" ino=145897 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_context_t:s0 tclass=dir
type=SYSCALL msg=audit(1334133569.331:11): arch=c000003e syscall=2 success=no exit=-13 a0=7f3a83b9ce00 a1=0 a2=1b6 a3=238 items=0 ppid=802 pid=804 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="groupadd" exe="/usr/sbin/groupadd" subj=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 key=(null)
type=ADD_GROUP msg=audit(1334133569.369:12): pid=0 uid=0 auid=0 ses=1 subj=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 msg='op=adding group to /etc/gshadow acct="radvd" exe="/usr/sbin/groupadd" hostname=? addr=? terminal=? res=failed'
type=ADD_GROUP msg=audit(1334133569.371:13): pid=0 uid=0 auid=0 ses=1 subj=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 msg='op=adding group to /etc/group acct="radvd" exe="/usr/sbin/groupadd" hostname=? addr=? terminal=? res=failed'
type=ADD_GROUP msg=audit(1334133569.371:14): pid=0 uid=0 auid=0 ses=1 subj=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 msg='op= acct="radvd" exe="/usr/sbin/groupadd" hostname=? addr=? terminal=? res=failed'
type=AVC msg=audit(1334133569.379:15): avc:  denied  { read } for  pid=806 comm="useradd" path="/tmp/tmpjBpHix" dev="dm-0" ino=137263 scontext=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:rpm_tmp_t:s0 tclass=file
type=AVC msg=audit(1334133569.379:15): avc:  denied  { read } for  pid=806 comm="useradd" path="/tmp/tmpjBpHix" dev="dm-0" ino=137263 scontext=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:rpm_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1334133569.379:15): arch=c000003e syscall=59 success=yes exit=0 a0=17df980 a1=17dc7f0 a2=17dc430 a3=7fff1fa37d40 items=0 ppid=802 pid=806 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="useradd" exe="/usr/sbin/useradd" subj=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 key=(null)

I can see two problems:

(1) groupadd cannot access temporary files created by rpm

(2) groupadd searches unlabeled directories:
  inode 145897 is /etc/selinux/targeted/contexts

Comment 12 Daniel Walsh 2012-04-11 19:45:46 UTC
I see these rules in 

 rpm -q selinux-policy
selinux-policy-3.10.0-112.fc17.noarch

 audit2allow  -i /tmp/t
WARNING: Policy would be downgraded from version 27 to 26.


#============= groupadd_t ==============
#!!!! This avc has a dontaudit rule in the current policy

allow groupadd_t default_context_t:dir search;
#!!!! This avc has a dontaudit rule in the current policy

allow groupadd_t rpm_tmp_t:file read;

#============= useradd_t ==============
#!!!! This avc has a dontaudit rule in the current policy

allow useradd_t rpm_tmp_t:file read;
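Added example, not code from this report or from the selinux-policy project: a small Python triage script that parses AVC records in the shape pasted above, drops the doubled records, folds them into the allow rules that audit2allow prints in comment 12, and joins each denial to the SYSCALL record with the same serial so you can see which denials coincided with a syscall that actually failed. The sample records are constructed from the shapes in this report, with unrelated fields elided as "...".

```python
import re
from collections import defaultdict

# Constructed sample in the record shape this report shows (unrelated fields elided as "...")
SAMPLE_AUDIT = """\
type=AVC msg=audit(1334133569.291:8): avc:  denied  { read } for  pid=804 comm="groupadd" path="/tmp/tmpjBpHix" scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:rpm_tmp_t:s0 tclass=file
type=AVC msg=audit(1334133569.291:8): avc:  denied  { read } for  pid=804 comm="groupadd" path="/tmp/tmpjBpHix" scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:rpm_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1334133569.291:8): arch=c000003e syscall=59 success=yes exit=0 ... comm="groupadd" exe="/usr/sbin/groupadd"
type=AVC msg=audit(1334133569.331:9): avc:  denied  { search } for  pid=804 comm="groupadd" name="contexts" scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_context_t:s0 tclass=dir
type=SYSCALL msg=audit(1334133569.331:9): arch=c000003e syscall=2 success=no exit=-13 ... comm="groupadd" exe="/usr/sbin/groupadd"
type=AVC msg=audit(1334133569.379:15): avc:  denied  { read } for  pid=806 comm="useradd" path="/tmp/tmpjBpHix" scontext=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:rpm_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1334133569.379:15): arch=c000003e syscall=59 success=yes exit=0 ... comm="useradd" exe="/usr/sbin/useradd"
"""

AVC_RE = re.compile(r'type=AVC msg=audit\([\d.]+:(?P<serial>\d+)\).*?denied\s+\{ (?P<perms>[^}]+)\}.*?'
                    r'comm="(?P<comm>[^"]+)".*?scontext=(?P<sctx>\S+) tcontext=(?P<tctx>\S+) tclass=(?P<tclass>\S+)')
SYSCALL_RE = re.compile(r'type=SYSCALL msg=audit\([\d.]+:(?P<serial>\d+)\).*?syscall=(?P<nr>\d+) '
                        r'success=(?P<ok>\w+) exit=(?P<exit>-?\d+)')

def parse_audit(text):
    """De-duplicate AVC denials and join each to the SYSCALL record sharing its serial number."""
    syscalls, denials = {}, {}
    for line in text.splitlines():
        if m := SYSCALL_RE.match(line):
            syscalls[m["serial"]] = (int(m["nr"]), m["ok"] == "yes", int(m["exit"]))
        elif m := AVC_RE.match(line):
            key = (m["serial"], m["sctx"], m["tctx"], m["tclass"], m["perms"].strip())
            denials[key] = m["comm"]  # the same AVC is logged twice per event; keep one copy
    out = []
    for (serial, sctx, tctx, tclass, perms), comm in denials.items():
        nr, ok, rc = syscalls.get(serial, (None, None, None))
        out.append({"serial": serial, "comm": comm, "stype": sctx.split(":")[2],
                    "ttype": tctx.split(":")[2], "tclass": tclass, "perms": perms.split(),
                    "syscall": nr, "success": ok, "exit": rc})
    return out

def allow_rules(denials):
    """Fold denials into the allow rules audit2allow would print, one per source/target/class."""
    perms = defaultdict(set)
    for d in denials:
        perms[(d["stype"], d["ttype"], d["tclass"])].update(d["perms"])
    rules = []
    for (s, t, c), p in perms.items():
        perm_txt = next(iter(p)) if len(p) == 1 else "{ " + " ".join(sorted(p)) + " }"
        rules.append(f"allow {s} {t}:{c} {perm_txt};")
    return sorted(rules)

def blocking_denials(denials):
    """Denials whose syscall actually failed; the rest are the ones a dontaudit rule would hide."""
    return [d for d in denials if d["success"] is False]
```

On the sample, only the `search` on the contexts directory (serial 9, open returning -13) belongs to a failed syscall; the rpm_tmp_t reads were logged on an execve that succeeded.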

Comment 13 Petr Pisar 2012-04-12 09:25:50 UTC
So it was not fixed in the `the latest F17 build' at the time of writing that comment. And it's still not fixed even in F18, because selinux-policy-3.10.0-112.fc17.noarch has not been inherited into F18 yet, as the build is still in f17-updates-candidate only.

I would appreciate it if you started to fill in `Fixed In Version' and to close bug reports after the build gets into the repository (or the build root in the case of rawhide). E.g. by building updates for F18 too.

Comment 14 Miroslav Grepl 2012-04-12 10:43:48 UTC
We are going to start work on F18. Yes, I missed a version which we add to comments. 

selinux-policy-3.10.0-113.fc16 has been submitted as an update, but I am going to edit it with selinux-policy-3.10.0-114.fc16 later today.

Comment 15 Petr Pisar 2012-04-13 13:00:14 UTC
Unfortunately I still get the same errors even with selinux-policy-3.10.0-114.fc17.noarch.

Comment 16 Miroslav Grepl 2012-04-13 13:11:05 UTC
What does

$ matchpathcon /etc/group+

Comment 17 Petr Pisar 2012-04-13 13:18:23 UTC
# matchpathcon /etc/group+
/etc/group+     system_u:object_r:passwd_file_t:s0

Comment 18 Petr Pisar 2012-05-23 08:23:25 UTC
It works with selinux-policy-3.10.0-125.fc17.noarch for me now. Seems fixed.
