# rpm -q selinux-policy rpm shadow-utils
selinux-policy-3.10.0-104.fc17.noarch
rpm-4.9.90-0.git11505.10.fc18.x86_64
shadow-utils-4.1.5-2.fc18.x86_64

# ls -lZ /etc/group* /etc/gshadow*
-rw-r--r--. root root system_u:object_r:passwd_file_t:s0 /etc/group
-rw-------. root root system_u:object_r:passwd_file_t:s0 /etc/group-
----------. root root system_u:object_r:shadow_t:s0 /etc/gshadow
-rw-------. root root system_u:object_r:shadow_t:s0 /etc/gshadow-

# ls -lZ /usr/bin/rpm /sbin/groupadd
-rwxr-x---. root root system_u:object_r:groupadd_exec_t:s0 /sbin/groupadd
-rwxr-xr-x. root root system_u:object_r:rpm_exec_t:s0 /usr/bin/rpm

Installing the `radvd' package, which adds a radvd group (and user) and assigns ownership of some files to the radvd group (and user), exhibits this problem:

secure log:
Apr 4 10:30:55 fedora-18 groupadd[1446]: failed to add group radvd to /etc/gshadow
Apr 4 10:30:55 fedora-18 groupadd[1446]: failed to add group radvd to /etc/group
Apr 4 10:30:55 fedora-18 groupadd[1446]: failed to add group radvd

audit log:
type=ADD_GROUP msg=audit(1333528255.935:4): pid=0 uid=0 auid=0 ses=1 subj=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 msg='op=adding group to /etc/gshadow acct="radvd" exe="/usr/sbin/groupadd" hostname=? addr=? terminal=? res=failed'
type=ADD_GROUP msg=audit(1333528255.936:5): pid=0 uid=0 auid=0 ses=1 subj=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 msg='op=adding group to /etc/group acct="radvd" exe="/usr/sbin/groupadd" hostname=? addr=? terminal=? res=failed'
type=ADD_GROUP msg=audit(1333528255.936:6): pid=0 uid=0 auid=0 ses=1 subj=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 msg='op= acct="radvd" exe="/usr/sbin/groupadd" hostname=? addr=? terminal=? res=failed'

I've relabeled all files on boot, because the label on /etc/group was wrong, to make sure all labels are correct.
Does it work in permissive mode?
It works in permissive mode. Also running groupadd under unconfined root in enforcing mode works.
And you see only type=ADD_GROUP messages, right?
Well, the subsequent useradd requires the group that is supposed to be created by the previous groupadd, so if groupadd fails, useradd will fail just because the group is missing. At least I think so. I haven't seen any audit message other than type=ADD_GROUP. Just try "yum install radvd". It does not start or modify anything else. No special dependencies. The only thing you should make sure of is that no radvd group or user account exists beforehand.
I don't see it on F17. I need to set up Rawhide. What does

$ semodule -DB

show? Any suspicious AVC?
Good hint:

type=AVC msg=audit(1333543954.202:272): avc: denied { read } for pid=4668 comm="groupadd" path="/tmp/tmpTwQ5MV" dev="dm-0" ino=148255 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:rpm_tmp_t:s0 tclass=file
type=AVC msg=audit(1333543954.202:272): avc: denied { read } for pid=4668 comm="groupadd" path="/tmp/tmpTwQ5MV" dev="dm-0" ino=148255 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:rpm_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1333543954.202:272): arch=c000003e syscall=59 success=yes exit=0 a0=2046c00 a1=20466a0 a2=2046430 a3=7fff7e513aa0 items=0 ppid=4666 pid=4668 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 ses=1 comm="groupadd" exe="/usr/sbin/groupadd" subj=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1333543954.214:273): avc: denied { search } for pid=4668 comm="groupadd" name="contexts" dev="dm-0" ino=145897 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_context_t:s0 tclass=dir
type=SYSCALL msg=audit(1333543954.214:273): arch=c000003e syscall=2 success=no exit=-13 a0=7f1acde709a0 a1=0 a2=1b6 a3=238 items=0 ppid=4666 pid=4668 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 ses=1 comm="groupadd" exe="/usr/sbin/groupadd" subj=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1333543954.215:274): avc: denied { search } for pid=4668 comm="groupadd" name="contexts" dev="dm-0" ino=145897 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_context_t:s0 tclass=dir
type=SYSCALL msg=audit(1333543954.215:274): arch=c000003e syscall=2 success=no exit=-13 a0=7f1acde70930 a1=0 a2=1b6 a3=238 items=0 ppid=4666 pid=4668 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 ses=1 comm="groupadd" exe="/usr/sbin/groupadd" subj=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1333543954.215:275): avc: denied { search } for pid=4668 comm="groupadd" name="contexts" dev="dm-0" ino=145897 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_context_t:s0 tclass=dir
type=SYSCALL msg=audit(1333543954.215:275): arch=c000003e syscall=2 success=no exit=-13 a0=7f1acde70270 a1=0 a2=1b6 a3=238 items=0 ppid=4666 pid=4668 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 ses=1 comm="groupadd" exe="/usr/sbin/groupadd" subj=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 key=(null)
type=ADD_GROUP msg=audit(1333543954.268:276): pid=0 uid=0 auid=0 ses=1 subj=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 msg='op=adding group to /etc/gshadow acct="radvd" exe="/usr/sbin/groupadd" hostname=? addr=? terminal=? res=failed'
type=ADD_GROUP msg=audit(1333543954.271:277): pid=0 uid=0 auid=0 ses=1 subj=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 msg='op=adding group to /etc/group acct="radvd" exe="/usr/sbin/groupadd" hostname=? addr=? terminal=? res=failed'
type=ADD_GROUP msg=audit(1333543954.271:278): pid=0 uid=0 auid=0 ses=1 subj=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 msg='op= acct="radvd" exe="/usr/sbin/groupadd" hostname=? addr=? terminal=? res=failed'
type=AVC msg=audit(1333543954.283:279): avc: denied { read } for pid=4670 comm="useradd" path="/tmp/tmpTwQ5MV" dev="dm-0" ino=148255 scontext=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:rpm_tmp_t:s0 tclass=file
type=AVC msg=audit(1333543954.283:279): avc: denied { read } for pid=4670 comm="useradd" path="/tmp/tmpTwQ5MV" dev="dm-0" ino=148255 scontext=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:rpm_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1333543954.283:279): arch=c000003e syscall=59 success=yes exit=0 a0=2047330 a1=2046f70 a2=2046430 a3=7fff7e513aa0 items=0 ppid=4666 pid=4670 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 ses=1 comm="useradd" exe="/usr/sbin/useradd" subj=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 key=(null)
There is a wrong context on /etc/group+. It's etc_t but it should be passwd_file_t.
*** Bug 807856 has been marked as a duplicate of this bug. ***
Yeap, a fix is on the way.
Should be fixed in the latest F17 build.

# matchpathcon /etc/group+
/etc/group+ system_u:object_r:passwd_file_t:s0
If the fixing build is

* Út dub 03 2012 Miroslav Grepl <mgrepl> 3.10.0-110
- /var/run/postmaster.* labeling is no longer needed
- Alllow drbdadmin to read /dev/urandom
- l2tpd_t seems to use ptmx
- group+ and passwd+ should be labeled as /etc/passwd
- Zarafa-indexer is a socket

then it does not fix the rpm-cannot-create-group in F18 (after relabeling):

type=AVC msg=audit(1334133569.291:8): avc: denied { read } for pid=804 comm="groupadd" path="/tmp/tmpjBpHix" dev="dm-0" ino=137263 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:rpm_tmp_t:s0 tclass=file
type=AVC msg=audit(1334133569.291:8): avc: denied { read } for pid=804 comm="groupadd" path="/tmp/tmpjBpHix" dev="dm-0" ino=137263 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:rpm_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1334133569.291:8): arch=c000003e syscall=59 success=yes exit=0 a0=17dcbc0 a1=17dd780 a2=17dc430 a3=7fff1fa37d40 items=0 ppid=802 pid=804 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="groupadd" exe="/usr/sbin/groupadd" subj=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1334133569.331:9): avc: denied { search } for pid=804 comm="groupadd" name="contexts" dev="dm-0" ino=145897 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_context_t:s0 tclass=dir
type=SYSCALL msg=audit(1334133569.331:9): arch=c000003e syscall=2 success=no exit=-13 a0=7f3a83b9da30 a1=0 a2=1b6 a3=238 items=0 ppid=802 pid=804 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="groupadd" exe="/usr/sbin/groupadd" subj=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1334133569.331:10): avc: denied { search } for pid=804 comm="groupadd" name="contexts" dev="dm-0" ino=145897 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_context_t:s0 tclass=dir
type=SYSCALL msg=audit(1334133569.331:10): arch=c000003e syscall=2 success=no exit=-13 a0=7f3a83b9d9c0 a1=0 a2=1b6 a3=238 items=0 ppid=802 pid=804 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="groupadd" exe="/usr/sbin/groupadd" subj=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1334133569.331:11): avc: denied { search } for pid=804 comm="groupadd" name="contexts" dev="dm-0" ino=145897 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_context_t:s0 tclass=dir
type=SYSCALL msg=audit(1334133569.331:11): arch=c000003e syscall=2 success=no exit=-13 a0=7f3a83b9ce00 a1=0 a2=1b6 a3=238 items=0 ppid=802 pid=804 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="groupadd" exe="/usr/sbin/groupadd" subj=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 key=(null)
type=ADD_GROUP msg=audit(1334133569.369:12): pid=0 uid=0 auid=0 ses=1 subj=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 msg='op=adding group to /etc/gshadow acct="radvd" exe="/usr/sbin/groupadd" hostname=? addr=? terminal=? res=failed'
type=ADD_GROUP msg=audit(1334133569.371:13): pid=0 uid=0 auid=0 ses=1 subj=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 msg='op=adding group to /etc/group acct="radvd" exe="/usr/sbin/groupadd" hostname=? addr=? terminal=? res=failed'
type=ADD_GROUP msg=audit(1334133569.371:14): pid=0 uid=0 auid=0 ses=1 subj=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 msg='op= acct="radvd" exe="/usr/sbin/groupadd" hostname=? addr=? terminal=? res=failed'
type=AVC msg=audit(1334133569.379:15): avc: denied { read } for pid=806 comm="useradd" path="/tmp/tmpjBpHix" dev="dm-0" ino=137263 scontext=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:rpm_tmp_t:s0 tclass=file
type=AVC msg=audit(1334133569.379:15): avc: denied { read } for pid=806 comm="useradd" path="/tmp/tmpjBpHix" dev="dm-0" ino=137263 scontext=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:rpm_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1334133569.379:15): arch=c000003e syscall=59 success=yes exit=0 a0=17df980 a1=17dc7f0 a2=17dc430 a3=7fff1fa37d40 items=0 ppid=802 pid=806 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="useradd" exe="/usr/sbin/useradd" subj=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 key=(null)

I can see two problems:
(1) groupadd cannot access temporary files created by rpm
(2) groupadd searches unlabeled directories: inode 145897 is /etc/selinux/targeted/contexts
I see these rules in

rpm -q selinux-policy
selinux-policy-3.10.0-112.fc17.noarch

audit2allow -i /tmp/t
WARNING: Policy would be downgraded from version 27 to 26.

#============= groupadd_t ==============
#!!!! This avc has a dontaudit rule in the current policy
allow groupadd_t default_context_t:dir search;
#!!!! This avc has a dontaudit rule in the current policy
allow groupadd_t rpm_tmp_t:file read;

#============= useradd_t ==============
#!!!! This avc has a dontaudit rule in the current policy
allow useradd_t rpm_tmp_t:file read;
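As an added example (not from this bug thread or from the selinux-policy project), a small Python summarizer that collapses AVC denials like the ones quoted above into audit2allow-style rules; it keys on the audit serial so the repeated AVC record of one event is counted once, while separate events for the same rule are counted. The sample records are constructed after the shapes seen in this thread.

```python
import re
from collections import Counter

# Constructed sample records modelled on the audit log quoted in this thread;
# the first AVC is repeated on purpose, as the real log repeats it.
SAMPLE_LOG = """\
type=AVC msg=audit(1333543954.202:272): avc: denied { read } for pid=4668 comm="groupadd" path="/tmp/tmpTwQ5MV" dev="dm-0" ino=148255 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:rpm_tmp_t:s0 tclass=file
type=AVC msg=audit(1333543954.202:272): avc: denied { read } for pid=4668 comm="groupadd" path="/tmp/tmpTwQ5MV" dev="dm-0" ino=148255 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:rpm_tmp_t:s0 tclass=file
type=SYSCALL msg=audit(1333543954.202:272): arch=c000003e syscall=59 success=yes exit=0 comm="groupadd" exe="/usr/sbin/groupadd"
type=AVC msg=audit(1333543954.214:273): avc: denied { search } for pid=4668 comm="groupadd" name="contexts" dev="dm-0" ino=145897 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_context_t:s0 tclass=dir
type=AVC msg=audit(1333543954.215:274): avc: denied { search } for pid=4668 comm="groupadd" name="contexts" dev="dm-0" ino=145897 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_context_t:s0 tclass=dir
type=AVC msg=audit(1333543954.283:279): avc: denied { read } for pid=4670 comm="useradd" path="/tmp/tmpTwQ5MV" dev="dm-0" ino=148255 scontext=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:rpm_tmp_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\([\d.]+:(?P<serial>\d+)\): avc: denied "
    r"\{ (?P<perms>[^}]+) \} for .*?scontext=(?P<scontext>\S+) "
    r"tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)"
)

def type_of(context):
    """user:role:type[:range] -> type, e.g. groupadd_t."""
    return context.split(":")[2]

def parse_avc(line):
    """Return the fields of one AVC denial, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "serial": m["serial"],
        "stype": type_of(m["scontext"]),
        "ttype": type_of(m["tcontext"]),
        "tclass": m["tclass"],
        "perms": tuple(sorted(m["perms"].split())),
    }

def summarize(log_text):
    """Map audit2allow-style rule text to the number of distinct denial events;
    identical lines sharing one serial are the same event and count once."""
    events = set()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            events.add(tuple(rec.values()))
    counts = Counter()
    for _serial, stype, ttype, tclass, perms in events:
        p = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        counts[f"allow {stype} {ttype}:{tclass} {p};"] += 1
    return dict(counts)
```

Run it over `ausearch -m AVC` output after `semodule -DB` to see which rules the dontaudit rules were hiding; whether a rule should actually be allowed is a separate question, as the thread's root cause was a mislabeled file, not a missing allow.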
So it was not fixed in `the latest F17 build' at the time of writing that comment. And it's still not fixed even in F18, because selinux-policy-3.10.0-112.fc17.noarch has not been inherited into F18 yet, since the build is still in f17-updates-candidate only. I would appreciate it if you started to fill in `Fixed In Version' and to close bug reports after the build gets into the repository (or build-root in case of Rawhide), e.g. by building updates for F18 too.
We are going to start work on F18. Yes, I missed a version which we add to comments. selinux-policy-3.10.0-113.fc16 has been submitted as an update, but I am going to edit it with selinux-policy-3.10.0-114.fc16 later today.
Unfortunately I still get the same errors even with selinux-policy-3.10.0-114.fc17.noarch.
What does

$ matchpathcon /etc/group+

show?
# matchpathcon /etc/group+
/etc/group+ system_u:object_r:passwd_file_t:s0
It works with selinux-policy-3.10.0-125.fc17.noarch for me now. Seems fixed.