859532 – radvd: permission denied when calling useradd/groupadd during installation

Bug 859532 - radvd: permission denied when calling useradd/groupadd during installation

Summary: radvd: permission denied when calling useradd/groupadd during installation

Keywords:
Status:	CLOSED RAWHIDE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	rawhide
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Miroslav Grepl
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2012-09-21 18:53 UTC by Richard W.M. Jones
Modified:	2012-09-24 10:35 UTC (History)
CC List:	5 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2012-09-24 10:35:39 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Bugzilla	809735	0	unspecified	CLOSED	groupadd run by rpm cannot update /etc/group	2021-02-22 00:41:40 UTC

Internal Links: 809735

Description Richard W.M. Jones 2012-09-21 18:53:26 UTC

Description of problem:

During install of radvd on Rawhide with SELinux Enforcing:

/var/tmp/rpm-tmp.YDgPJ2: line 1: /sbin/groupadd: Permission denied
/var/tmp/rpm-tmp.YDgPJ2: line 3: /sbin/useradd: Permission denied
  Installing : radvd-1.9.1-4.fc19.x86_64                                 64/112 
warning: user radvd does not exist - using root
warning: group radvd does not exist - using root

Version-Release number of selected component (if applicable):

radvd-1.9.1-4.fc19.x86_64

How reproducible:

Happened once.

Comment 1 Petr Pisar 2012-09-24 08:28:49 UTC

What's your selinux-policy version? I believe this is regression in SELinux policy (bug #809735) that has been already reported and seemingly fixed, or some files are mislabeled in your system.

Comment 2 Petr Pisar 2012-09-24 08:43:15 UTC

I cannot reproduce your problem with current selinux-policy-3.11.1-18.fc18.noarch and following labels:

# ls -lZ /etc/group* /etc/gshadow*
-rw-r--r--. root root system_u:object_r:passwd_file_t:s0 /etc/group
-rw-r--r--. root root system_u:object_r:passwd_file_t:s0 /etc/group-
----------. root root system_u:object_r:shadow_t:s0    /etc/gshadow
----------. root root system_u:object_r:shadow_t:s0    /etc/gshadow-

If you still suffer from the problem, you will need to find help from SELinux maintainers by reassigning this report to selinux-policy component.

Comment 3 Richard W.M. Jones 2012-09-24 08:55:16 UTC

My password and group files are labelled the same way.

selinux-policy 3.11.1-7.fc18

(Before and after the update -- selinux-policy was not
updated during this transaction)

More info to follow ..

Comment 4 Richard W.M. Jones 2012-09-24 09:02:26 UTC

Well there was going to be more info, but now this
machine goes into an infinite loop in dracut.  Can't
be booted ...

Note this is Rawhide, not F18.

Comment 5 Petr Pisar 2012-09-24 09:11:06 UTC

I know it's F19. SELinux guys do not build for rawhide thus the policy package has f18 tag. I performed the test on just updated F19.

I'm moving this report to selinux-policy because the radvd package script runs under rpm identity and it's confined by SELinux.

Comment 6 Miroslav Grepl 2012-09-24 09:48:46 UTC

I would need to see outputs of

# semodule -DB
# yum install <whatever_causes_issue>
# ausearch -m avc -ts recent

Comment 7 Richard W.M. Jones 2012-09-24 10:35:39 UTC

Never mind .. after downgrading radvd and upgrading radvd,
the error message is gone.  So I'll say that this has been
fixed in rawhide.

Note You need to log in before you can comment on or make changes to this bug.