This service will be undergoing maintenance at 00:00 UTC, 2017-10-23 It is expected to last about 30 minutes
Bug 863832 - selinux policy prevents rpm from creating directory in /var/lib/
selinux policy prevents rpm from creating directory in /var/lib/
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: systemtap (Show other bugs)
18
Unspecified Linux
unspecified Severity unspecified
: ---
: ---
Assigned To: Frank Ch. Eigler
Fedora Extras Quality Assurance
:
Depends On: 798036 853456
Blocks: 828606
  Show dependency treegraph
 
Reported: 2012-10-07 15:20 EDT by Frank Ch. Eigler
Modified: 2013-09-27 09:37 EDT (History)
12 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 853456
Environment:
Last Closed: 2013-09-27 09:37:19 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Frank Ch. Eigler 2012-10-07 15:20:18 EDT
+++ This bug was initially created as a clone of Bug #853456 +++

+++ This bug was initially created as a clone of Bug #798036 +++
[...]

When trying to install systemtap-server-1.7-2.fc16.x86_64 on 
Fedora 16, selinux prevents the rpm from creating 
/var/lib/stap-server/ as the home directory when running
useradd. 


Version-Release number of selected component (if applicable):

# rpm -qa kernel selinux-policy-targeted
kernel-3.6.0-3.fc18.x86_64
selinux-policy-targeted-3.11.1-32.fc18.noarch

# yum reinstall systemtap-devel systemtap-server
Running Transaction
  Installing : systemtap-devel-2.0-0.4.gitec12f84.fc18.x86_64        1/2 
useradd: cannot create directory /var/lib/stap-server
  Installing : systemtap-server-2.0-0.4.gitec12f84.fc18.x86_64       2/2 
warning: user stap-server does not exist - using root
runuser: user stap-server does not exist
  Verifying  : systemtap-server-2.0-0.4.gitec12f84.fc18.x86_64       1/2 


# tail /var/log/audit/audit.log
type=ADD_USER msg=audit(1349637511.438:463): pid=8061 uid=0 auid=500 ses=1 subj=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 msg='op=adding user id=155 exe="/usr/sbin/useradd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1349637511.456:464): avc:  denied  { write } for  pid=8061 comm="useradd" name="lib" dev="sda3" ino=1048579 scontext=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1349637511.456:464): arch=c000003e syscall=83 success=no exit=-13 a0=7fff63e2a8f2 a1=0 a2=2b72cae6e758 a3=6165726373662f72 items=0 ppid=8058 pid=8061 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="useradd" exe="/usr/sbin/useradd" subj=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 key=(null)
type=ADD_USER msg=audit(1349637511.457:465): pid=8061 uid=0 auid=500 ses=1 subj=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 msg='op=adding home directory id=155 exe="/usr/sbin/useradd" hostname=? addr=? terminal=? res=failed'
type=ADD_USER msg=audit(1349637511.457:466): pid=8061 uid=0 auid=500 ses=1 subj=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 msg='op=adding user acct="stap-server" exe="/usr/sbin/useradd" hostname=? addr=? terminal=? res=failed'
type=ADD_USER msg=audit(1349637511.523:467): pid=8062 uid=0 auid=500 ses=1 subj=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 msg='op=adding user id=499 exe="/usr/sbin/useradd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1349637511.547:468): avc:  denied  { write } for  pid=8062 comm="useradd" name="lib" dev="sda3" ino=1048579 scontext=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1349637511.547:468): arch=c000003e syscall=83 success=no exit=-13 a0=7fff35f938f2 a1=0 a2=2aba3dee3758 a3=6165726373662f72 items=0 ppid=8058 pid=8062 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="useradd" exe="/usr/sbin/useradd" subj=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 key=(null)
type=ADD_USER msg=audit(1349637511.547:469): pid=8062 uid=0 auid=500 ses=1 subj=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 msg='op=adding home directory id=499 exe="/usr/sbin/useradd" hostname=? addr=? terminal=? res=failed'
type=ADD_USER msg=audit(1349637511.548:470): pid=8062 uid=0 auid=500 ses=1 subj=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 msg='op=adding user acct="stap-server" exe="/usr/sbin/useradd" hostname=? addr=? terminal=? res=failed'

This works fine:

# setenforce 0
# yum reinstall <SAME>
Comment 1 Miroslav Grepl 2012-10-08 04:15:44 EDT
What does

# ls -dZ /var/lib/stap-server

# matchpathcon /var/lib/stap-server
Comment 2 Frank Ch. Eigler 2012-10-08 09:02:13 EDT
This is after the "setenforce 0" reinstallation; it looks OK.  (Before the "setenforce 0", no directory was created at all.)

# ls -dZ /var/lib/stap-server
drwxr-xr-x. stap-server stap-server system_u:object_r:stapserver_var_lib_t:s0 /var/lib/stap-server

# matchpathcon /var/lib/stap-server
/var/lib/stap-server	system_u:object_r:stapserver_var_lib_t:s0
Comment 3 Daniel Walsh 2012-10-08 10:49:51 EDT
/var/lib/stap-server should be in the payload of systemtap, and then rpm would have created and labelled this correctly.
Comment 4 Frank Ch. Eigler 2012-10-11 10:26:52 EDT
OK, we can try that.  Can this be fixed from the selinux side too?
Comment 5 Daniel Walsh 2012-10-11 11:56:46 EDT
Yes we have added a fix for this in SELinux policy also.  But all packages should own the directories they use.
Comment 6 Frank Ch. Eigler 2012-10-11 14:05:25 EDT
Dan, just checking if you know off the top of your head, does this create a chicken-egg problem for rpm?  If the /var/lib/stap-server %dir is included in %files, but is owned by a userid that doesn't exist until the rpm %pre script, which failed (perhaps) because of the missing %dir, how does that work?
Comment 7 Daniel Walsh 2012-10-11 22:37:45 EDT
Apache has a similar problem, but they do

%pre
# Add the "apache" user
/usr/sbin/useradd -c "Apache" -u 48 \
	-s /sbin/nologin -r -d %{contentdir} apache 2> /dev/null || :

%files

%attr(0710,root,apache) %dir /run/httpd
%attr(0700,root,root) %dir %{_localstatedir}/log/httpd
%attr(0700,apache,apache) %dir %{_localstatedir}/lib/dav
%attr(0700,apache,apache) %dir %{_localstatedir}/cache/httpd
%attr(0700,apache,apache) %dir %{_localstatedir}/cache/httpd/proxy
Comment 8 Frank Ch. Eigler 2013-03-06 12:30:30 EST
Daniel, we have had a report of this problem reappearing with the systemtap-2.1-1.f18 builds, even though they include the %dir as discussed in comment #3.  It appears that selinux is still blocking, despite the directory being included as an rpm payload, and with the correct ownership/permission.
Comment 9 Jon VanAlten 2013-03-06 12:36:25 EST
I'm still seeing basically this in f18 with latest update.

useradd: cannot create directory /var/lib/stap-server
  Installing : systemtap-server-2.1-1.fc18.x86_64                              1/1 
warning: user stap-server does not exist - using root
warning: user stap-server does not exist - using root
runuser: user stap-server does not exist

As per previous comments, setting selinux to Permissive avoids the issue.

Here's some of the other details:

# tail /var/log/audit/audit.log
type=ADD_USER msg=audit(1362590329.176:376): pid=8744 uid=0 auid=1000 ses=1 subj=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 msg='op=adding user id=155 exe="/usr/sbin/useradd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1362590329.186:377): avc:  denied  { write } for  pid=8744 comm="useradd" name="lib" dev="sda3" ino=2621442 scontext=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1362590329.186:377): arch=c000003e syscall=83 success=no exit=-13 a0=7fff2d9d6844 a1=0 a2=7f9451a61758 a3=6165726373662f72 items=0 ppid=8741 pid=8744 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=1 tty=pts5 comm="useradd" exe="/usr/sbin/useradd" subj=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 key=(null)
type=ADD_USER msg=audit(1362590329.186:378): pid=8744 uid=0 auid=1000 ses=1 subj=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 msg='op=adding home directory id=155 exe="/usr/sbin/useradd" hostname=? addr=? terminal=? res=failed'
type=ADD_USER msg=audit(1362590329.186:379): pid=8744 uid=0 auid=1000 ses=1 subj=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 msg='op=adding user acct="stap-server" exe="/usr/sbin/useradd" hostname=? addr=? terminal=? res=failed'
type=ADD_USER msg=audit(1362590329.435:380): pid=8745 uid=0 auid=1000 ses=1 subj=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 msg='op=adding user id=991 exe="/usr/sbin/useradd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1362590329.445:381): avc:  denied  { write } for  pid=8745 comm="useradd" name="lib" dev="sda3" ino=2621442 scontext=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1362590329.445:381): arch=c000003e syscall=83 success=no exit=-13 a0=7fff618c2844 a1=0 a2=7f83c98f0758 a3=6165726373662f72 items=0 ppid=8741 pid=8745 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=1 tty=pts5 comm="useradd" exe="/usr/sbin/useradd" subj=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 key=(null)
type=ADD_USER msg=audit(1362590329.445:382): pid=8745 uid=0 auid=1000 ses=1 subj=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 msg='op=adding home directory id=991 exe="/usr/sbin/useradd" hostname=? addr=? terminal=? res=failed'
type=ADD_USER msg=audit(1362590329.445:383): pid=8745 uid=0 auid=1000 ses=1 subj=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 msg='op=adding user acct="stap-server" exe="/usr/sbin/useradd" hostname=? addr=? terminal=? res=failed'

# ls -dZ /var/lib/stap-server
drwxr-x---. stap-server stap-server system_u:object_r:stapserver_var_lib_t:s0 /var/lib/stap-server

# matchpathcon /var/lib/stap-server
/var/lib/stap-server	system_u:object_r:stapserver_var_lib_t:s0
Comment 10 Frank Ch. Eigler 2013-03-06 16:06:06 EST
Note that the systemtap spec file, until a commit made a moment ago, still used

# useradd -c .. -u .. -g .. -d /var/lib/stap-server -m -r -s ... stap-server

Note the -m.  Perhaps useradd is being run before the %dir directive created the
directory, and thus the %dir stuff from comment #3 was moot, so selinux still needs to help permit this mkdir.

This -m is removed with and upstream stap commit, as another step in the workarounds for this problem.
Comment 11 Daniel Walsh 2013-03-07 11:30:00 EST
Is useradd run in the preinstall?
Comment 12 Daniel Walsh 2013-03-07 11:30:24 EST
BTW I installed this on F19 without a problem
Comment 13 Frank Ch. Eigler 2013-03-08 11:52:31 EST
(In reply to comment #11)
> Is useradd run in the preinstall?

Yes (the %pre section of the -server subrpm).
Comment 14 Daniel Walsh 2013-03-08 14:14:42 EST
Which means the -m could and would cause this problem.  We have this problem fixed in rawhide since we are no longer transitioning from rpm_script_t to useradd, but would have a hard time fixing this in older releases.
Comment 15 Frank Ch. Eigler 2013-09-27 09:37:19 EDT
systemtap v2.2+ include the "no -m" fix commit 7734bd4f.

Note You need to log in before you can comment on or make changes to this bug.