+++ This bug was initially created as a clone of Bug #853456 +++ +++ This bug was initially created as a clone of Bug #798036 +++ [...] When trying to install systemtap-server-1.7-2.fc16.x86_64 on Fedora 16, selinux prevents the rpm from creating /var/lib/stap-server/ as the home directory when running useradd. Version-Release number of selected component (if applicable): # rpm -qa kernel selinux-policy-targeted kernel-3.6.0-3.fc18.x86_64 selinux-policy-targeted-3.11.1-32.fc18.noarch # yum reinstall systemtap-devel systemtap-server Running Transaction Installing : systemtap-devel-2.0-0.4.gitec12f84.fc18.x86_64 1/2 useradd: cannot create directory /var/lib/stap-server Installing : systemtap-server-2.0-0.4.gitec12f84.fc18.x86_64 2/2 warning: user stap-server does not exist - using root runuser: user stap-server does not exist Verifying : systemtap-server-2.0-0.4.gitec12f84.fc18.x86_64 1/2 # tail /var/log/audit/audit.log type=ADD_USER msg=audit(1349637511.438:463): pid=8061 uid=0 auid=500 ses=1 subj=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 msg='op=adding user id=155 exe="/usr/sbin/useradd" hostname=? addr=? terminal=? res=success' type=AVC msg=audit(1349637511.456:464): avc: denied { write } for pid=8061 comm="useradd" name="lib" dev="sda3" ino=1048579 scontext=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir type=SYSCALL msg=audit(1349637511.456:464): arch=c000003e syscall=83 success=no exit=-13 a0=7fff63e2a8f2 a1=0 a2=2b72cae6e758 a3=6165726373662f72 items=0 ppid=8058 pid=8061 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="useradd" exe="/usr/sbin/useradd" subj=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 key=(null) type=ADD_USER msg=audit(1349637511.457:465): pid=8061 uid=0 auid=500 ses=1 subj=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 msg='op=adding home directory id=155 exe="/usr/sbin/useradd" hostname=? addr=? terminal=? res=failed' type=ADD_USER msg=audit(1349637511.457:466): pid=8061 uid=0 auid=500 ses=1 subj=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 msg='op=adding user acct="stap-server" exe="/usr/sbin/useradd" hostname=? addr=? terminal=? res=failed' type=ADD_USER msg=audit(1349637511.523:467): pid=8062 uid=0 auid=500 ses=1 subj=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 msg='op=adding user id=499 exe="/usr/sbin/useradd" hostname=? addr=? terminal=? res=success' type=AVC msg=audit(1349637511.547:468): avc: denied { write } for pid=8062 comm="useradd" name="lib" dev="sda3" ino=1048579 scontext=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir type=SYSCALL msg=audit(1349637511.547:468): arch=c000003e syscall=83 success=no exit=-13 a0=7fff35f938f2 a1=0 a2=2aba3dee3758 a3=6165726373662f72 items=0 ppid=8058 pid=8062 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="useradd" exe="/usr/sbin/useradd" subj=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 key=(null) type=ADD_USER msg=audit(1349637511.547:469): pid=8062 uid=0 auid=500 ses=1 subj=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 msg='op=adding home directory id=499 exe="/usr/sbin/useradd" hostname=? addr=? terminal=? res=failed' type=ADD_USER msg=audit(1349637511.548:470): pid=8062 uid=0 auid=500 ses=1 subj=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 msg='op=adding user acct="stap-server" exe="/usr/sbin/useradd" hostname=? addr=? terminal=? res=failed' This works fine: # setenforce 0 # yum reinstall <SAME>
What does # ls -dZ /var/lib/stap-server # matchpathcon /var/lib/stap-server
This is after the "setenforce 0" reinstallation; it looks OK. (Before the "setenforce 0", no directory was created at all.) # ls -dZ /var/lib/stap-server drwxr-xr-x. stap-server stap-server system_u:object_r:stapserver_var_lib_t:s0 /var/lib/stap-server # matchpathcon /var/lib/stap-server /var/lib/stap-server system_u:object_r:stapserver_var_lib_t:s0
/var/lib/stap-server should be in the payload of systemtap, and then rpm would have created and labelled this correctly.
OK, we can try that. Can this be fixed from the selinux side too?
Yes we have added a fix for this in SELinux policy also. But all packages should own the directories they use.
Dan, just checking if you know off the top of your head, does this create a chicken-egg problem for rpm? If the /var/lib/stap-server %dir is included in %files, but is owned by a userid that doesn't exist until the rpm %pre script, which failed (perhaps) because of the missing %dir, how does that work?
Apache has a similar problem, but they do %pre # Add the "apache" user /usr/sbin/useradd -c "Apache" -u 48 \ -s /sbin/nologin -r -d %{contentdir} apache 2> /dev/null || : %files %attr(0710,root,apache) %dir /run/httpd %attr(0700,root,root) %dir %{_localstatedir}/log/httpd %attr(0700,apache,apache) %dir %{_localstatedir}/lib/dav %attr(0700,apache,apache) %dir %{_localstatedir}/cache/httpd %attr(0700,apache,apache) %dir %{_localstatedir}/cache/httpd/proxy
Daniel, we have had a report of this problem reappearing with the systemtap-2.1-1.f18 builds, even though they include the %dir as discussed in comment #3. It appears that selinux is still blocking, despite the directory being included as an rpm payload, and with the correct ownership/permission.
I'm still seeing basically this in f18 with latest update. useradd: cannot create directory /var/lib/stap-server Installing : systemtap-server-2.1-1.fc18.x86_64 1/1 warning: user stap-server does not exist - using root warning: user stap-server does not exist - using root runuser: user stap-server does not exist As per previous comments, setting selinux to Permissive avoids the issue. Here's some of the other details: # tail /var/log/audit/audit.log type=ADD_USER msg=audit(1362590329.176:376): pid=8744 uid=0 auid=1000 ses=1 subj=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 msg='op=adding user id=155 exe="/usr/sbin/useradd" hostname=? addr=? terminal=? res=success' type=AVC msg=audit(1362590329.186:377): avc: denied { write } for pid=8744 comm="useradd" name="lib" dev="sda3" ino=2621442 scontext=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir type=SYSCALL msg=audit(1362590329.186:377): arch=c000003e syscall=83 success=no exit=-13 a0=7fff2d9d6844 a1=0 a2=7f9451a61758 a3=6165726373662f72 items=0 ppid=8741 pid=8744 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=1 tty=pts5 comm="useradd" exe="/usr/sbin/useradd" subj=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 key=(null) type=ADD_USER msg=audit(1362590329.186:378): pid=8744 uid=0 auid=1000 ses=1 subj=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 msg='op=adding home directory id=155 exe="/usr/sbin/useradd" hostname=? addr=? terminal=? res=failed' type=ADD_USER msg=audit(1362590329.186:379): pid=8744 uid=0 auid=1000 ses=1 subj=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 msg='op=adding user acct="stap-server" exe="/usr/sbin/useradd" hostname=? addr=? terminal=? res=failed' type=ADD_USER msg=audit(1362590329.435:380): pid=8745 uid=0 auid=1000 ses=1 subj=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 msg='op=adding user id=991 exe="/usr/sbin/useradd" hostname=? addr=? terminal=? res=success' type=AVC msg=audit(1362590329.445:381): avc: denied { write } for pid=8745 comm="useradd" name="lib" dev="sda3" ino=2621442 scontext=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir type=SYSCALL msg=audit(1362590329.445:381): arch=c000003e syscall=83 success=no exit=-13 a0=7fff618c2844 a1=0 a2=7f83c98f0758 a3=6165726373662f72 items=0 ppid=8741 pid=8745 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=1 tty=pts5 comm="useradd" exe="/usr/sbin/useradd" subj=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 key=(null) type=ADD_USER msg=audit(1362590329.445:382): pid=8745 uid=0 auid=1000 ses=1 subj=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 msg='op=adding home directory id=991 exe="/usr/sbin/useradd" hostname=? addr=? terminal=? res=failed' type=ADD_USER msg=audit(1362590329.445:383): pid=8745 uid=0 auid=1000 ses=1 subj=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 msg='op=adding user acct="stap-server" exe="/usr/sbin/useradd" hostname=? addr=? terminal=? res=failed' # ls -dZ /var/lib/stap-server drwxr-x---. stap-server stap-server system_u:object_r:stapserver_var_lib_t:s0 /var/lib/stap-server # matchpathcon /var/lib/stap-server /var/lib/stap-server system_u:object_r:stapserver_var_lib_t:s0
Note that the systemtap spec file, until a commit made a moment ago, still used # useradd -c .. -u .. -g .. -d /var/lib/stap-server -m -r -s ... stap-server Note the -m. Perhaps useradd is being run before the %dir directive created the directory, and thus the %dir stuff from comment #3 was moot, so selinux still needs to help permit this mkdir. This -m is removed with and upstream stap commit, as another step in the workarounds for this problem.
Is useradd run in the preinstall?
BTW I installed this on F19 without a problem
(In reply to comment #11) > Is useradd run in the preinstall? Yes (the %pre section of the -server subrpm).
Which means the -m could and would cause this problem. We have this problem fixed in rawhide since we are no longer transitioning from rpm_script_t to useradd, but would have a hard time fixing this in older releases.
systemtap v2.2+ include the "no -m" fix commit 7734bd4f.