Description of problem: SELinux is preventing /usr/sbin/useradd from 'write' accesses on the directory /var/lib. ***** Plugin catchall_labels (83.8 confidence) suggests ******************** If you want to allow useradd to have write access on the lib directory Then you need to change the label on /var/lib Do # semanage fcontext -a -t FILE_TYPE '/var/lib' where FILE_TYPE is one of the following: alsa_home_t, audio_home_t, auth_home_t, cache_home_t, config_home_t, data_home_t, dbus_home_t, default_context_t, etc_t, fetchmail_home_t, file_context_t, gconf_home_t, git_user_content_t, gkeyringd_gnome_home_t, gnome_home_t, gpg_secret_t, gstreamer_home_t, home_bin_t, home_cert_t, home_root_t, httpd_user_content_t, httpd_user_htaccess_t, httpd_user_ra_content_t, httpd_user_rw_content_t, httpd_user_script_exec_t, icc_data_home_t, iceauth_home_t, irc_home_t, irc_tmp_t, irssi_home_t, kismet_home_t, krb5_home_t, local_login_home_t, mail_home_rw_t, mail_home_t, mail_spool_t, mozilla_home_t, mpd_user_data_t, mplayer_home_t, mysqld_home_t, pcscd_var_run_t, polipo_cache_home_t, polipo_config_home_t, procmail_home_t, pulseaudio_home_t, rlogind_home_t, rssh_ro_t, rssh_rw_t, screen_home_t, selinux_config_t, selinux_login_config_t, semanage_store_t, semanage_tmp_t, spamc_home_t, ssh_home_t, stapserver_var_lib_t, svirt_home_t, telepathy_cache_home_t, telepathy_data_home_t, telepathy_gabble_cache_home_t, telepathy_logger_cache_home_t, telepathy_logger_data_home_t, telepathy_mission_control_cache_home_t, telepathy_mission_control_data_home_t, telepathy_mission_control_home_t, telepathy_sunshine_home_t, thumb_home_t, tmp_t, tvtime_home_t, uml_ro_t, uml_rw_t, user_fonts_cache_t, user_fonts_config_t, user_fonts_t, user_home_dir_t, user_home_t, user_tmp_t, user_tmpfs_t, useradd_var_run_t, var_run_t, var_t, virt_content_t, virt_home_t, vmware_conf_t, vmware_file_t, wine_home_t, wireshark_home_t, xauth_home_t, xdm_home_t. Then execute: restorecon -v '/var/lib' ***** Plugin catchall (17.1 confidence) suggests *************************** If you believe that useradd should be allowed write access on the lib directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep useradd /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 Target Context system_u:object_r:var_lib_t:s0 Target Objects /var/lib [ dir ] Source useradd Source Path /usr/sbin/useradd Port <Unknown> Host (removed) Source RPM Packages shadow-utils-4.1.5.1-2.fc18.i686 Target RPM Packages filesystem-3.1-2.fc18.i686 Policy RPM selinux-policy-3.11.1-91.fc18.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux (removed) 3.8.8-202.fc18.i686.PAE #1 SMP Wed Apr 17 23:36:49 UTC 2013 i686 i686 Alert Count 2 First Seen 2013-04-25 21:35:01 CEST Last Seen 2013-04-25 21:35:02 CEST Local ID 3d5891d8-53d3-4453-9b6d-c203e7854b36 Raw Audit Messages type=AVC msg=audit(1366918502.61:631): avc: denied { write } for pid=14766 comm="useradd" name="lib" dev="sda5" ino=524290 scontext=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir type=SYSCALL msg=audit(1366918502.61:631): arch=i386 syscall=mkdir success=no exit=EACCES a0=bfbf6ec8 a1=0 a2=b7749d1c a3=bfbf6ec8 items=0 ppid=14758 pid=14766 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=2 tty=pts1 comm=useradd exe=/usr/sbin/useradd subj=unconfined_u:system_r:useradd_t:s0-s0:c0.c1023 key=(null) Hash: useradd,useradd_t,var_lib_t,dir,write audit2allow #============= useradd_t ============== allow useradd_t var_lib_t:dir write; audit2allow -R require { type useradd_t; } #============= useradd_t ============== files_rw_var_lib_dirs(useradd_t) Additional info: hashmarkername: setroubleshoot kernel: 3.8.8-202.fc18.i686.PAE type: libreport Potential duplicate: bug 754883
Which package were you installing when this happened?
We allow this in F19.
commit edc0e9b9a51b405a030dd294209941bb8d1e8e01 Author: Miroslav Grepl <mgrepl> Date: Mon May 13 10:28:15 2013 +0200 Allow useradd_t to r/w var_lib_t
selinux-policy-3.11.1-95.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/selinux-policy-3.11.1-95.fc18
Package selinux-policy-3.11.1-95.fc18: * should fix your issue, * was pushed to the Fedora 18 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.11.1-95.fc18' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2013-8591/selinux-policy-3.11.1-95.fc18 then log in and leave karma (feedback).
selinux-policy-3.11.1-95.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.