Forwarding here since I think this is an SELinux issue w/rpm running
%pre scripts. See the two bugs below.

The "screen" package has this %pre script:

preinstall scriptlet (using /bin/sh):
/usr/sbin/groupadd -g 84 -r -f screen
:

These dontaudit AVCs appear when installing the package via yum and
the group doesn't get created:

# semodule -DB
# yum install screen
...
Running Transaction
  Installing : screen-4.1.0-0.9.20120314git3c2946.fc17.x86_64 1/1
warning: group screen does not exist - using root
warning: group screen does not exist - using root

# grep -i avc audit/audit.log
type=AVC msg=audit(1344982418.400:148): avc: denied { read } for pid=5725 comm="groupadd" path="/tmp/tmpdH4tic" dev="dm-5" ino=942811 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:rpm_tmp_t:s0 tclass=file
type=AVC msg=audit(1344982418.400:148): avc: denied { read } for pid=5725 comm="groupadd" path="/tmp/tmpdH4tic" dev="dm-5" ino=942811 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:rpm_tmp_t:s0 tclass=file
type=AVC msg=audit(1344982418.445:149): avc: denied { search } for pid=5725 comm="groupadd" name="contexts" dev="dm-5" ino=672610 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_context_t:s0 tclass=dir
type=AVC msg=audit(1344982418.445:150): avc: denied { search } for pid=5725 comm="groupadd" name="contexts" dev="dm-5" ino=672610 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_context_t:s0 tclass=dir
type=AVC msg=audit(1344982418.445:151): avc: denied { search } for pid=5725 comm="groupadd" name="contexts" dev="dm-5" ino=672610 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_context_t:s0 tclass=dir

Everything works correctly if I "setenforce 0" first.

Thanks.

----- Forwarded message from Chuck Anderson <cra@xxxxxxx> -----

Date: Tue, 14 Aug 2012 15:30:33 -0400
From: Chuck Anderson <cra@xxxxxxx>
To: For testing and quality assurance of Fedora releases <test@xxxxxxxxxxxxxxxxxxxxxxx>
Subject: F17 yum/rpm not running groupadd in %pre scripts
Precedence: list
Reply-To: For testing and quality assurance of Fedora releases <test@xxxxxxxxxxxxxxxxxxxxxxx>

I ran into a comedy of errors today after I did a new F17 installation
yesterday. Here are a couple:

https://bugzilla.redhat.com/show_bug.cgi?id=848148
Error in PREIN scriptlet in rpm package wireshark-1.6.9-1.fc17.x86_64

(and why does yum still let the transaction succeed, creating problems
in the RPMDB, broken dependencies?)

https://bugzilla.redhat.com/show_bug.cgi?id=845671
"Directory '/var/run/screen' must have mode 777." when opening screen

(and why does systemd-tmpfiles completely fail to start when there is
a missing group--it should fail gracefully, allowing the other
tmpfiles stuff to run and the service as a whole to run)

Both of these are traceable to missing entries in /etc/group. In the
former case, there is an explicit "Error in PREIN" script during
installation. In the latter case, there is only a warning and
installation proceeds:

Running Transaction
  Installing : screen-4.1.0-0.9.20120314git3c2946.fc17.x86_64 1/1
warning: group screen does not exist - using root
warning: group screen does not exist - using root

So what is going on with %pre not running groupadd properly? Are
there any known issues in this area?

Thanks.

----- End forwarded message -----
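
The AVC records quoted in the message above, grouped for triage. This is an added example, not part of the original post: it parses the five posted lines and collapses them by source type, target type, object class and permission. The function names (parse_avc, summarize, selinux_type) are hypothetical.

```python
import re
from collections import defaultdict

# The five AVC records exactly as posted in the message above.
SAMPLE = """\
type=AVC msg=audit(1344982418.400:148): avc: denied { read } for pid=5725 comm="groupadd" path="/tmp/tmpdH4tic" dev="dm-5" ino=942811 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:rpm_tmp_t:s0 tclass=file
type=AVC msg=audit(1344982418.400:148): avc: denied { read } for pid=5725 comm="groupadd" path="/tmp/tmpdH4tic" dev="dm-5" ino=942811 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:rpm_tmp_t:s0 tclass=file
type=AVC msg=audit(1344982418.445:149): avc: denied { search } for pid=5725 comm="groupadd" name="contexts" dev="dm-5" ino=672610 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_context_t:s0 tclass=dir
type=AVC msg=audit(1344982418.445:150): avc: denied { search } for pid=5725 comm="groupadd" name="contexts" dev="dm-5" ino=672610 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_context_t:s0 tclass=dir
type=AVC msg=audit(1344982418.445:151): avc: denied { search } for pid=5725 comm="groupadd" name="contexts" dev="dm-5" ino=672610 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_context_t:s0 tclass=dir
"""

AVC_RE = re.compile(r"type=AVC msg=audit\([\d.]+:(?P<serial>\d+)\): avc:\s+denied\s+"
                    r"\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"

def selinux_type(context):
    """Return the type, the third field of user:role:type:level."""
    return context.split(":")[2]

def parse_avc(line):
    """Parse one denied AVC record into a dict; return None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    f = {k: v.strip('"') for k, v in FIELD_RE.findall(m["fields"])}
    if not {"scontext", "tcontext", "tclass"} <= f.keys():
        return None
    return {"serial": int(m["serial"]), "perms": tuple(m["perms"].split()),
            "comm": f.get("comm"), "source": selinux_type(f["scontext"]),
            "target": selinux_type(f["tcontext"]), "tclass": f["tclass"],
            "object": f.get("path") or f.get("name")}

def summarize(text):
    """Group denials by (source type, target type, class, perms)."""
    groups = defaultdict(lambda: {"records": 0, "events": set(), "objects": set()})
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        g = groups[(rec["source"], rec["target"], rec["tclass"], rec["perms"])]
        g["records"] += 1
        g["events"].add(rec["serial"])   # audit serial: repeated records share one event
        g["objects"].add(rec["object"])
    return dict(groups)

if __name__ == "__main__":
    for (src, tgt, cls, perms), g in summarize(SAMPLE).items():
        print(f"{src} -> {tgt}:{cls} {{ {' '.join(perms)} }} records={g['records']} "
              f"events={len(g['events'])} objects={sorted(g['objects'])}")
```

The five records reduce to two distinct denials, both with source type groupadd_t: read on an rpm_tmp_t file and search on a default_context_t directory.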