Linux Archive - F17 yum/rpm not running groupadd in %pre scripts

Forwarding here since I think this is an SELinux issue w/rpm running
%pre scripts. See the two bugs below.

The "screen" package has this %pre script:

preinstall scriptlet (using /bin/sh):
/usr/sbin/groupadd -g 84 -r -f screen
:

These dontaudit AVCs appear when installing the package via yum and
the group doesn't get created:

# semodule -DB

# yum install screen
...
Running Transaction
Installing : screen-4.1.0-0.9.20120314git3c2946.fc17.x86_64 1/1
warning: group screen does not exist - using root
warning: group screen does not exist - using root

# grep -i avc audit/audit.log

type=AVC msg=audit(1344982418.400:148): avc: denied { read } for pid=5725 comm="groupadd" path="/tmp/tmpdH4tic" dev="dm-5" ino=942811 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:rpm_tmp_t:s0 tclass=file
type=AVC msg=audit(1344982418.400:148): avc: denied { read } for pid=5725 comm="groupadd" path="/tmp/tmpdH4tic" dev="dm-5" ino=942811 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:rpm_tmp_t:s0 tclass=file
type=AVC msg=audit(1344982418.445:149): avc: denied { search } for pid=5725 comm="groupadd" name="contexts" dev="dm-5" ino=672610 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_context_t:s0 tclass=dir
type=AVC msg=audit(1344982418.445:150): avc: denied { search } for pid=5725 comm="groupadd" name="contexts" dev="dm-5" ino=672610 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_context_t:s0 tclass=dir
type=AVC msg=audit(1344982418.445:151): avc: denied { search } for pid=5725 comm="groupadd" name="contexts" dev="dm-5" ino=672610 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_context_t:s0 tclass=dir

Everything works correctly if I "setenforce 0" first.

Thanks.

----- Forwarded message from Chuck Anderson <cra@WPI.EDU> -----

Date: Tue, 14 Aug 2012 15:30:33 -0400
From: Chuck Anderson <cra@WPI.EDU>
To: For testing and quality assurance of Fedora releases <test@lists.fedoraproject.org>
Subject: F17 yum/rpm not running groupadd in %pre scripts
Precedence: list
Reply-To: For testing and quality assurance of Fedora releases <test@lists.fedoraproject.org>

I ran into a comedy of errors today after I did a new F17 installation
yesterday. Here are a couple:

https://bugzilla.redhat.com/show_bug.cgi?id=848148
Error in PREIN scriptlet in rpm package wireshark-1.6.9-1.fc17.x86_64

(and why does yum still let the transaction succeed, creating problems
in the RPMDB, broken dependencies?)

https://bugzilla.redhat.com/show_bug.cgi?id=845671
"Directory '/var/run/screen' must have mode 777." when opening screen

(and why does systemd-tmpfiles completely fail to start when there is
a missing group--it should fail gracefully, allowing the other
tmpfiles stuff to run and the service as a whole to run)

Both of these are traceable to missing entries in /etc/group. In the
former cae, there is an explicit "Error in PREIN" script during
instalation. In the latter case, there is only a warning and
installation proceeds:

Running Transaction
Installing : screen-4.1.0-0.9.20120314git3c2946.fc17.x86_64 1/1
warning: group screen does not exist - using root
warning: group screen does not exist - using root

So what is going on with %pre not running groupadd properly? Are there
any known issues in this area?

Thanks.
--
test mailing list
test@lists.fedoraproject.org
To unsubscribe:
https://admin.fedoraproject.org/mailman/listinfo/test

----- End forwarded message -----
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux