Forwarding here since I think this is an SELinux issue w/rpm running %pre scripts. See the two bugs below.

The "screen" package has this %pre script:

preinstall scriptlet (using /bin/sh): /usr/sbin/groupadd -g 84 -r -f screen :

These dontaudit AVCs appear when installing the package via yum and the group doesn't get created:

# semodule -DB

# yum install screen ... Running Transaction Installing : screen-4.1.0-0.9.20120314git3c2946.fc17.x86_64 1/1 warning: group screen does not exist - using root warning: group screen does not exist - using root

# grep -i avc audit/audit.log

type=AVC msg=audit(1344982418.400:148): avc: denied { read } for pid=5725 comm="groupadd" path="/tmp/tmpdH4tic" dev="dm-5" ino=942811 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:rpm_tmp_t:s0 tclass=file type=AVC msg=audit(1344982418.400:148): avc: denied { read } for pid=5725 comm="groupadd" path="/tmp/tmpdH4tic" dev="dm-5" ino=942811 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:rpm_tmp_t:s0 tclass=file type=AVC msg=audit(1344982418.445:149): avc: denied { search } for pid=5725 comm="groupadd" name="contexts" dev="dm-5" ino=672610 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_context_t:s0 tclass=dir type=AVC msg=audit(1344982418.445:150): avc: denied { search } for pid=5725 comm="groupadd" name="contexts" dev="dm-5" ino=672610 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_context_t:s0 tclass=dir type=AVC msg=audit(1344982418.445:151): avc: denied { search } for pid=5725 comm="groupadd" name="contexts" dev="dm-5" ino=672610 scontext=unconfined_u:system_r:groupadd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_context_t:s0 tclass=dir

Everything works correctly if I "setenforce 0" first.

Thanks.

----- Forwarded message from Chuck Anderson cra@WPI.EDU -----

Date: Tue, 14 Aug 2012 15:30:33 -0400 From: Chuck Anderson cra@WPI.EDU To: For testing and quality assurance of Fedora releases test@lists.fedoraproject.org Subject: F17 yum/rpm not running groupadd in %pre scripts Precedence: list Reply-To: For testing and quality assurance of Fedora releases test@lists.fedoraproject.org

I ran into a comedy of errors today after I did a new F17 installation yesterday. Here are a couple:

https://bugzilla.redhat.com/show_bug.cgi?id=848148 Error in PREIN scriptlet in rpm package wireshark-1.6.9-1.fc17.x86_64

(and why does yum still let the transaction succeed, creating problems in the RPMDB, broken dependencies?)

https://bugzilla.redhat.com/show_bug.cgi?id=845671 "Directory '/var/run/screen' must have mode 777." when opening screen

(and why does systemd-tmpfiles completely fail to start when there is a missing group--it should fail gracefully, allowing the other tmpfiles stuff to run and the service as a whole to run)

Both of these are traceable to missing entries in /etc/group. In the former cae, there is an explicit "Error in PREIN" script during instalation. In the latter case, there is only a warning and installation proceeds:

Running Transaction Installing : screen-4.1.0-0.9.20120314git3c2946.fc17.x86_64 1/1 warning: group screen does not exist - using root warning: group screen does not exist - using root

So what is going on with %pre not running groupadd properly? Are there any known issues in this area?

Thanks.