When trying to change a group, a failure occurs when SELinux is enabled:
"""
~# groupadd jboss
groupadd: failure while writing changes to /etc/group
"""
In the denial logs, we notice the following:
"""
Apr 22 14:05:35 testsys kernel: [ 3839.470998] type=1400 audit(1335096335.139:168): avc: denied { search } for pid=3521 comm="groupadd" name="contexts" dev="vda1" ino=1091 scontext=root:sysadm_r:groupadd_t tcontext=system_u:object_r:default_context_t tclass=dir
"""
The groupadd application is SELinux-aware (linked with libselinux) and needs proper access to the context definitions.

Reproducible: Always
With seutil_read_default_contexts, the following denial occurs:
"""
Apr 22 14:17:11 testsys kernel: [ 4535.791950] type=1400 audit(1335097031.460:178): avc: denied { search } for pid=10737 comm="groupadd" name="files" dev="vda1" ino=1122 scontext=root:sysadm_r:groupadd_t tcontext=system_u:object_r:file_context_t tclass=dir
"""
Adding seutil_read_file_contexts() as well makes things work again.
seutil_read_default_contexts can be eliminated; seutil_read_file_contexts contains the proper rights.
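The two AVC denials quoted in this thread, parsed and mapped to the interface the thread settled on, as an added example that is not part of the bug report or of the policy itself. The line format is the kernel's audit AVC format as shown above; the triage step assumes that a search denial on a default_context_t or file_context_t directory is resolved by seutil_read_file_contexts() for the denied source type, which the thread established for groupadd_t.

```python
import re

# Sample denials, copied from the report above (test input for this example)
DENIALS = [
    'Apr 22 14:05:35 testsys kernel: [ 3839.470998] type=1400 audit(1335096335.139:168): '
    'avc: denied { search } for pid=3521 comm="groupadd" name="contexts" dev="vda1" ino=1091 '
    'scontext=root:sysadm_r:groupadd_t tcontext=system_u:object_r:default_context_t tclass=dir',
    'Apr 22 14:17:11 testsys kernel: [ 4535.791950] type=1400 audit(1335097031.460:178): '
    'avc: denied { search } for pid=10737 comm="groupadd" name="files" dev="vda1" ino=1122 '
    'scontext=root:sysadm_r:groupadd_t tcontext=system_u:object_r:file_context_t tclass=dir',
]

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<kv>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumption drawn from the thread's resolution: read access to both context
# definition directories is granted by seutil_read_file_contexts().
CONTEXT_DIR_TYPES = {"default_context_t", "file_context_t"}


def parse_avc(line):
    """Return the denial's permissions and key=value fields, or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("kv"))}
    fields["perms"] = m.group("perms").split()
    return fields


def context_type(ctx):
    """Extract the type from user:role:type[:range], e.g. root:sysadm_r:groupadd_t -> groupadd_t."""
    return ctx.split(":")[2]


def suggest_interface(fields):
    """Map a parsed denial to the refpolicy interface call that resolves it, or None if unknown."""
    if fields is None or fields.get("tclass") != "dir" or "search" not in fields["perms"]:
        return None
    if context_type(fields["tcontext"]) not in CONTEXT_DIR_TYPES:
        return None
    return "seutil_read_file_contexts(%s)" % context_type(fields["scontext"])


def triage(lines):
    """Return the distinct interface calls suggested for a batch of log lines."""
    suggestions = []
    for line in lines:
        s = suggest_interface(parse_avc(line))
        if s and s not in suggestions:
            suggestions.append(s)
    return suggestions
```

Running `triage(DENIALS)` yields the single call to add to the groupadd policy module, matching the conclusion above that seutil_read_file_contexts alone suffices.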
Will be in -r9
r9 now in hardened-dev overlay
r9 is now ~arch in main tree
Stabilized