[DSE-Dev] Bug#756468: selinux-policy-default: Installation of utempter fails because of deny of groupadd when SELinux is set to enforcing

Andreas Florath andre at flonatel.org
Wed Jul 30 06:14:24 UTC 2014


Package: selinux-policy-default
Version: 2:2.20110726-12
Severity: normal

Dear Maintainer,

the installation of selinux-policy-src when SELinux is set to enforcing
fails:

# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             default
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     denied
Max kernel policy version:      26

# se_apt-get install selinux-policy-src
[...]
Setting up libutempter0 (1.1.5-4) ...
Creating utempter group...
addgroup: `/usr/sbin/groupadd -g 104 utempter' returned error code 10. Exiting.
dpkg: error processing libutempter0 (--configure):
 subprocess installed post-installation script returned error exit status 1

(It looks like selinux-policy-src depends on libutempter0.)

Here is the audit.log of this event:
type=SYSCALL msg=audit(1406697782.110:13): arch=c000003e syscall=59 success=yes exit=0 a0=132a3d0 a1=132a450 a2=1601060 a3=0 items=0 ppid=7956 pid=7957 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=1 comm="groupadd" exe="/usr/sbin/groupadd" subj=system_u:system_r:groupadd_t:s0 key=(null)
type=AVC msg=audit(1406697782.122:14): avc:  denied  { search } for  pid=7957 comm="groupadd" name="contexts" dev=dm-0 ino=522851 scontext=system_u:system_r:groupadd_t:s0 tcontext=system_u:object_r:default_context_t:s0 tclass=dir
type=SYSCALL msg=audit(1406697782.122:14): arch=c000003e syscall=2 success=no exit=-13 a0=cfc340 a1=0 a2=1b6 a3=0 items=0 ppid=7956 pid=7957 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=1 comm="groupadd" exe="/usr/sbin/groupadd" subj=system_u:system_r:groupadd_t:s0 key=(null)
type=AVC msg=audit(1406697782.122:15): avc:  denied  { search } for  pid=7957 comm="groupadd" name="contexts" dev=dm-0 ino=522851 scontext=system_u:system_r:groupadd_t:s0 tcontext=system_u:object_r:default_context_t:s0 tclass=dir
type=SYSCALL msg=audit(1406697782.122:15): arch=c000003e syscall=2 success=no exit=-13 a0=cfc2d0 a1=0 a2=1b6 a3=0 items=0 ppid=7956 pid=7957 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=1 comm="groupadd" exe="/usr/sbin/groupadd" subj=system_u:system_r:groupadd_t:s0 key=(null)
type=AVC msg=audit(1406697782.122:16): avc:  denied  { search } for  pid=7957 comm="groupadd" name="contexts" dev=dm-0 ino=522851 scontext=system_u:system_r:groupadd_t:s0 tcontext=system_u:object_r:default_context_t:s0 tclass=dir
type=SYSCALL msg=audit(1406697782.122:16): arch=c000003e syscall=2 success=no exit=-13 a0=cfbc40 a1=0 a2=1b6 a3=0 items=0 ppid=7956 pid=7957 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=1 comm="groupadd" exe="/usr/sbin/groupadd" subj=system_u:system_r:groupadd_t:s0 key=(null)

The system is a fresh and minimalistic installation of Debian 7.6.

Kind regards

Andre

-- System Information:
Debian Release: 7.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages selinux-policy-default depends on:
ii  libpam-modules   1.1.3-7.1
ii  libselinux1      2.1.9-5
ii  libsepol1        2.1.4-3
ii  policycoreutils  2.1.10-9
ii  python           2.7.3-4+deb7u1

Versions of packages selinux-policy-default recommends:
ii  checkpolicy  2.1.8-2
ii  setools      3.3.7-3

Versions of packages selinux-policy-default suggests:
pn  logcheck        <none>
pn  syslog-summary  <none>

-- no debconf information
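
Added example, not part of the original report: a Python sketch for triaging an audit.log excerpt like the one above. It pairs each AVC denial with the SYSCALL record that shares its audit event ID and collapses repeated denials into one entry. The sample input is abridged from the records in the report, and the function name `summarize` is an assumption of this example.

```python
import errno
import re
from collections import defaultdict

# Constructed sample: records abridged from the audit.log excerpt in the report.
SAMPLE = """\
type=SYSCALL msg=audit(1406697782.110:13): arch=c000003e syscall=59 success=yes exit=0 pid=7957 comm="groupadd" exe="/usr/sbin/groupadd"
type=AVC msg=audit(1406697782.122:14): avc:  denied  { search } for  pid=7957 comm="groupadd" name="contexts" scontext=system_u:system_r:groupadd_t:s0 tcontext=system_u:object_r:default_context_t:s0 tclass=dir
type=SYSCALL msg=audit(1406697782.122:14): arch=c000003e syscall=2 success=no exit=-13 pid=7957 comm="groupadd" exe="/usr/sbin/groupadd"
type=AVC msg=audit(1406697782.122:15): avc:  denied  { search } for  pid=7957 comm="groupadd" name="contexts" scontext=system_u:system_r:groupadd_t:s0 tcontext=system_u:object_r:default_context_t:s0 tclass=dir
type=SYSCALL msg=audit(1406697782.122:15): arch=c000003e syscall=2 success=no exit=-13 pid=7957 comm="groupadd" exe="/usr/sbin/groupadd"
type=AVC msg=audit(1406697782.122:16): avc:  denied  { search } for  pid=7957 comm="groupadd" name="contexts" scontext=system_u:system_r:groupadd_t:s0 tcontext=system_u:object_r:default_context_t:s0 tclass=dir
type=SYSCALL msg=audit(1406697782.122:16): arch=c000003e syscall=2 success=no exit=-13 pid=7957 comm="groupadd" exe="/usr/sbin/groupadd"
"""

HEADER = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+:\d+)\): (.*)$")
PERMS = re.compile(r"denied\s+\{ ([^}]*) \}")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def summarize(log):
    """Group AVC denials by (source type, target type, class, perms)."""
    avcs, syscalls = [], {}
    for line in log.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue
        rtype, event_id, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        if rtype == "SYSCALL":
            syscalls[event_id] = fields
        elif rtype == "AVC" and (p := PERMS.search(body)):
            avcs.append((event_id, tuple(p.group(1).split()), fields))
    out = defaultdict(lambda: {"count": 0, "errors": set(), "exe": set()})
    for event_id, perms, f in avcs:
        # The SELinux type is the third colon-separated field of a context.
        key = (f["scontext"].split(":")[2], f["tcontext"].split(":")[2], f["tclass"], perms)
        sc = syscalls.get(event_id, {})  # SYSCALL record of the same event, if logged
        out[key]["count"] += 1
        if sc.get("success") == "no":  # a negative exit value is -errno
            out[key]["errors"].add(errno.errorcode.get(-int(sc["exit"]), sc["exit"]))
        if "exe" in sc:
            out[key]["exe"].add(sc["exe"])
    return dict(out)


if __name__ == "__main__":
    for (src, tgt, cls, perms), info in summarize(SAMPLE).items():
        print(f"{src} -> {tgt}:{cls} {{ {' '.join(perms)} }} x{info['count']} "
              f"{sorted(info['errors'])} {sorted(info['exe'])}")
```

Event 13 (the successful execve of groupadd) has no AVC record, so it does not appear in the summary.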


