SELinux issue in preinstall script
rekup commented
Hi there
With the introduction of "Set home dir in spec" #94 we are experiencing an issue on SELinux enforcing machines:
Running scriptlet: theia-1.34.1-1.x86_64 10/10
useradd: cannot create directory /usr/lib/theia
error: %prein(theia-1.34.1-1.x86_64) scriptlet failed, exit status 12
Error in PREIN scriptlet in rpm package theia
error: theia-1.34.1-1.x86_64: install failed
Apparently, the useradd command is not allowed to create directories in /usr/lib/:
[root@localhost ~]# audit2allow -w -a
type=AVC msg=audit(1678694795.019:138): avc: denied { write } for pid=27979 comm="useradd" name="lib" dev="dm-0" ino=135 scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=dir permissive=0
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
As a workaround, it's possible to create the directory before installing the package or define a custom SELinux policy. However, I think it would be a good idea to add a mkdir in the preinstall script before executing the useradd command or allow the user to overwrite the home directory.
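
One way the suggested mkdir-before-useradd preinstall step could look, as an added example that is not taken from the theia spec file. The user name theia, the useradd flags and the USERADD/CHOWN override variables are assumptions; only the path /usr/lib/theia comes from the log above.

```shell
#!/bin/sh
# Added example: body of a hypothetical %pre scriptlet.
# USERADD and CHOWN are overridable (assumption) so the logic can be
# exercised without root; in a real scriptlet the defaults are used.
USERADD=${USERADD:-useradd}
CHOWN=${CHOWN:-chown}

# create_service_user USER HOME
create_service_user() {
    user=$1
    home=$2

    # Create the home directory from the scriptlet itself, so that useradd
    # (running as useradd_t in the AVC record) never has to write to the
    # lib_t parent directory.
    if [ ! -d "$home" ]; then
        mkdir -p "$home" || return 1
    fi

    # Scriptlets also run on upgrade: only add the account if it is missing.
    if ! id -u "$user" >/dev/null 2>&1; then
        # -M: do not create the home directory; -d: only record its path.
        "$USERADD" -r -M -d "$home" -s /sbin/nologin "$user" || return 1
    fi

    # Hand the directory to the account once it exists.
    "$CHOWN" "$user" "$home" || return 1

    # Reset the SELinux label to the policy default where the tool exists.
    if command -v restorecon >/dev/null 2>&1; then
        restorecon -R "$home" 2>/dev/null || :
    fi
    return 0
}

# In the spec file this would be invoked as:
#   create_service_user theia /usr/lib/theia
```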