Problems creating a directory in /usr

Clive Hills discordianuk at gmail.com
Fri Feb 8 10:55:57 UTC 2013


I have a user application (the Reality/Pick database from Northgate
Reality) that requires the creation of a user before install.
That user *must* have as their home directory: /usr/realman. Prior to F16
I used to do "useradd -r -d /usr/realman -m realman".

On the most recent versions of Fedora this fails with :  "useradd: cannot
create directory /usr/realman".

I get an AVC which is : "
Clivetime->Fri Feb  8 10:30:02 2013
type=SYSCALL msg=audit(1360319402.989:97): arch=c000003e syscall=83
success=no exit=-13 a0=7fff498c2639 a1=0 a2=7f26197f6750 a3=6165726373662f72 items=0 ppid=1855
pid=2277 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
ses=1 tty=pts0 comm="useradd" exe="/usr/sbin/useradd"
subj=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1360319402.989:97): avc:  denied  { write } for
 pid=2277 comm="useradd" name="usr" dev="sda11" ino=917505
scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:usr_t:s0 tclass=dir".

Audit2why says : "type=AVC msg=audit(1360319402.989:97): avc:  denied  {
write } for  pid=2277 comm="useradd" name="usr" dev="sda11" ino=917505
scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:usr_t:s0 tclass=dir

Was caused by:
Missing type enforcement (TE) allow rule.

You can use audit2allow to generate a loadable module to allow this access.
"
and audit2allow says : "
#============= useradd_t ==============
#!!!! The source type 'useradd_t' can write to a 'dir' of the following
types:
# selinux_config_t, stapserver_var_lib_t, user_home_dir_t,
default_context_t, httpd_user_content_type, mail_spool_t, etc_t,
semanage_tmp_t, config_home_t, var_t, semanage_store_t,
selinux_login_config_t, httpd_user_script_exec_type, selinux_config_t,
pcscd_var_run_t, tmp_t, user_home_type, semanage_store_t, file_context_t,
home_root_t

allow useradd_t usr_t:dir write;
"
which I find confusing as it makes no reference to the /usr/realman or for
that matter /usr directories.

Please advise what I need to do to have it writeable by this application
(which is closed source to which I have no access).

Many thanks
Clive
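To make the connection between the AVC record and the rule audit2allow prints explicit, here is an added parser (my own example, not code from the thread or from the SELinux tools). It pulls the source type, target type, object class and permission set out of an AVC line and derives the same TE allow rule audit2allow would emit. The sample input is the AVC line from the post; the second, multi-permission line in the test is constructed. Note what the derived rule does not contain: the `name="usr"` field. A rule such as `allow useradd_t usr_t:dir write;` is keyed on the target type, so it permits useradd_t to write to every directory labelled usr_t, not only /usr, which is why reviewing the tcontext type before loading a generated module matters.

```python
import re

# AVC record exactly as posted in the thread, joined onto one line.
SAMPLE_AVC = (
    'type=AVC msg=audit(1360319402.989:97): avc:  denied  { write } for  '
    'pid=2277 comm="useradd" name="usr" dev="sda11" ino=917505 '
    'scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:usr_t:s0 tclass=dir'
)

# "avc:  denied  { write }" -> result + permission list inside the braces
_PERMS = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}')
# key=value pairs; values are either double-quoted or a run of non-space chars
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of the AVC fields plus the bare source/target types."""
    m = _PERMS.search(line)
    if not m:
        raise ValueError("not an AVC record: %r" % line)
    rec = {"result": m.group(1), "perms": m.group(2).split()}
    for key, value in _KV.findall(line):
        rec[key] = value.strip('"')
    # A security context is user:role:type[:range]; the type is the third field.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def te_rule(rec):
    """Derive the TE allow rule that would satisfy this denial.

    audit2allow writes a single permission bare and several inside braces.
    """
    perms = rec["perms"]
    perm_text = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
    return "allow %s %s:%s %s;" % (rec["stype"], rec["ttype"], rec["tclass"], perm_text)


def rule_scope(rec):
    """Explain what the derived rule actually grants: access is keyed on the
    target *type*, so the object name in the record is not part of the rule."""
    return ("rule grants %s to %s on every %s labelled %s; the denied object "
            "was only name=%s" % (" ".join(rec["perms"]), rec["stype"],
                                  rec["tclass"], rec["ttype"], rec.get("name", "?")))


if __name__ == "__main__":
    rec = parse_avc(SAMPLE_AVC)
    print(te_rule(rec))      # allow useradd_t usr_t:dir write;
    print(rule_scope(rec))
```

Running the block on the posted record prints the same `allow useradd_t usr_t:dir write;` line audit2allow produced, followed by a one-line statement of how far that rule reaches.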