SELinux issue in preinstall script #103

@rekup

Hi there

With the introduction of "Set home dir in spec" #94 we are experiencing an issue on SELinux enforcing machines:

  Running scriptlet: theia-1.34.1-1.x86_64                                                                                                              10/10 
useradd: cannot create directory /usr/lib/theia
error: %prein(theia-1.34.1-1.x86_64) scriptlet failed, exit status 12

Error in PREIN scriptlet in rpm package theia
error: theia-1.34.1-1.x86_64: install failed

Apparently, the useradd command is not allowed to create directories in /usr/lib/:

[root@localhost ~]# audit2allow -w -a
type=AVC msg=audit(1678694795.019:138): avc:  denied  { write } for  pid=27979 comm="useradd" name="lib" dev="dm-0" ino=135 scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=dir permissive=0
	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.

As a workaround, it's possible to create the directory before installing the package or to define a custom SELinux policy. However, I think it would be a good idea to add a mkdir in the preinstall script before executing the useradd command, or to allow the user to overwrite the home directory.
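
Added example, not part of the original issue and not the theia project's spec file: one way to write the mkdir-before-useradd idea suggested above as a function for a `%pre` scriptlet. The function name, the account name `theia` and the `/sbin/nologin` shell are assumptions, and it assumes the scriptlet's own process is permitted to create the directory under `/usr/lib`.

```shell
#!/bin/sh
# Sketch of a %pre scriptlet helper (hypothetical, not the project's spec).
# The denial in the issue is useradd (useradd_t) writing into a lib_t
# directory, so here the scriptlet creates the home directory itself and
# useradd is told not to touch the filesystem.

ensure_service_user() {
    user=$1
    home=$2

    # %pre also runs on upgrade: do nothing if the account already exists.
    if getent passwd "$user" >/dev/null 2>&1; then
        return 0
    fi

    # Directory is created by the scriptlet process, not by useradd.
    mkdir -p "$home" || return 1
    chmod 0750 "$home" || return 1

    # Create a matching system group only if it is missing.
    getent group "$user" >/dev/null 2>&1 || groupadd -r "$user" || return 1

    # -r  system account
    # -M  do not create the home directory
    # -d  only record the home path in passwd
    useradd -r -M -d "$home" -g "$user" -s /sbin/nologin "$user" || return 1

    # Ownership can only be assigned once the account exists.
    chown "$user:$user" "$home"
}

# In the spec file's %pre section this would be called as:
#   ensure_service_user theia /usr/lib/theia
```

With `-M`, `useradd` only edits the account databases, which is the access the `useradd_t` domain is meant to have; the write to `/usr/lib` that the AVC record shows being denied is never attempted by it.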
