Bug 1410978

Summary: firewalld update conflicts with selinux-policy
Product: [Fedora] Fedora
Reporter: Devin Henderson <devin>
Component: firewalld
Assignee: Rashid Khan <rkhan>
Status: CLOSED EOL
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 24
CC: agalama, allen, kai, marc-schmitzer, nieric, rickhg12hs, stepglenn, twoerner, woiling
Hardware: Unspecified   
OS: Unspecified   
Last Closed: 2017-08-08 19:32:58 UTC
Type: Bug

Description Devin Henderson 2017-01-07 03:14:45 UTC
Description of problem:

On Fedora 24 (but not 25), the latest firewalld package update conflicts with the selinux-policy package.

Running `dnf distro-sync` produces:

https://paste.fedoraproject.org/521096/83758542/raw/

Adding `--allowerasing` solves the deps but does so by removing selinux-policy and selinux-policy-targeted:

https://paste.fedoraproject.org/521097/37586441/raw/

`dnf update` skips firewalld, firewalld-filesystem, and python3-firewall because of the broken dependencies:

https://paste.fedoraproject.org/521098/83758717/raw/

I've verified with another user in the IRC channel (kk4ewt) that this is also happening to him on 32-bit f24, so it's probably happening on most or all f24 installs. However, on f25 it works fine. firewalld obsoletes/replaces firewalld-selinux and there are no dep errors.

Comment 1 Rick 2017-01-08 12:23:11 UTC
I have the same issue on 64-bit Fedora 24.

# dnf distro-sync
Last metadata expiration check: 0:43:23 ago on Sun Jan  8 12:38:23 2017.
Error: package firewalld-0.4.4.2-2.fc24.noarch conflicts with selinux-policy < 3.13.1-191.23 provided by selinux-policy-3.13.1-191.21.fc24.noarch
(try to add '--allowerasing' to command line to replace conflicting packages)
# dnf upgrade
Last metadata expiration check: 0:43:33 ago on Sun Jan  8 12:38:23 2017.
Dependencies resolved.
==============================================================================================================================================================================
 Package                                           Arch                                Version                                     Repository                            Size
==============================================================================================================================================================================
Skipping packages with broken dependencies:
 firewall-applet                                   noarch                              0.4.4.2-2.fc24                              updates                              119 k
 firewall-config                                   noarch                              0.4.4.2-2.fc24                              updates                              153 k
 firewalld                                         noarch                              0.4.4.2-2.fc24                              updates                              454 k
 firewalld-filesystem                              noarch                              0.4.4.2-2.fc24                              updates                               68 k
 python3-firewall                                  noarch                              0.4.4.2-2.fc24                              updates                              351 k

Transaction Summary
==============================================================================================================================================================================
Skip  5 Packages

Nothing to do.
Complete!

Comment 2 A. Galama 2017-01-09 07:15:09 UTC
Same problem here. Prevents me from upgrading to Fedora 25.

Comment 3 E.N. 2017-01-09 12:19:55 UTC
Same issue; it blocks automatic package updates and one has to manually type which ones to update, firewall excluded.

# dnf --assumeyes upgrade
Error: package firewalld-0.4.4.2-2.fc24.noarch conflicts with selinux-policy < 3.13.1-191.23 provided by selinux-policy-3.13.1-191.21.fc24.noarch.
[...]
(try to add '--allowerasing' to command line to replace conflicting packages)

# dnf --assumeyes --allowerasing upgrade
Error: package firewalld-0.4.4.2-2.fc24.noarch conflicts with [...]

# cat /etc/os-release 
NAME=Fedora
VERSION="24 (Workstation Edition)"
ID=fedora
VERSION_ID=24
PRETTY_NAME="Fedora 24 (Workstation Edition)"
ANSI_COLOR="0;34"
CPE_NAME="cpe:/o:fedoraproject:fedora:24"
HOME_URL="https://fedoraproject.org/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_BUGZILLA_PRODUCT="Fedora"
REDHAT_BUGZILLA_PRODUCT_VERSION=24
REDHAT_SUPPORT_PRODUCT="Fedora"
REDHAT_SUPPORT_PRODUCT_VERSION=24
PRIVACY_POLICY_URL=https://fedoraproject.org/wiki/Legal:PrivacyPolicy
VARIANT="Workstation Edition"
VARIANT_ID=workstation

Comment 4 Allen Hewes 2017-01-09 19:13:27 UTC
Issue is due to still pending selinux-policy updates. Update them from the testing repository with:

sudo dnf --enablerepo=updates-testing update selinux-policy selinux-policy-devel selinux-policy-doc

Then run dnf update.

From the selinux-policy packaging changelog:

* Tue Nov 29 2016 Lukas Vrabec  <lvrabec> 3.13.1-191.22
- Allow firewalld to getattr open search read modules_object_t:dir

Comment 5 E.N. 2017-01-09 21:52:04 UTC
(In reply to Allen Hewes from comment #4)
> Issue is due to still pending selinux-policy updates. Update them from the
> testing repository with:
> 
> sudo dnf --enablerepo=updates-testing update selinux-policy
> selinux-policy-devel selinux-policy-doc
And any other SELinux package available for updates, for good measure. In my case, there was also selinux-policy-targeted.

> 
> Then run dnf update.
> 
> From the selinux-policy packaging changelog:
> 
> * Tue Nov 29 2016 Lukas Vrabec  <lvrabec> 3.13.1-191.22
> - Allow firewalld to getattr open search read modules_object_t:dir
That did the trick, thanks for the reminder about the updates-testing repository. One can also check which updates are staged there by running
dnf --enablerepo=updates-testing check-update
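
The conflict in comments 1 and 3 names a bound (`selinux-policy < 3.13.1-191.23`), so whether a build from updates-testing clears it is a version comparison. The script below is an added example, not part of the original bug thread; its function names are hypothetical and `ver_lt` is a simplified numeric comparison, not rpm's full algorithm.

```shell
#!/bin/sh
# Added example (not from the bug thread; function names are this example's
# own): read the bound out of a dnf "conflicts with" error and test versions.

# Error line as quoted in comment 1.
SAMPLE_ERR='Error: package firewalld-0.4.4.2-2.fc24.noarch conflicts with selinux-policy < 3.13.1-191.23 provided by selinux-policy-3.13.1-191.21.fc24.noarch'

# stdin: dnf output. stdout: "<name> <bound> <installed version-release>"
# for each "conflicts with NAME < BOUND provided by NAME-VR.fcNN.ARCH" line.
parse_conflict() {
    sed -n 's/.* conflicts with \([^ ]*\) < \([^ ]*\) provided by \1-\([0-9][0-9.]*-[0-9][0-9.]*\)\.fc[0-9]*\..*/\1 \2 \3/p'
}

# Split version-release into numeric fields, dropping a trailing ".fcNN".
fields() {
    printf '%s\n' "$1" | sed 's/\.fc[0-9]*$//' | tr '.-' '  '
}

# Exit 0 if $1 sorts before $2. Simplified stand-in for rpm's comparison:
# numeric segments only, no epoch, no alphabetic or '~' segments.
ver_lt() {
    a=$(fields "$1"); b=$(fields "$2")
    set -- $a
    for y in $b; do
        x=${1:-0}
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
        if [ $# -gt 0 ]; then shift; fi
    done
    return 1
}

# $1: dnf error text, $2: candidate version-release of the conflicting package.
# Prints "ok" if the candidate is at or above the bound, else "conflict".
candidate_status() {
    set -- $(printf '%s\n' "$1" | parse_conflict | head -n 1) "$2"
    [ $# -eq 4 ] || { echo "unparsed"; return 2; }
    if ver_lt "$4" "$2"; then echo "conflict"; else echo "ok"; fi
}

# Candidates: the installed build, the changelog build, and the bound itself.
for v in 3.13.1-191.21 3.13.1-191.22 3.13.1-191.23; do
    printf '%s: %s\n' "$v" "$(candidate_status "$SAMPLE_ERR" "$v")"
done
```

The 3.13.1-191.22 build named in the changelog quoted in comment 4 still falls below the bound; the conflict clears only from 3.13.1-191.23 on.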

Comment 6 A. Galama 2017-01-10 07:12:19 UTC
This is obviously a bug in the release process that needs to be fixed: A package must not be released if it depends on packages pending in the testing repository.

Comment 7 Fedora End Of Life 2017-07-26 00:10:04 UTC
This message is a reminder that Fedora 24 is nearing its end of life.
Approximately 2 (two) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 24. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora 'version'
of '24'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version'
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not
able to fix it before Fedora 24 is end of life. If you would still like
to see this bug fixed and are able to reproduce it against a later version
of Fedora, you are encouraged to change the 'version' to a later Fedora
version prior to this bug being closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's
lifetime, sometimes those efforts are overtaken by events. Often a
more recent Fedora release includes newer upstream software that fixes
bugs or makes them obsolete.

Comment 8 Fedora End Of Life 2017-08-08 19:32:58 UTC
Fedora 24 changed to end-of-life (EOL) status on 2017-08-08. Fedora 24 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.