Bug 1600242

Summary: scriptlet failure when upgrading container-selinux
Product: [Fedora] Fedora
Reporter: Lukas Slebodnik <lslebodn>
Component: libsemanage
Assignee: Petr Lautrbach <plautrba>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 29
CC: amurdaca, dwalsh, fkluknav, jchaloup, lsm5, lvrabec, mgrepl, plautrba, vmojzis
Target Milestone: ---
Keywords: Reopened
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: libsemanage-2.8-3.fc29
Last Closed: 2018-09-25 14:24:16 UTC
Type: Bug

Description Lukas Slebodnik 2018-07-11 19:56:13 UTC
Description of problem:
Upgrade of container-selinux caused failures in scriptlets

Version-Release number of selected component (if applicable):
sh$ rpm -q container-selinux
container-selinux-2.67-2.git042f7cf.fc29.noarch

How reproducible:
Deterministic

Steps to Reproduce:
1. dnf update container-selinux


Actual results:
//upgrade contains
  Running scriptlet: container-selinux-2:2.67-2.git042f7cf.fc29.noarc    54/128 
neverallow check failed at /var/lib/selinux/targeted/tmp/modules/100/base/cil:9194
  (neverallow base_typeattr_7 unlabeled_t (file (entrypoint)))
    <root>
    allow at /var/lib/selinux/targeted/tmp/modules/200/container/cil:1580
      (allow spc_t unlabeled_t (file (entrypoint)))
    <root>
    allow at /var/lib/selinux/targeted/tmp/modules/100/sandboxX/cil:866
      (allow sandbox_x_domain exec_type (file (entrypoint)))
    <root>
    allow at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:1678
      (allow virtd_lxc_t exec_type (file (entrypoint)))
    <root>
    allow at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2069
      (allow svirt_sandbox_domain exec_type (file (entrypoint)))

Failed to generate binary
/usr/sbin/semodule:  Failed!

Expected results:
upgrade without any issue

Additional info:

Comment 1 Daniel Walsh 2018-07-12 13:13:03 UTC
Update your version of libsemanage


dnf update libsemanage
dnf reinstall container-selinux

Comment 2 Lukas Slebodnik 2018-07-13 12:41:50 UTC
It did not help (and I already had the latest libsemanage when I reported this bug).

[root@host ~]# rpm -q libsemanage
libsemanage-2.8-2.fc29.x86_64

[root@host ~]# dnf reinstall container-selinux
Last metadata expiration check: 3:17:57 ago on Fri 13 Jul 2018 11:21:36 AM CEST.
Dependencies resolved.
================================================================================
 Package              Arch      Version                        Repository  Size
================================================================================
Reinstalling:
 container-selinux    noarch    2:2.67-2.git042f7cf.fc29       rawhide     43 k

Transaction Summary
================================================================================

Total download size: 43 k
Installed size: 37 k
Is this ok [y/N]: y
Downloading Packages:
container-selinux-2.67-2.git042f7cf.fc29.noarch 142 kB/s |  43 kB     00:00    
--------------------------------------------------------------------------------
Total                                            32 kB/s |  43 kB     00:01     

Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                        1/1 
  Reinstalling     : container-selinux-2:2.67-2.git042f7cf.fc29.noarch      1/2 
  Running scriptlet: container-selinux-2:2.67-2.git042f7cf.fc29.noarch      1/2 
neverallow check failed at /var/lib/selinux/targeted/tmp/modules/100/base/cil:9194
  (neverallow base_typeattr_7 unlabeled_t (file (entrypoint)))
    <root>
    allow at /var/lib/selinux/targeted/tmp/modules/200/container/cil:1580
      (allow spc_t unlabeled_t (file (entrypoint)))
    <root>
    allow at /var/lib/selinux/targeted/tmp/modules/100/sandboxX/cil:866
      (allow sandbox_x_domain exec_type (file (entrypoint)))
    <root>
    allow at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:1678
      (allow virtd_lxc_t exec_type (file (entrypoint)))
    <root>
    allow at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2069
      (allow svirt_sandbox_domain exec_type (file (entrypoint)))

Failed to generate binary
/usr/sbin/semodule:  Failed!
  Running scriptlet: container-selinux-2:2.67-2.git042f7cf.fc29.noarch      2/2 
  Verifying        : container-selinux-2:2.67-2.git042f7cf.fc29.noarch      1/2 
  Verifying        : container-selinux-2:2.67-2.git042f7cf.fc29.noarch      2/2 

Reinstalled:
  container-selinux-2:2.67-2.git042f7cf.fc29.noarch                             

Complete!

Comment 3 Daniel Walsh 2018-07-13 12:47:28 UTC
This is a problem in libsemanage then.

You can fix it simply by editing the /etc/selinux/semanage.conf file and changing the expand-check value to 0.

expand-check=0

This should not be turned on in Rawhide.  It should only be turned on for selinux-policy builds.
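
The neverallow trace quoted in the description and in comment 2 can be triaged mechanically. The following is an added example, not part of the bug thread or of libsemanage: it pairs each location line with the CIL statement under it and reports which allow rules name the neverallow's target type literally. The function names are hypothetical, and the `modules/<priority>/<module>/cil:<line>` layout is read off the trace itself.

```python
import re
from collections import namedtuple

# semodule output copied from this report (dnf progress lines omitted).
TRACE = """\
neverallow check failed at /var/lib/selinux/targeted/tmp/modules/100/base/cil:9194
  (neverallow base_typeattr_7 unlabeled_t (file (entrypoint)))
    <root>
    allow at /var/lib/selinux/targeted/tmp/modules/200/container/cil:1580
      (allow spc_t unlabeled_t (file (entrypoint)))
    <root>
    allow at /var/lib/selinux/targeted/tmp/modules/100/sandboxX/cil:866
      (allow sandbox_x_domain exec_type (file (entrypoint)))
    <root>
    allow at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:1678
      (allow virtd_lxc_t exec_type (file (entrypoint)))
    <root>
    allow at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2069
      (allow svirt_sandbox_domain exec_type (file (entrypoint)))
"""

Rule = namedtuple("Rule", "kind priority module line source target")
# Location line: ".../modules/<priority>/<module>/cil:<line>"
LOC = re.compile(r"(neverallow check failed|allow) at \S*/modules/(\d+)/([^/\s]+)/cil:(\d+)")
# Statement line: "(allow|neverallow <source> <target> (<class> (<perms>)))"
STMT = re.compile(r"\((?:never)?allow\s+(\S+)\s+(\S+)\s+\(")

def parse_trace(text):
    """Pair each location line with the CIL statement printed under it."""
    rules, pending = [], None
    for raw in text.splitlines():
        loc = LOC.search(raw)
        if loc:
            kind = "neverallow" if loc.group(1).startswith("never") else "allow"
            pending = (kind, int(loc.group(2)), loc.group(3), int(loc.group(4)))
            continue
        stmt = STMT.search(raw)
        if stmt and pending:  # a statement with no location above it is ignored
            rules.append(Rule(*pending, stmt.group(1), stmt.group(2)))
            pending = None
    return rules

def literal_conflicts(rules):
    """Allow rules whose target is spelled exactly like the neverallow's target.
    Rules that target an attribute (exec_type here) are not resolved."""
    targets = {r.target for r in rules if r.kind == "neverallow"}
    return [r for r in rules if r.kind == "allow" and r.target in targets]

if __name__ == "__main__":
    for r in literal_conflicts(parse_trace(TRACE)):
        print(f"{r.module} (priority {r.priority}) cil:{r.line}: {r.source} -> {r.target}")
```

On the trace from this report, the only literal match is the `spc_t` rule in the `container` module at priority 200.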

Comment 4 Jan Kurik 2018-08-14 09:53:57 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 29 development cycle.
Changing version to '29'.