Bug 1728700
Summary: | Unable to install container-selinux 2.107 | | |
---|---|---|---|
Product: | Red Hat Enterprise Linux 8 | Reporter: | Qian Cai <qcai> |
Component: | container-selinux | Assignee: | Jindrich Novy <jnovy> |
Status: | CLOSED ERRATA | QA Contact: | atomic-bugs <atomic-bugs> |
Severity: | high | Docs Contact: | |
Priority: | high | | |
Version: | 8.0 | CC: | ddarrah, dornelas, dperpeet, dwalsh, lsm5, lvrabec, plautrba, pthomas, santiago, tpetr, wchadwic, ypu |
Target Milestone: | rc | Keywords: | Regression, Reopened |
Target Release: | 8.1 | | |
Hardware: | ppc64le | | |
OS: | All | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2019-11-05 21:02:47 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | 1697826 | | |
Bug Blocks: | | | |

Description
Qian Cai
2019-07-10 13:40:31 UTC
Apparently, this is an 8.1 container-selinux version that is not going to work well with the 8.0.1 selinux policy.

Actually, I think the bug is still valid as once 8.1 is released, and people would hit this bug on 8.0 systems where it uses container-tools:rhel8 stream instead of 1.0.

Lukas and Petr, what is the command to see the attribute that semodule is complaining about?

You should be able to open and read the file in the report:

```
# bzless /var/lib/selinux/targeted/tmp/modules/200/container/cil
```

or if you have a source .pp file, you can use:

```
# /usr/libexec/selinux/hll/pp container.pp
```

line 258 seems to be:

```
(typeattributeset cil_gen_require kmod_t)
```

Btw this looks suspicious:

```
# rpm -ivh container-selinux-2.107-1.module+el8.1.0+3402+f73c5901.noarch.rpm
error: Failed dependencies:
        selinux-policy-base >= 3.13.1-216.el7 is needed by container-selinux-2:2.107-1.module+el8.1.0+3402+f73c5901.noarch
        selinux-policy-targeted >= 3.13.1-216.el7 is needed by container-selinux-2:2.107-1.module+el8.1.0+3402+f73c5901.noarch
```

It looks like el8.1.0 requires something from .el7

(In reply to Petr Lautrbach from comment #8)
> Btw this looks suspicious:
>
> # rpm -ivh container-selinux-2.107-1.module+el8.1.0+3402+f73c5901.noarch.rpm
> error: Failed dependencies:
> selinux-policy-base >= 3.13.1-216.el7 is needed by
> container-selinux-2:2.107-1.module+el8.1.0+3402+f73c5901.noarch
> selinux-policy-targeted >= 3.13.1-216.el7 is needed by
> container-selinux-2:2.107-1.module+el8.1.0+3402+f73c5901.noarch
>
> It looks like el8.1.0 requires something from .el7

Can't reproduce it on my env

```
$ sudo rpm -ivh container-selinux-2.107-1.module+el8.1.0+3402+f73c5901.noarch.rpm
Verifying...                          ################################# [100%]
Preparing...                          ################################# [100%]
Updating / installing...
   1:container-selinux-2:2.107-1.modul################################# [100%]
```

so Cai Qian pointed out a spec file issue in container-selinux which explicitly mentions an el7 build.
Specifically, https://pkgs.devel.redhat.com/cgit/rpms/container-selinux/tree/container-selinux.spec?h=stream-container-tools-rhel8-rhel-8.1.0#n24 .

```
%global selinux_policyver 3.13.1-216.el7
```

But in the lines below where it's used, it's always `>= %{selinux_policyver}`. So dnf install should work.

(In reply to Petr Lautrbach from comment #7)
> You should be able to open and read the file in the report:
>
> # bzless /var/lib/selinux/targeted/tmp/modules/200/container/cil
>
> or if you have a source .pp file, you can use:
>
> # /usr/libexec/selinux/hll/pp container.pp
>
>
> line 258 seems to be:
>
> (typeattributeset cil_gen_require kmod_t)

Seems this is the real issue here as semodule failing at this will break the whole transaction.

The el7 in the `%global selinux_policyver 3.13.1-216.el7` is a red herring as there is this later in the spec:

```
Requires: selinux-policy >= %{selinux_policyver}
Requires(post): selinux-policy-base >= %{selinux_policyver}
Requires(post): selinux-policy-targeted >= %{selinux_policyver}
```

Note it is el8 version of container-selinux-2:2.107-1.module+el8.1.0+3402+f73c5901.noarch which is pulled via the dep which fails.

Anyone SELinux policy experienced, any idea why %post fails with this?

```
%{_sbindir}/semodule -n -s %{selinuxtype} -r container 2> /dev/null
```

Most likely some other package is requiring container.pp to be installed.

(In reply to Daniel Walsh from comment #17)
> Most likely some other package is requiring container.pp to be installed.

Not sure about this as the scriptlet of container-selinux itself fails according to the report:

```
Installing       : container-selinux-2:2.107-1.module+el8.1.0+3402+f73c5901.noarch 1/1
Running scriptlet: container-selinux-2:2.107-1.module+el8.1.0+3402+f73c5901.noarch 1/1
Failed to resolve typeattributeset statement at /var/lib/selinux/targeted/tmp/modules/200/container/cil:258
/usr/sbin/semodule: Failed!
```

Or there is a file trigger on container.pp.bz2 in a different package executing this?
Is that what you are trying to say, Dan?

I think container-selinux requires a newer version of selinux-policy to be installed

Yes, selinux-policy >= 3.14.3-9.el8. That is what I tried to say in comment 12, I am sorry for not being clear.

So container-selinux should require that version or newer to be installed prior to post.

Thanks Ed, Dan. Only dev_ack is remaining and it's ready to get committed and built.

Related request is already added to container-selinux-2.107-2.module+el8.1.0+4081+b29780af.noarch. So set this to verified.

```
# rpm -qR container-selinux
/bin/sh
/bin/sh
libselinux-utils
policycoreutils >= 2.5-11
policycoreutils-python-utils
rpmlib(CompressedFileNames) <= 3.0.4-1
rpmlib(FileDigests) <= 4.6.0-1
rpmlib(PayloadFilesHavePrefix) <= 4.0-1
rpmlib(PayloadIsXz) <= 5.2-1
sed
selinux-policy >= 3.14.3-9.el8
selinux-policy-base >= 3.14.3-9.el8
selinux-policy-targeted >= 3.14.3-9.el8
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:3403
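Why the old floor `>= 3.13.1-216.el7` let the package install on a policy that was too old, while the new floor `>= 3.14.3-9.el8` blocks it before `%post` runs, shown as an added example (not code from this bug report, the spec file or rpm itself). It is a simplified reimplementation of rpm's version ordering that ignores `~` and `^`, and the installed policy version is a constructed sample, not a value from the report.

```python
import re

SEGMENT = re.compile(r"\d+|[A-Za-z]+")

def rpmvercmp(a: str, b: str) -> int:
    """Order two version or release strings segment by segment (simplified rpm rules)."""
    sa, sb = SEGMENT.findall(a), SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num != y_num:
            return 1 if x_num else -1      # a numeric segment is newer than an alphabetic one
        if x_num:
            x, y = int(x), int(y)          # numbers compare by value, not as text
        if x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with segments left over is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def parse_evr(evr: str):
    """Split '[epoch:]version-release' into (epoch, version, release)."""
    epoch, _, rest = evr.rpartition(":")
    version, _, release = rest.partition("-")
    return int(epoch or 0), version, release

def compare_evr(a: str, b: str) -> int:
    """Epoch first, then version; the release (and its .el7/.el8 tag) only breaks ties."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def satisfies(installed: str, minimum: str) -> bool:
    """True when 'Requires: pkg >= minimum' is met by the installed EVR."""
    return compare_evr(installed, minimum) >= 0

OLD_FLOOR = "3.13.1-216.el7"        # %global selinux_policyver in the 2.107-1 spec (from the report)
NEW_FLOOR = "3.14.3-9.el8"          # requirement shown by rpm -qR after the fix (from the report)
INSTALLED_POLICY = "3.14.1-61.el8"  # constructed sample of an older el8 selinux-policy

if __name__ == "__main__":
    for floor in (OLD_FLOOR, NEW_FLOOR):
        verdict = "satisfied" if satisfies(INSTALLED_POLICY, floor) else "NOT satisfied"
        print(f"selinux-policy {INSTALLED_POLICY} vs '>= {floor}': {verdict}")
```
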