Bug 1728700

Summary: Unable to install container-selinux 2.107
Product: Red Hat Enterprise Linux 8
Reporter: Qian Cai <qcai>
Component: container-selinux
Assignee: Jindrich Novy <jnovy>
Status: CLOSED ERRATA
QA Contact: atomic-bugs <atomic-bugs>
Severity: high
Priority: high
Version: 8.0
CC: ddarrah, dornelas, dperpeet, dwalsh, lsm5, lvrabec, plautrba, pthomas, santiago, tpetr, wchadwic, ypu
Target Milestone: rc
Keywords: Regression, Reopened
Target Release: 8.1
Hardware: ppc64le
OS: All
Doc Type: If docs needed, set a value
Last Closed: 2019-11-05 21:02:47 UTC
Type: Bug
Bug Depends On: 1697826

Description Qian Cai 2019-07-10 13:40:31 UTC
Description of problem:
  Installing       : container-selinux-2:2.107-1.module+el8.1.0+3402+f73c5901.noarch    1/1
  Running scriptlet: container-selinux-2:2.107-1.module+el8.1.0+3402+f73c5901.noarch    1/1
Failed to resolve typeattributeset statement at /var/lib/selinux/targeted/tmp/modules/200/container/cil:258
/usr/sbin/semodule:  Failed!

Comment 2 Qian Cai 2019-07-10 14:04:35 UTC
Apparently, this is an 8.1 container-selinux version that is not going to work well with the 8.0.1 selinux policy.

Comment 3 Qian Cai 2019-07-10 14:08:15 UTC
Actually, I think the bug is still valid, as once 8.1 is released, people would hit this bug on 8.0 systems where it uses the container-tools:rhel8 stream instead of 1.0.

Comment 6 Daniel Walsh 2019-07-15 17:57:41 UTC
Lukas and Petr, what is the command to see the attribute that semodule is complaining about?

Comment 7 Petr Lautrbach 2019-07-16 07:05:07 UTC
You should be able to open and read the file in the report:

# bzless /var/lib/selinux/targeted/tmp/modules/200/container/cil

or if you have a source .pp file, you can use:

# /usr/libexec/selinux/hll/pp container.pp


line 258 seems to be:

(typeattributeset cil_gen_require kmod_t)
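
The statement quoted above is a generated require: CIL resolution fails when a name in a `(typeattributeset cil_gen_require ...)` line is not defined by the installed policy. The following is an added example, not part of the original thread, that lists every such require in a decompiled module that is missing from a list of known names; the function names and both sample inputs are constructed, and the known-names file is assumed to come from something like `seinfo -t` and `seinfo -a` output.

```shell
# missing_requires KNOWN_FILE < module.cil
# KNOWN_FILE: one type or attribute name per line; leading indentation is
# stripped and header lines containing ':' (e.g. "Types: 1") are skipped.
# Prints LINE:NAME for each cil_gen_require whose NAME is not in KNOWN_FILE.
missing_requires() {
    awk -v known_file="$1" '
        BEGIN {
            while ((getline line < known_file) > 0) {
                gsub(/^[ \t]+|[ \t]+$/, "", line)
                if (line != "" && line !~ /:/) known[line] = 1
            }
        }
        $1 == "(typeattributeset" && $2 == "cil_gen_require" {
            name = $3
            sub(/\)+$/, "", name)          # drop the closing parenthesis
            if (!(name in known)) print NR ":" name
        }
    '
}

# Constructed CIL excerpt (not the real container module).
sample_cil() {
    cat <<'EOF'
(typeattributeset cil_gen_require domain)
(typeattributeset cil_gen_require init_t)
(typeattributeset cil_gen_require kmod_t)
(type container_t)
(typeattributeset domain (container_t))
EOF
}

# Constructed list of names defined by an older base policy.
sample_known() {
    cat <<'EOF'
Types: 1
   init_t
Attributes: 1
   domain
EOF
}

demo() {
    known=$(mktemp) || return 1
    sample_known > "$known"
    sample_cil | missing_requires "$known"
    rm -f "$known"
}

demo    # prints 3:kmod_t
```

On a real host the module text would be piped in from the `bzless`/`pp` commands quoted above instead of `sample_cil`.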

Comment 8 Petr Lautrbach 2019-07-16 07:55:01 UTC
Btw this looks suspicious:

# rpm -ivh container-selinux-2.107-1.module+el8.1.0+3402+f73c5901.noarch.rpm 
error: Failed dependencies:
         selinux-policy-base >= 3.13.1-216.el7 is needed by container-selinux-2:2.107-1.module+el8.1.0+3402+f73c5901.noarch
         selinux-policy-targeted >= 3.13.1-216.el7 is needed by container-selinux-2:2.107-1.module+el8.1.0+3402+f73c5901.noarch

It looks like el8.1.0 requires something from .el7

Comment 9 Lokesh Mandvekar 2019-07-22 15:08:55 UTC
(In reply to Petr Lautrbach from comment #8)
> Btw this looks suspicious:
> 
> # rpm -ivh container-selinux-2.107-1.module+el8.1.0+3402+f73c5901.noarch.rpm 
> error: Failed dependencies:
>          selinux-policy-base >= 3.13.1-216.el7 is needed by
> container-selinux-2:2.107-1.module+el8.1.0+3402+f73c5901.noarch
>          selinux-policy-targeted >= 3.13.1-216.el7 is needed by
> container-selinux-2:2.107-1.module+el8.1.0+3402+f73c5901.noarch
> 
> It looks like el8.1.0 requires something from .el7

Can't reproduce it on my env

$ sudo rpm -ivh container-selinux-2.107-1.module+el8.1.0+3402+f73c5901.noarch.rpm 
Verifying...                          ################################# [100%]
Preparing...                          ################################# [100%]
Updating / installing...
   1:container-selinux-2:2.107-1.modul################################# [100%]

Comment 10 Lokesh Mandvekar 2019-07-22 15:15:30 UTC
So Cai Qian pointed out a spec file issue in container-selinux which explicitly mentions an el7 build. Specifically, https://pkgs.devel.redhat.com/cgit/rpms/container-selinux/tree/container-selinux.spec?h=stream-container-tools-rhel8-rhel-8.1.0#n24 :

%global selinux_policyver 3.13.1-216.el7

But in the lines below where it's used, it's always `>= %{selinux_policyver}`. So dnf install should work.

Comment 16 Jindrich Novy 2019-07-30 17:56:25 UTC
(In reply to Petr Lautrbach from comment #7)
> You should be able to open and read the file in the report:
> 
> # bzless /var/lib/selinux/targeted/tmp/modules/200/container/cil
> 
> or if you have a source .pp file, you can use:
> 
> # /usr/libexec/selinux/hll/pp container.pp
> 
> 
> line 258 seems to be:
> 
> (typeattributeset cil_gen_require kmod_t)

Seems this is the real issue here as semodule failing at this will break the whole transaction.

The el7 in the %global selinux_policyver 3.13.1-216.el7 is a red herring as there is this later in the spec:

Requires: selinux-policy >= %{selinux_policyver}
Requires(post): selinux-policy-base >= %{selinux_policyver}
Requires(post): selinux-policy-targeted >= %{selinux_policyver}

Note it is the el8 version of container-selinux-2:2.107-1.module+el8.1.0+3402+f73c5901.noarch which is pulled via the dep which fails.

Anyone experienced with SELinux policy, any idea why %post fails with this?

%{_sbindir}/semodule -n -s %{selinuxtype} -r container 2> /dev/null

Comment 17 Daniel Walsh 2019-07-30 19:17:59 UTC
Most likely some other package is requiring container.pp to be installed.

Comment 18 Jindrich Novy 2019-08-05 14:51:12 UTC
(In reply to Daniel Walsh from comment #17)
> Most likely some other package is requiring container.pp to be installed.

Not sure about this as the scriptlet of container-selinux itself fails according to the report:

  Installing       : container-selinux-2:2.107-1.module+el8.1.0+3402+f73c5901.noarch    1/1
  Running scriptlet: container-selinux-2:2.107-1.module+el8.1.0+3402+f73c5901.noarch    1/1
Failed to resolve typeattributeset statement at /var/lib/selinux/targeted/tmp/modules/200/container/cil:258
/usr/sbin/semodule:  Failed!

Or is there a file trigger on container.pp.bz2 in a different package executing this? Is that what you are trying to say, Dan?

Comment 19 Daniel Walsh 2019-08-05 16:52:54 UTC
I think container-selinux requires a newer version of selinux-policy to be installed

Comment 20 Ed Santiago 2019-08-05 17:14:54 UTC
Yes, selinux-policy >= 3.14.3-9.el8. That is what I tried to say in comment 12, I am sorry for not being clear.

Comment 21 Daniel Walsh 2019-08-05 19:55:08 UTC
So container-selinux should require that version or newer to be installed prior to post.

Comment 22 Jindrich Novy 2019-08-13 13:21:15 UTC
Thanks Ed, Dan.

Only dev_ack is remaining and it's ready to get committed and built.

Comment 24 Joy Pu 2019-09-27 15:59:57 UTC
The related request is already added to container-selinux-2.107-2.module+el8.1.0+4081+b29780af.noarch. So setting this to verified.
# rpm -qR container-selinux
/bin/sh
/bin/sh
libselinux-utils
policycoreutils >= 2.5-11
policycoreutils-python-utils
rpmlib(CompressedFileNames) <= 3.0.4-1
rpmlib(FileDigests) <= 4.6.0-1
rpmlib(PayloadFilesHavePrefix) <= 4.0-1
rpmlib(PayloadIsXz) <= 5.2-1
sed
selinux-policy >= 3.14.3-9.el8
selinux-policy-base >= 3.14.3-9.el8
selinux-policy-targeted >= 3.14.3-9.el8

Comment 26 errata-xmlrpc 2019-11-05 21:02:47 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:3403