Bug 1775994

| Field | Value |
|---|---|
| Summary | Binary policy creation failed at /var/lib/selinux/targeted/tmp/modules/200/container/cil:1786 |
| Product | [Fedora] Fedora |
| Reporter | James Begley <fedora> |
| Component | container-selinux |
| Assignee | Lokesh Mandvekar <lsm5> |
| Status | CLOSED CURRENTRELEASE |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Severity | high |
| Priority | unspecified |
| Version | 31 |
| CC | amurdaca, boeroboy, dwalsh, jchaloup, koen.schram, lsm5, parasail_stanf, prd-fedora, rh.container.bot, tim, zpytela |
| Hardware | x86_64 |
| OS | Linux |
| | 1782225 |
| Last Closed | 2020-09-10 13:07:56 UTC |
| Type | Bug |

Description
James Begley
2019-11-24 11:43:11 UTC
A PR has been sent to merge: https://github.com/containers/container-selinux/pull/84

Thanks for the prompt response. However, attempting to install the fc32 package that has been created following that merge on this fc31 system results in the following errors:

```
Upgrading : container-selinux-2:2.123.0-0.1.dev.git661a904.fc32 1/2
Running scriptlet: container-selinux-2:2.123.0-0.1.dev.git661a904.fc32 1/2
libsemanage.semanage_pipe_data: Child process /usr/libexec/selinux/hll/pp failed with code: 255. (No such file or directory).
container: libsepol.policydb_read: policydb module version 20 does not match my version range 4-19
container: libsepol.sepol_module_package_read: invalid module in module package (at section 0)
container: Failed to read policy package
libsemanage.semanage_direct_commit: Failed to compile hll files into cil files. (No such file or directory).
/usr/sbin/semodule: Failed!
Conflicting name type transition rules
Binary policy creation failed at /var/lib/selinux/targeted/tmp/modules/200/container/cil:1786
Failed to generate binary
semodule: Failed!
Running scriptlet: container-selinux-2:2.119.1-2.fc31.noarch 2/2
Conflicting name type transition rules
Binary policy creation failed at /var/lib/selinux/targeted/tmp/modules/200/container/cil:1786
Failed to generate binary
semodule: Failed!
Cleanup : container-selinux-2:2.119.1-2.fc31.noarch 2/2
Running scriptlet: container-selinux-2:2.119.1-2.fc31.noarch 2/2
Verifying : container-selinux-2:2.123.0-0.1.dev.git661a904.fc32 1/2
Verifying : container-selinux-2:2.119.1-2.fc31.noarch 2/2
Upgraded: container-selinux-2:2.123.0-0.1.dev.git661a904.fc32.noarch
```

selinux is still preventing podman from starting any containers.

James, On a F31 system please use the package built for F31 instead: https://bodhi.fedoraproject.org/updates/FEDORA-2019-edc1551b22

The build from that bodhi update (container-selinux-2:2.123.0-1.fc31.noarch) installs cleanly and appears to resolve the issues with starting podman.

Thanks :) Please update the karma.

Fixed in container-selinux-2:2.123.0-1.fc31

Closing, please reopen if issue isn't fixed.

Strangely enough this has just appeared in one of my F35 boxes. Another one works fine. I think it may be caused from me previously installing a docker-ce.el8 package earlier. Is there a manual workaround to restore labels?

Wow, completely removing and reinstalling all of it shows other label issues. All of this even with selinux temporarily set to permissive. I'll dig some more and file a new issue if it's unrelated.

```
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Running scriptlet: container-selinux-2:2.170.0-2.fc35.noarch 1/16
Installing : container-selinux-2:2.170.0-2.fc35.noarch 1/16
Running scriptlet: container-selinux-2:2.170.0-2.fc35.noarch 1/16
libsepol.context_from_record: type nx_server_var_run_t is not defined
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert system_u:object_r:nx_server_var_run_t:s0 to sid
invalid context system_u:object_r:nx_server_var_run_t:s0
Failed to commit changes to booleans: Success
Problems processing filecon rules
Failed post db handling
Post process failed
/usr/sbin/semodule: Failed!
/etc/selinux/targeted/contexts/files/file_contexts: invalid context system_u:object_r:container_var_lib_t:s0
Problems processing filecon rules
Failed post db handling
Post process failed
semodule: Failed!
```

Please open a new bugzilla, do not add to old bugzilla. You might need to update selinux-policy as well.

This issue usually occurs after upgrading systems. Solution: https://help.eset.com/efs/8.1/en-US/upgrade-fails-selinux.html

1. Remove all trouble-making modules

```
sudo semodule --priority=200 -r container
```

2. Reinstall SELinux packages and rebuild the policy

```
sudo dnf reinstall selinux-policy container-selinux
```
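
Added example, not part of this bug thread or of the container-selinux project: the semodule errors quoted above already name what to act on, because the failing path encodes the store, priority and module name that the workaround's `semodule --priority=200 -r container` takes. The function name `triage`, the finding labels and `SAMPLE_LOG` (constructed from lines quoted in this report) are assumptions made for illustration.

```python
import re

# Constructed sample: lines taken from the two scriptlet outputs quoted in this report.
SAMPLE_LOG = """\
container: libsepol.policydb_read: policydb module version 20 does not match my version range 4-19
Conflicting name type transition rules
Binary policy creation failed at /var/lib/selinux/targeted/tmp/modules/200/container/cil:1786
Binary policy creation failed at /var/lib/selinux/targeted/tmp/modules/200/container/cil:1786
libsepol.context_from_record: type nx_server_var_run_t is not defined
/etc/selinux/targeted/contexts/files/file_contexts: invalid context system_u:object_r:container_var_lib_t:s0
"""

VERSION = re.compile(r"^(\S+): libsepol\.policydb_read: policydb module version (\d+) "
                     r"does not match my version range (\d+)-(\d+)")
# Module store layout: /var/lib/selinux/<store>/<tmp|active>/modules/<priority>/<name>/cil
CIL_FAIL = re.compile(r"Binary policy creation failed at "
                      r"/var/lib/selinux/([^/]+)/[^/]+/modules/(\d+)/([^/]+)/cil:(\d+)")
UNDEF_TYPE = re.compile(r"type (\w+) is not defined")
BAD_CONTEXT = re.compile(r"invalid context (\S+)")


def triage(log):
    """Return ordered, de-duplicated (kind, detail) findings from semodule output."""
    findings = []
    for line in map(str.strip, log.splitlines()):
        if m := VERSION.match(line):
            name, built, low, high = m[1], int(m[2]), int(m[3]), int(m[4])
            # A module newer than the host's libsepol range points to a package
            # built for a later release (the fc32 build on fc31 in this report).
            age = "newer" if built > high else "older"
            hit = ("module-version", f"{name}: v{built} is {age} than supported v{low}-v{high}")
        elif m := CIL_FAIL.search(line):
            # Priority (m[2]) and module name (m[3]) are the removal command's arguments.
            hit = ("cil-failure", f"semodule --priority={m[2]} -r {m[3]}")
        elif m := UNDEF_TYPE.search(line):
            hit = ("undefined-type", m[1])
        elif m := BAD_CONTEXT.search(line):
            hit = ("invalid-context", m[1])
        else:
            continue
        if hit not in findings:  # dnf repeats the same error once per scriptlet
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind:15} {detail}")
```
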