Bug 1797574

Summary: selinux-policy-targeted-3.14.3-38.el8: installation script warns: Conflicting name type transition rules: Binary policy creation failed at /var/lib/selinux/targeted/tmp/modules/200/container/cil:1657
Product: Red Hat Enterprise Linux 8
Reporter: Petr Pisar <ppisar>
Component: container-selinux
Assignee: Jindrich Novy <jnovy>
Status: CLOSED WORKSFORME
QA Contact: atomic-bugs <atomic-bugs>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 8.2
CC: dwalsh, jnovy
Target Milestone: rc
Target Release: 8.2
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1778612
Environment:
Last Closed: 2020-02-03 13:34:56 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Petr Pisar 2020-02-03 12:35:50 UTC
+++ This bug was initially created as a clone of Bug #1778612 +++

When upgrading to or reinstalling selinux-policy-3.14.5-18.fc32, RPM prints this warning:

Conflicting name type transition rules
Binary policy creation failed at /var/lib/selinux/targeted/tmp/modules/200/container/cil:1293
Failed to generate binary
semodule:  Failed!

--- Additional comment from Adrian Reber on 2019-12-02 13:38:08 GMT ---

I see the same on a RHEL 8 system installing container-selinux-2.116-1.module+el8.2.0+4456+e1e0d171.noarch.rpm

--- Additional comment from Ed Santiago on 2019-12-12 12:37:37 GMT ---

Seeing the same on fc30, selinux-policy-targeted-3.14.3-52.fc30 -> selinux-policy-targeted-3.14.3-53.fc30.noarch

   Running scriptlet: selinux-policy-targeted-3.14.3-53.fc30.noarch         3/32
   Conflicting name type transition rules
   Binary policy creation failed at /var/lib/selinux/targeted/tmp/modules/200/container/cil:1784
   Failed to generate binary
   /usr/sbin/semodule:  Failed!

/var/log/audit/audit.log:

   type=AVC msg=audit(1576153530.565:733284): avc:  denied  { mac_admin } for  pid=16970 comm="restorecon" capability=33 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=capability2 permissive=0

--- Additional comment from Jindrich Novy on 2019-12-12 16:17:59 GMT ---

We might wanna apply https://github.com/containers/container-selinux/commit/0b25a4a5f05e1810f6bbeffcc40d89c3db5d2a30 to the spec to see whether it fixes the problem. It currently works well in RHEL.

--- Additional comment from Daniel Walsh on 2019-12-12 23:54:55 GMT ---

Yes, we want this, but I believe we already have this in Rawhide; if I am mistaken, please make the change.

--- Additional comment from Quentin Armitage on 2019-12-23 12:09:59 GMT ---

I have just done a fresh install of fc31 followed by dnf upgrade and experienced the same problems; it also stopped some other packages upgrading properly. The original version on the system of container-selinux was 2.117.0-1.gitbfde70a and I got the same problems regardless of whether I excluded container-selinux from the dnf upgrade or not. The upgraded version is 2.123.0-2.

I built container-selinux 2.123.0-2 incorporating commits c36566 and cf0837 from https://src.fedoraproject.org/rpms/container-selinux/commits/master, and installing the new rpm before doing the dnf upgrade resolved the problems.

Would it be possible to merge the two commits mentioned above into the f30 and f31 branches?

--- Additional comment from Jindrich Novy on 2019-12-23 13:19:32 GMT ---

Ok, the changes are present in rawhide and applied the same to F31.

--- Additional comment from Fedora Update System on 2019-12-23 13:23:10 GMT ---

FEDORA-2019-e49b4789f6 has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2019-e49b4789f6

-----

I see a similar error in RHEL 8.2 when reinstalling selinux-policy-3.14.3-38.el8:

Conflicting name type transition rules
Binary policy creation failed at /var/lib/selinux/targeted/tmp/modules/200/container/cil:1657
Failed to generate binary
semodule:  Failed!

I have installed:

# rpm -qa |grep selinux
libselinux-2.9-3.el8.x86_64
libselinux-devel-2.9-3.el8.x86_64
libselinux-utils-2.9-3.el8.x86_64
python3-libselinux-2.9-3.el8.x86_64
rpm-plugin-selinux-4.14.2-36.el8.x86_64
selinux-policy-targeted-3.14.3-38.el8.noarch
selinux-policy-3.14.3-38.el8.noarch

Please note that I have expand-check=0 (bug #1669092).
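The "Conflicting name type transition rules" message is emitted by the CIL compiler when two `typetransition` rules in the policy being built share the same source type, target type, object class and file name but name different result types; CIL's `(typetransition SRC TGT CLASS "NAME" RESULT)` form is what the `container/cil` file referenced above consists of. The check below is added here as an illustration and is not part of this bug report or of container-selinux. It parses CIL text, groups the named transitions by their four-part key and reports keys that resolve to more than one result type. The sample rules and the type names in them are constructed for the example and do not reproduce the actual conflict.

```python
"""Find conflicting name-based type transitions in SELinux CIL text (added example)."""
import re
import sys
from collections import defaultdict

# One CIL rule: (typetransition SRC TGT CLASS ["NAME"] RESULT).  Tokens never
# contain whitespace or parentheses; the file name, when present, is quoted.
_RULE = re.compile(
    r'\(\s*typetransition\s+'
    r'([^\s()]+)\s+([^\s()]+)\s+([^\s()]+)\s+'
    r'(?:"([^"]*)"\s+)?'
    r'([^\s()]+)\s*\)'
)

# Constructed sample: two rules disagree on the result for the same key,
# one pair is a harmless exact duplicate, and one rule carries no name.
SAMPLE_CIL = """
(typetransition container_t container_var_lib_t dir "overlay" container_ro_file_t)
(typetransition container_t container_var_lib_t dir "overlay" container_file_t)
(typetransition container_t tmp_t file "scratch" container_tmp_t)
(typetransition container_t tmp_t file "scratch" container_tmp_t)
(typetransition container_t var_t dir container_var_t)
"""


def parse_typetransitions(cil_text):
    """Return (src, tgt, cls, name, result) tuples; name is None for unnamed rules."""
    return [m.groups() for m in _RULE.finditer(cil_text)]


def find_conflicts(cil_text):
    """Map each (src, tgt, cls, name) that resolves to more than one distinct
    result type to the sorted list of those results.  Unnamed transitions are
    skipped: the compiler's conflict check concerns name-based rules only.
    Exact duplicates (same result) are not conflicts."""
    by_key = defaultdict(set)
    for src, tgt, cls, name, result in parse_typetransitions(cil_text):
        if name is None:
            continue
        by_key[(src, tgt, cls, name)].add(result)
    return {key: sorted(results) for key, results in by_key.items() if len(results) > 1}


if __name__ == "__main__":
    # Pass a CIL file path to scan it; with no argument the constructed sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CIL
    for (src, tgt, cls, name), results in find_conflicts(text).items():
        print(f"conflict: {src} {tgt}:{cls} name={name!r} -> {', '.join(results)}")
```

The path in the error refers to the compiler's temporary copy of the module (`.../tmp/modules/200/container/cil`), so the line number it reports points into the CIL that was being compiled at that moment; running this check over that text shows which pair of rules the compiler objected to, rather than only the second one it reached.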

Comment 4 Daniel Walsh 2020-02-03 14:26:19 UTC
container-selinux should NOT be a hard dependency for podman, this forces the pulling of selinux-policy into containers that import Podman.  It should only be a recommends.