Bug 1797574

+++ This bug was initially created as a clone of Bug #1778612 +++

When upgrading to or reinstalling selinux-policy-3.14.5-18.fc32, RPM prints this warning:

Conflicting name type transition rules
Binary policy creation failed at /var/lib/selinux/targeted/tmp/modules/200/container/cil:1293
Failed to generate binary
semodule:  Failed!

--- Additional comment from Adrian Reber on 2019-12-02 13:38:08 GMT ---

I see the same on a RHEL 8 system installing container-selinux-2.116-1.module+el8.2.0+4456+e1e0d171.noarch.rpm

--- Additional comment from Ed Santiago on 2019-12-12 12:37:37 GMT ---

Seeing the same on fc30, selinux-policy-targeted-3.14.3-52.fc30 -> selinux-policy-targeted-3.14.3-53.fc30.noarch

   Running scriptlet: selinux-policy-targeted-3.14.3-53.fc30.noarch         3/32
   Conflicting name type transition rules
   Binary policy creation failed at /var/lib/selinux/targeted/tmp/modules/200/container/cil:1784
   Failed to generate binary
   /usr/sbin/semodule:  Failed!

/var/log/audit/audit.log:

   type=AVC msg=audit(1576153530.565:733284): avc:  denied  { mac_admin } for  pid=16970 comm="restorecon" capability=33 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=capability2 permissive=0

--- Additional comment from Jindrich Novy on 2019-12-12 16:17:59 GMT ---

We might wanna apply https://github.com/containers/container-selinux/commit/0b25a4a5f05e1810f6bbeffcc40d89c3db5d2a30 to the spec to see whether it fixes the problem. It currently works well in RHEL.

--- Additional comment from Daniel Walsh on 2019-12-12 23:54:55 GMT ---

Yes we want this, but I believe we already have this in Rawhide,  if I am mistaken please make the change.

--- Additional comment from Quentin Armitage on 2019-12-23 12:09:59 GMT ---

I have just done a fresh install of fc31 followed by dnf upgrade and experienced the same problems; it also stopped some other packages upgrading properly. The original version on the system of container-selinux was 2.117.0-1.gitbfde70a and I got the same problems regardless of whether I excluded container-selinux from the dnf upgrade or not. The upgraded version is 2.123.0-2.

I built container-selinux 2.123.0-2 incorporating commits c36566 and cf0837 from https://src.fedoraproject.org/rpms/container-selinux/commits/master, and installing the new rpm before doing the dnf upgrade resolved the problems.

Would it be possible to merge the two commits mentioned above into the f30 and f31 branches.

--- Additional comment from Jindrich Novy on 2019-12-23 13:19:32 GMT ---

Ok, the changes are present in rawhide and applied the same to F31.

--- Additional comment from Fedora Update System on 2019-12-23 13:23:10 GMT ---

FEDORA-2019-e49b4789f6 has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2019-e49b4789f6

-----

I see a similar error in RHEL 8.2 when reinstalling selinux-policy-3.14.3-38.el8:

Conflicting name type transition rules
Binary policy creation failed at /var/lib/selinux/targeted/tmp/modules/200/container/cil:1657
Failed to generate binary
semodule:  Failed!

I have installed:

# rpm -qa |grep selinux
libselinux-2.9-3.el8.x86_64
libselinux-devel-2.9-3.el8.x86_64
libselinux-utils-2.9-3.el8.x86_64
python3-libselinux-2.9-3.el8.x86_64
rpm-plugin-selinux-4.14.2-36.el8.x86_64
selinux-policy-targeted-3.14.3-38.el8.noarch
selinux-policy-3.14.3-38.el8.noarch

Please note that I have expand-check=0 (bug #1669092).