Bug 1895583

Summary: Erratum RHBA-2020:4969 is of no help when upgrading partially RHEL 8.2 systems
Product: Red Hat Enterprise Linux 8
Reporter: Renaud Métrich <rmetrich>
Component: fapolicyd
Assignee: Radovan Sroka <rsroka>
Status: CLOSED CURRENTRELEASE
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: urgent
Priority: urgent
Version: 8.3
CC: cww, dapospis, lvrabec, qguo, rmullett, rsroka, tscherf
Target Milestone: rc
Keywords: Regression, Triaged, ZStream
Target Release: 8.0
Hardware: All
OS: Linux
Doc Type: No Doc Update
Last Closed: 2021-01-05 14:55:22 UTC
Type: Bug
Bug Blocks: 1906472, 1906473, 1906474

Description Renaud Métrich 2020-11-07 09:51:12 UTC
Description of problem:

This BZ is to make everybody aware that applying fapolicyd erratum RHBA-2020:4969 (https://access.redhat.com/errata/RHBA-2020:4969) won't help upgrading RHEL 8.2 systems partially, e.g. when applying security patches only:

-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
# rpm -q fapolicyd
fapolicyd-0.9.1-4.el8.x86_64

# yum -y update --security
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

The command will upgrade systemd and cryptsetup-libs to 8.3 level and provoke a system crash, leading to system corruption and a "systemd: Freezing execution" state after reboot.

We need to make sure that fapolicyd gets automatically updated to fapolicyd-1.0-3.el8_3.2 when applying security fixes.


Version-Release number of selected component (if applicable):

fapolicyd-0.9.1-4.el8.x86_64


How reproducible:

ALWAYS


Steps to Reproduce:
1. Verify fapolicyd-0.9.1-4.el8.x86_64 is installed and fapolicyd is active

2. Partially update the system

  -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
  # yum -y update systemd cryptsetup-libs
  -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

  or issue

  -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
  # yum -y update --security
  -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------


Actual results:

  CRASH, then freeze upon reboot

  -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
  [  !!  ] Failed to execute /sbin/init
  [!!!!!!] Failed to execute fallback shell, freezing.
  -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------  

Expected results:

  fapolicyd updated as well to avoid the crash

Comment 1 Renaud Métrich 2020-11-07 09:56:20 UTC
KCS https://access.redhat.com/solutions/5542661 has a "safe upgrade" procedure.

Comment 2 Renaud Métrich 2020-11-09 07:49:17 UTC
Additionally, the erratum doesn't install properly on 8.1 systems when an upgrade from 8.1 to 8.3 is issued.

The fapolicyd service fails, which hopefully enables upgrading "safely":
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
Job for fapolicyd.service failed because the control process exited with error code.
See "systemctl status fapolicyd.service" and "journalctl -xe" for details.
error: %pretrans(fapolicyd-1.0-3.el8_3.2.x86_64) scriptlet failed, exit status 1

[...]

  Running scriptlet: fapolicyd-selinux-1.0-3.el8_3.2.noarch                                                   231/556 
error: fapolicyd-1.0-3.el8_3.2.x86_64: install skipped

error: fapolicyd-0.8.10-3.el8_1.3.x86_64: erase skipped

[...]

Failed:
  fapolicyd-1.0-3.el8_3.2.x86_64                           fapolicyd-0.8.10-3.el8_1.3.x86_64                          

Error: Transaction failed
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------


This happens because the rule is not compatible with older 8.1:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
fapolicyd[8340]: Field type (perm) is unknown in line 1
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

To recover, the admin must update the package again (it remains at 8.1 level):
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
# yum -y update fapolicyd
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Finally, he must reset the "failed state":
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
# systemctl reset-failed fapolicyd
# systemctl restart fapolicyd
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
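
An added pre-flight check, not part of the bug report or of fapolicyd: it flags the partial update described above, where systemd or cryptsetup-libs is updated while an active fapolicyd older than fapolicyd-1.0-3.el8_3.2 stays behind. The function names, the "block"/"ok" verdicts and the use of `sort -V` to approximate RPM version ordering are assumptions of this example; it does not model the 8.1 scriptlet failure from Comment 2.

```shell
#!/bin/sh
# Added example: pre-flight guard for partial updates on hosts running fapolicyd.
# FIXED_EVR is the fixed build named in the bug report.
FIXED_EVR="1.0-3.el8_3.2"

# Convert "rpm -q" output to version-release:
# "fapolicyd-0.9.1-4.el8.x86_64" -> "0.9.1-4.el8"
nvra_to_evr() {
    evr="${1#fapolicyd-}"
    printf '%s\n' "${evr%.*}"
}

# Succeeds if version-release $1 sorts strictly before $2.
# Assumption: GNU "sort -V" is close enough to rpm ordering for these builds.
evr_older_than() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# partial_update_risk NVRA STATE PKG...
# Prints "block" when an active, pre-fix fapolicyd would be left behind by a
# transaction that updates systemd or cryptsetup-libs; prints "ok" otherwise.
partial_update_risk() {
    nvra="$1"; state="$2"; shift 2
    [ -n "$nvra" ] && [ "$state" = "active" ] || { echo ok; return; }
    evr_older_than "$(nvra_to_evr "$nvra")" "$FIXED_EVR" || { echo ok; return; }
    touches=no; has_fapolicyd=no
    for pkg in "$@"; do
        case "$pkg" in
            systemd|cryptsetup-libs) touches=yes ;;
            fapolicyd) has_fapolicyd=yes ;;
        esac
    done
    if [ "$touches" = yes ] && [ "$has_fapolicyd" = no ]; then
        echo block
    else
        echo ok
    fi
}

# Live use: pass the packages you intend to update, e.g.
#   ./preflight.sh systemd cryptsetup-libs
if [ "$#" -gt 0 ]; then
    nvra="$(rpm -q fapolicyd 2>/dev/null)" || nvra=""   # empty when not installed
    state="$(systemctl is-active fapolicyd 2>/dev/null)"
    verdict="$(partial_update_risk "$nvra" "$state" "$@")"
    echo "fapolicyd pre-flight: $verdict"
    [ "$verdict" = ok ] || exit 1
fi
```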