Bug 2042520
| Summary: | Podman run stopped working after selinux-policy package upgrade | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Mateusz Mojsiejuk <tomodachi> |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | CLOSED DUPLICATE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | high | ||
| Version: | 35 | CC: | alessandro.bruni, dwalsh, grepl.miroslav, lprosseda, lvrabec, mathieu-acct, mmalik, omosnace, pkoncity, vmojzis, zpytela |
| Target Milestone: | --- | Keywords: | Triaged |
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2022-01-21 09:54:11 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
This seems to affect other Things depending on selinux as well. For example flatpak upgrade failed with: Warning: Failed to get revokefs-fuse socket from system-helper: Could not activate remote peer. Warning: Could not activate remote peer. Warning: Failed to get revokefs-fuse socket from system-helper: Could not activate remote peer. Error: Could not activate remote peer. Warning: Failed to get revokefs-fuse socket from system-helper: Could not activate remote peer. Warning: Could not activate remote peer. Warning: Failed to get revokefs-fuse socket from system-helper: Could not activate remote peer. Error: Could not activate remote peer. When Selinux was disabled it worked again Please update to selinux-policy-35.11-1 and let me know if the problems persist. I can confirm this fixes the issue for me (downloaded from the koji build server as packages are not yet available on repos) @Alessandro Bruni Hi, may I ask you to describe the procedure you attempted to obtain and install the RPM package selinux-policy-35.11-1 from the Koji build system website? I tried to get the 'noarch' variant directly ay the URL https://kojipkgs.fedoraproject.org//packages/selinux-policy/35.11/1.fc35/noarch/selinux-policy-35.11-1.fc35.noarch.rpm, then I launched dnf to install it with the following command: dnf install ./selinux-policy-35.11-1.fc35.noarch.rpm However, the installation fails on a missing dependency, that I am not able to find on the Koji website, nor on the testing repositories for Fedora: Error: Problem: conflicting requests - nothing provides selinux-policy-any = 35.11-1.fc35 needed by selinux-policy-35.11-1.fc35.noarch (try to add '--skip-broken' to skip uninstallable packages) Thanks for the patience, I'm sure it will be useful to others to find a quick solution down here. Run rpm -qa selinux-policy* on your system and it'll tell you which others you need. Most likely targeted and another one I can't remember on top of my head. Files are here https://koji.fedoraproject.org/koji/buildinfo?buildID=1879547 (In reply to Mathieu Chouquet-Stringer from comment #5) > Run rpm -qa selinux-policy* on your system and it'll tell you which others > you need. > > Most likely targeted and another one I can't remember on top of my head. > > Files are here https://koji.fedoraproject.org/koji/buildinfo?buildID=1879547 By running the command you showed me, I see that I have the following packages installed: selinux-policy-35.10-1.fc35.noarch selinux-policy-targeted-35.10-1.fc35.noarch However, dnf and also rpm commands refuse to install both RPMs, because selinux-policy-targeted depends on selinux-policy, and selinux-policy depends on the "bogus" selinux-policy-any that I cannot get from anywhere. # dnf install ./selinux-policy-targeted-35.11-1.fc35.noarch.rpm Error: Problem: conflicting requests - nothing provides selinux-policy = 35.11-1.fc35 needed by selinux-policy-targeted-35.11-1.fc35.noarch (try to add '--skip-broken' to skip uninstallable packages) # dnf install ./selinux-policy-35.11-1.fc35.noarch.rpm Error: Problem: conflicting requests - nothing provides selinux-policy-any = 35.11-1.fc35 needed by selinux-policy-35.11-1.fc35.noarch (try to add '--skip-broken' to skip uninstallable packages) I can assume, based on the answers given above, that I'm the only one stuck on a dependency like this. You need to upgrade both at the same time, that's the only way to solve dependencies. IF package A depends on B and B on A..if you try to install A or B separately, that's not going to work. dnf upgrade selinux-policy*35.11* And you can see selinux-policy-targeted is provided the "any" package by running rpm -qp --provides selinux-policy-targeted-35.11-1.fc35.noarch.rpm. The way it works is selinux-policy requires a policy, because there are multiple ones, the policy packages provides the "any" policy so selinux-policy is happy... For instance selinux-policy-minimum also provides "any": %rpm -qp --provides selinux-policy-minimum-35.11-1.fc35.noarch.rpm config(selinux-policy-minimum) = 35.11-1.fc35 selinux-policy-any = 35.11-1.fc35 selinux-policy-minimum = 35.11-1.fc35 (In reply to Mathieu Chouquet-Stringer from comment #8) That makes sense and moreover it works as you described: (from the directory where I dowloaded both RPMs) # dnf upgrade selinux-policy*35.11* Dependencies resolved. =============================================================================================================================================================== Package Architecture Version Repository Size =============================================================================================================================================================== Upgrading: selinux-policy noarch 35.11-1.fc35 @commandline 70 k selinux-policy-targeted noarch 35.11-1.fc35 @commandline 6.4 M Transaction Summary =============================================================================================================================================================== Upgrade 2 Packages Total size: 6.4 M Is this ok [y/N]: After the installation I was able to run containers as root and non-root users: # podman run hello-world:latest Hello from Docker! Thanks @mathieu-acct for explaining the use of dnf package manager with local dependant RPMs I found that running sudo dnf downgrade selinux-policy rolling back to the previous version alleviated the issue until a fix / update hits the mirrors. @zpytela After installing the selinux-policy-35.11-1 the problem is fixed Thanks! I believe any problems like this should be resolved with selinux-policy-35.11-1.fc35 or newer. Downgrading to selinux-policy-35.9-1.fc35 is also a possible approach. I am going to close this BZ now, please let me know again or create a new bz in case of outstanding problems. *** This bug has been marked as a duplicate of bug 2042369 *** |
Description of problem: After doing a sudo dnf upgrade I'm no longer able to build or run containers with podman Disabling selinux alleviates the issue. Version-Release number of selected component (if applicable): How reproducible: 100% Steps to Reproduce: 1. podman run -ti ubuntu:latest echo "hello world" 2. Empty output Actual results: (no output is give it just exits to shell cleanly with 0 as exit code) Expected results: tomodachi@delacroix ~ $ podman run -ti ubuntu:latest echo "hello world" hello world Additional info: dnf history of upgraded packages that I suspect are the culprits. plz also check the scriptlet output error seen below. =============== Upgrade selinux-policy-35.10-1.fc35.noarch @updates Upgraded selinux-policy-35.9-1.fc35.noarch @@System Upgrade selinux-policy-targeted-35.10-1.fc35.noarch @updates Upgraded selinux-policy-targeted-35.9-1.fc35.noarch @@System Upgrade strace-5.16-1.fc35.x86_64 @updates Upgraded strace-5.15-1.fc35.x86_64 @@System Scriptlet output: 1 Problems processing filecon rules 2 Failed post db handling 3 Post process failed 4 /usr/sbin/semodule: Failed! ====== tomodachi@delacroix ~ $ uname -a Linux delacroix 5.15.14-200.fc35.x86_64 #1 SMP Tue Jan 11 16:49:27 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux