Bug 2051012
| Summary: | [RHEL 9 Beta] can't update flatpak with "error: Plugin selinux: hook fsm_file_prepare failed". | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 9 | Reporter: | rcheerla |
| Component: | flatpak | Assignee: | Debarshi Ray <debarshir> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Martin Krajnak <mkrajnak> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 9.0 | CC: | cww, jcastran, maros, ossman, peter.hutterer, pizzadudedotca, pschindl, samuel, sbarcomb, tpelka, tpopela, zpytela |
| Target Milestone: | rc | Flags: | pm-rhel:
mirror+
|
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http// | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2022-07-22 12:50:07 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 2010412 | ||
|
Description
rcheerla
2022-02-05 18:20:35 UTC
Hello Team, I am suspecting some issue with the selinux context causing this issue. Here is the complete error report. ~~~~~~~~~ Failed to resolve allow statement at /var/lib/selinux/targeted/tmp/modules/200/container/cil:373 Failed to resolve AST /usr/sbin/semodule: Failed! Failed to resolve allow statement at /var/lib/selinux/targeted/tmp/modules/200/container/cil:373 Failed to resolve AST /usr/sbin/semodule: Failed! Failed to resolve allow statement at /var/lib/selinux/targeted/tmp/modules/200/container/cil:373 Failed to resolve AST /usr/sbin/semodule: Failed! Running scriptlet: flatpak-1.10.7-1.el9.x86_64 319/902 Upgrading : flatpak-1.10.7-1.el9.x86_64 319/902 error: lsetfilecon: (/usr/libexec/flatpak-system-helper;61fe3cc4, system_u:object_r:flatpak_helper_exec_t:s0) Invalid argument error: Plugin selinux: hook fsm_file_prepare failed Error unpacking rpm package flatpak-1.10.7-1.el9.x86_64 Upgrading : python3-libcomps-0.1.18-1.el9.x86_64 320/902 error: unpacking of archive failed on file /usr/libexec/flatpak-system-helper;61fe3cc4: cpio: (error 0x2) error: flatpak-1.10.7-1.el9.x86_64: install failed ***** Running transaction Preparing : 1/1 Running scriptlet: flatpak-1.10.7-1.el9.x86_64 1/2 Upgrading : flatpak-1.10.7-1.el9.x86_64 1/2 error: lsetfilecon: (/usr/libexec/flatpak-system-helper;61fea86c, system_u:object_r:flatpak_helper_exec_t:s0) Invalid argument error: Plugin selinux: hook fsm_file_prepare failed Error unpacking rpm package flatpak-1.10.7-1.el9.x86_64 Verifying : flatpak-1.10.7-1.el9.x86_64 1/2 Verifying : flatpak-1.10.2-6.el9.x86_64 2/2 Installed products updated. Failed: flatpak-1.10.2-6.el9.x86_64 flatpak-1.10.7-1.el9.x86_64 Error: Transaction failed ~~~~~~~~~~ Still reproducible after removing the existing flatpak and trying to install it again. Regards, Raju Are you missing a selinux-policy update? This looks the same as what we recently saw in Fedora: https://bugzilla.redhat.com/show_bug.cgi?id=1871337#c4 Unfortunately, I don't understand SELinux enough to be able to comprehend the difference between selinux-policy-35.11-1.fc35 and selinux-policy-35.10-1.fc35 from Fedora's dist-git logs. (In reply to Debarshi Ray from comment #2) > Are you missing a selinux-policy update? Nope, It was updated to selinux-policy-34.1.23-1.el9.noarch from selinux-policy-34.1.16-1.el9_b.noarch In the latest nightly build I could see "selinux-policy-34.1.23-1.el9.noarch" is the latest one. Hey Zdenek! Do you have any idea about this? Does this bug really need to stay private? (In reply to Debarshi Ray from comment #4) > Hey Zdenek! Do you have any idea about this? Does this still happen with all packages updated? Were container-selinux or some other packages with their own selinux policy installed? $ rpm -qa "*selinux*" Just updated a test box that's been sitting unused for a while and trying to update from flatpak-1.10.2-6.el9.x86_64 to flatpak-1.10.7-1.el9.x86_64 fails with error: lsetfilecon: (/usr/libexec/flatpak-system-helper;6209eafb, system_u:object_r:flatpak_helper_exec_t:s0) Invalid argument error: Plugin selinux: hook fsm_file_prepare failed This is with all other packages successfully updated from http://download.devel.redhat.com/rhel-9/nightly/RHEL-9/latest-RHEL-9/ as of Feb 09 2022 $ rpm -qa "*selinux*" container-selinux-2.167.0-1.module+el9beta+12444+200de489.noarch libselinux-3.3-2.el9.x86_64 libselinux-utils-3.3-2.el9.x86_64 rpm-plugin-selinux-4.16.1.3-10.el9.x86_64 selinux-policy-34.1.24-1.el9.noarch selinux-policy-targeted-34.1.24-1.el9.noarch python3-libselinux-3.3-2.el9.x86_64 flatpak-selinux-1.10.7-1.el9.noarch Otherwise this is a pretty vanilla test box. hmm this is weird I am probably on the same list of packages, but my machine is active pretty much from early stages of RHEL9-ALPHA, I will try this on vanilla machine and let you guys know. $ rpm -qa "*selinux*" container-selinux-2.167.0-1.module+el9.0.0+12467+378c8264.noarch libselinux-3.3-2.el9.x86_64 libselinux-utils-3.3-2.el9.x86_64 python3-libselinux-3.3-2.el9.x86_64 tigervnc-selinux-1.11.0-20.el9.noarch libselinux-devel-3.3-2.el9.x86_64 flatpak-selinux-1.10.7-1.el9.noarch libselinux-debugsource-3.3-2.el9.x86_64 libselinux-debuginfo-3.3-2.el9.x86_64 rpm-plugin-selinux-4.16.1.3-10.el9.x86_64 selinux-policy-34.1.24-1.el9.noarch (In reply to Debarshi Ray from comment #5) > Does this bug really need to stay private? Nope I believe, if needed please make it public. (In reply to rcheerla from comment #9) > (In reply to Debarshi Ray from comment #5) > > Does this bug really need to stay private? > > Nope I believe, if needed please make it public. Ok, done. This bug is affecting us. It hits us right after a doing a dnf upgrade on fresh install of RHEL9 Beta. We are a RedHat partner and need to test our software on RHEL9 Beta before it goes GA. Uninstalling podman to get rid of container-selinux works as a workaround for the moment. Setting selinux to permissive also allows the update to complete. # setenforce 0 # yum update flatpak -y I have the same issue, but on Fedora 36 beta. We're still seeing issues with this on the RHEL 9 beta after installing upgrades. A freshly installed RHEL 9 beta VM works fine, but after running "dnf upgrade" the issues start happening. What's the status on this? And what can we do to work around the issue at the moment? Not being able to install updates is not very nice. I just installed the Beta compose RHEL-9.0.0-20211026.10 and I update all the way to RHEL-9.0.0-20220424.1, so the flatpak is updated as follows: flatpak-1.10.2-6.el9.x86_64 -> flatpak-1.12.5-2.el9_0.x86_64 and without errors. I believe that the error is harmless since we were deleting the fedora-repos.service file in meantime: Running scriptlet: flatpak-1.10.2-6.el9.x86_64 638/1218 Failed to set unit properties on flatpak-add-fedora-repos.service: Unit flatpak-add-fedora-repos.service not found So my guess is that we don't have other option that it will be Fixed in GA. Please correct me if I am wrong. I see the same issue on the proper Fedora 36 release as well. This seems to work on RHEL 9 GA. Has this been fixed and this bugzilla entry was overlooked? (In reply to Pierre Ossman from comment #18) > This seems to work on RHEL 9 GA. Has this been fixed and this bugzilla entry > was overlooked? Hello Pierre, we thought that it will be fixed as I mentioned in Comment 16 (I made it public just now), where I tested it with pre-GA builds, but at this bug is affected by customers I wanted to wait for confirmation. Thanks for providing one for us :). Closing as per https://bugzilla.redhat.com/show_bug.cgi?id=2051012#c19 Many thanks for mopping this one up, Tomáš! |