Bug 2059590

Summary: selinux-policy scriptlet fails during upgrade
Product: Red Hat Enterprise Linux 9
Reporter: Richard W.M. Jones <rjones>
Component: selinux-policy
Assignee: Zdenek Pytela <zpytela>
Status: CLOSED DUPLICATE
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: unspecified
Priority: unspecified
Version: 9.0
CC: lvrabec, mmalik, ssekidde
Target Milestone: rc
Flags: pm-rhel: mirror+
Hardware: Unspecified
OS: Unspecified
Doc Type: No Doc Update
Last Closed: 2022-03-01 17:25:07 UTC
Type: Bug

Description Richard W.M. Jones 2022-03-01 12:27:21 UTC
Description of problem:

  Upgrading        : selinux-policy-34.1.26-1.el9.noarch                115/663 
  Running scriptlet: selinux-policy-34.1.26-1.el9.noarch                115/663 
Failed to resolve allow statement at /var/lib/selinux/targeted/tmp/modules/200/container/cil:373
Failed to resolve AST
/usr/sbin/semodule:  Failed!

Version-Release number of selected component (if applicable):

old: selinux-policy-34.1.22-1.el9.noarch
new: selinux-policy-34.1.26-1.el9.noarch

How reproducible:

?

Steps to Reproduce:
1. Install selinux-policy-34.1.22-1.el9.noarch
2. Upgrade to selinux-policy-34.1.26-1.el9.noarch

Actual results:

See above.

Additional info:

It doesn't appear to have any negative effect on the machine
after the upgrade.  I have SELinux enforcing and nothing
appears to be broken.

Comment 1 Richard W.M. Jones 2022-03-01 12:29:50 UTC
# rpm -qf /var/lib/selinux/targeted/tmp/modules/200/container/cil
file /var/lib/selinux/targeted/tmp/modules/200/container/cil is not owned by any package

# ls -l
total 48
-rw-------. 1 root root 14570 Mar  1 12:20 cil
-rw-------. 1 root root 25176 Mar  1 12:20 hll
-rw-------. 1 root root     2 Mar  1 12:20 lang_ext

Comment 2 Zdenek Pytela 2022-03-01 15:02:42 UTC
Richard,

What is the container-selinux package version?

This is the latest one: container-selinux-2.178.0-1.el9

Comment 3 Richard W.M. Jones 2022-03-01 16:49:56 UTC
Currently installed is:

$ rpm -q container-selinux
container-selinux-2.167.0-1.module+el9beta+12444+200de489.noarch

Looking through the dnf logs, that package has not been touched at
all (neither installed nor upgraded) since the logs started on
2022-01-07.  Logs older than that have been rotated away.

I'm not sure how I ended up with that package installed originally.

Comment 4 Zdenek Pytela 2022-03-01 17:25:07 UTC
Please update to the latest version of container-selinux.

*** This bug has been marked as a duplicate of bug 2039050 ***