Bug 2071206

Summary: Binary policy creation failed at /var/lib/selinux/targeted/tmp/modules/200/container/cil:1786
Product: [Fedora] Fedora Reporter: Knut J BJuland <knutjbj>
Component: osbuildAssignee: Ondřej Budai <obudai>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: high    
Version: 36CC: akoutsou, ckellner, dwalsh, fzdarsky, grepl.miroslav, lemonzest, lueberni, lvrabec, mmalik, obudai, omosnace, osbuilders, pkoncity, ssteinbe, tgunders, tlavocat, user-cont-team+packit-fas, vmojzis, zpytela
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: osbuild-54-2.fc35 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-04-26 07:30:31 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2056303    

Description Knut J BJuland 2022-04-02 07:20:08 UTC 
Description of problem:
Running transaction
  Preparing        :                                                                                                                  1/1 
  Running scriptlet: container-selinux-2:2.181.0-1.fc36.noarch                                                                        1/2 
  Reinstalling     : container-selinux-2:2.181.0-1.fc36.noarch                                                                        1/2 
  Running scriptlet: container-selinux-2:2.181.0-1.fc36.noarch                                                                        1/2 
Failed to resolve allow statement at /var/lib/selinux/targeted/tmp/modules/200/osbuild/cil:127
Failed to resolve AST
/usr/sbin/semodule:  Failed!
/etc/selinux/targeted/contexts/files/file_contexts:  invalid context system_u:object_r:container_var_lib_t:s0

Failed to resolve allow statement at /var/lib/selinux/targeted/tmp/modules/200/container/cil:1265
Failed to resolve AST
semodule:  Failed!

  Running scriptlet: container-selinux-2:2.181.0-1.fc36.noarch                                                                        2/2 
Failed to resolve allow statement at /var/lib/selinux/targeted/tmp/modules/200/container/cil:1265
Failed to resolve AST
semodule:  Failed!


Version-Release number of selected component (if applicable):


How reproducible:

eevery time

Steps to Reproduce:
1. sudo dnf -y reinstall container-selinux
2.
3.

Actual results:
Failed to resolve allow statement at /var/lib/selinux/targeted/tmp/modules/200/osbuild/cil:127
Failed to resolve AST
/usr/sbin/semodule:  Failed!
/etc/selinux/targeted/contexts/files/file_contexts:  invalid context system_u:object_r:container_var_lib_t:s0

Failed to resolve allow statement at /var/lib/selinux/targeted/tmp/modules/200/container/cil:1265
Failed to resolve AST
semodule:  Failed!

  Running scriptlet: container-selinux-2:2.181.0-1.fc36.noarch                           

Expected results:

reinstall
Additional info:

sudo dnf update

Running transaction
  Preparing        :                                                                                                                  1/1 
  Running scriptlet: osbuild-53-1.fc36.noarch                                                                                        1/24 
  Upgrading        : osbuild-53-1.fc36.noarch                                                                                        1/24 
error: lsetfilecon: (/usr/bin/osbuild;6247f8f4, system_u:object_r:osbuild_exec_t:s0) Invalid argument
error: Plugin selinux: hook fsm_file_prepare failed

Error unpacking rpm package osbuild-53-1.fc36.noarch
  Upgrading        : crun-1.4.4-1.fc36.x86_64                                                                                        2/24 
error: unpacking of archive failed on file /usr/bin/osbuild;6247f8f4: cpio: (error 0x2)
error: osbuild-53-1.fc36.noarch: install failed
error: lsetfilecon: (/usr/bin/crun;6247f8f4, system_u:object_r:container_runtime_exec_t:s0) Invalid argument
error: Plugin selinux: hook fsm_file_prepare failed

Error unpacking rpm package crun-1.4.4-1.fc36.x86_64
  Upgrading        : containers-common-4:1-53.fc36.noarch                                                                            3/24 
error: unpacking of archive failed on file /usr/bin/crun;6247f8f4: cpio: (error 0x2)
error: crun-1.4.4-1.fc36.x86_64: install failed
error: lsetfilecon: (/var/lib/containers/sigstore, system_u:object_r:container_var_lib_t:s0) Invalid argument
error: Plugin selinux: hook fsm_file_prepare failed

Error unpacking rpm package containers-common-4:1-53.fc36.noarch
  Upgrading        : conmon-2:2.1.0-2.fc36.x86_64                                                                                    4/24 
error: unpacking of archive failed on file /var/lib/containers/sigstore: cpio: (error 0x2)
error: containers-common-4:1-53.fc36.noarch: install failed
error: lsetfilecon: (/usr/bin/conmon;6247f8f4, system_u:object_r:conmon_exec_t:s0) Invalid argument
error: Plugin selinux: hook fsm_file_prepare failed

Error unpacking rpm package conmon-2:2.1.0-2.fc36.x86_64
  Upgrading        : podman-3:4.0.2-1.fc36.x86_64                                                                                    5/24 
error: unpacking of archive failed on file /usr/bin/conmon;6247f8f4: cpio: (error 0x2)
error: conmon-2:2.1.0-2.fc36.x86_64: install failed
error: lsetfilecon: (/usr/bin/podman;6247f8f4, system_u:object_r:container_runtime_exec_t:s0) Invalid argument
error: Plugin selinux: hook fsm_file_prepare failed

Error unpacking rpm package podman-3:4.0.2-1.fc36.x86_64
  Upgrading        : osbuild-luks2-53-1.fc36.noarch                                                                                  6/24 
error: unpacking of archive failed on file /usr/bin/podman;6247f8f4: cpio: (error 0x2)
error: podman-3:4.0.2-1.fc36.x86_64: install failed
error: lsetfilecon: (/usr/lib/osbuild/stages/org.osbuild.crypttab;6247f8f4, system_u:object_r:osbuild_exec_t:s0) Invalid argument
error: Plugin selinux: hook fsm_file_prepare failed

Error unpacking rpm package osbuild-luks2-53-1.fc36.noarch
  Upgrading        : osbuild-lvm2-53-1.fc36.noarch                                                                                   7/24 
error: unpacking of archive failed on file /usr/lib/osbuild/stages/org.osbuild.crypttab;6247f8f4: cpio: (error 0x2)
error: osbuild-luks2-53-1.fc36.noarch: install failed
error: lsetfilecon: (/usr/lib/osbuild/stages/org.osbuild.lvm2.create;6247f8f4, system_u:object_r:osbuild_exec_t:s0) Invalid argument
error: Plugin selinux: hook fsm_file_prepare failed

Error unpacking rpm package osbuild-lvm2-53-1.fc36.noarch
  Upgrading        : osbuild-ostree-53-1.fc36.noarch                                                                                 8/24 
error: unpacking of archive failed on file /usr/lib/osbuild/stages/org.osbuild.lvm2.create;6247f8f4: cpio: (error 0x2)
error: osbuild-lvm2-53-1.fc36.noarch: install failed
error: lsetfilecon: (/usr/lib/osbuild/assemblers/org.osbuild.ostree.commit;6247f8f4, system_u:object_r:osbuild_exec_t:s0) Invalid argument
error: Plugin selinux: hook fsm_file_prepare failed

Error unpacking rpm package osbuild-ostree-53-1.fc36.noarch
  Upgrading        : runc-2:1.1.1-1.fc36.x86_64                                                                                      9/24 
error: unpacking of archive failed on file /usr/lib/osbuild/assemblers/org.osbuild.ostree.commit;6247f8f4: cpio: (error 0x2)
error: osbuild-ostree-53-1.fc36.noarch: install failed
error: lsetfilecon: (/usr/bin/runc;6247f8f4, system_u:object_r:container_runtime_exec_t:s0) Invalid argument
error: Plugin selinux: hook fsm_file_prepare failed

Error unpacking rpm package runc-2:1.1.1-1.fc36.x86_64
  Upgrading        : swtpm-0.7.2-1.20220307git21c90c1.fc36.x86_64                                                                   10/24 
error: unpacking of archive failed on file /usr/bin/runc;6247f8f4: cpio: (error 0x2)
error: runc-2:1.1.1-1.fc36.x86_64: install failed
error: lsetfilecon: (/usr/bin/swtpm;6247f8f4, system_u:object_r:swtpm_exec_t:s0) Invalid argument
error: Plugin selinux: hook fsm_file_prepare failed

Error unpacking rpm package swtpm-0.7.2-1.20220307git21c90c1.fc36.x86_64
  Upgrading        : snapd-2.54.4-1.fc36.x86_64                                                                                     11/24 
error: unpacking of archive failed on file /usr/bin/swtpm;6247f8f4: cpio: (error 0x2)
error: swtpm-0.7.2-1.20220307git21c90c1.fc36.x86_64: install failed
error: lsetfilecon: (/etc/sysconfig/snapd;6247f8f4, system_u:object_r:snappy_config_t:s0) Invalid argument
error: Plugin selinux: hook fsm_file_prepare failed

Error unpacking rpm package snapd-2.54.4-1.fc36.x86_64
Comment 1 Zdenek Pytela 2022-04-04 09:04:27 UTC 
Knut,

Can you list all installed custom modules?

  # semodule -lfull | grep -v ^100
  # rpm -qa "*-selinux"

Did you make some customizations to the SELinux policy?
Comment 2 Simon Putt 2022-04-05 09:45:52 UTC 
https://bugzilla.redhat.com/show_bug.cgi?id=2071939

Same issue I'm having here
Comment 3 Simon Putt 2022-04-05 10:09:11 UTC 
[    9.756776] SELinux:  Context system_u:object_r:container_unit_file_t:s0 is not valid (left unmapped).
[   33.125507] SELinux:  Context system_u:object_r:container_var_lib_t:s0 is not valid (left unmapped).
[   33.213093] SELinux:  Context system_u:object_r:container_runtime_exec_t:s0 is not valid (left unmapped).
[   33.439133] SELinux:  Context system_u:object_r:tabrmd_exec_t:s0 is not valid (left unmapped).
[  161.776462] SELinux:  Context system_u:object_r:flatpak_helper_exec_t:s0 is not valid (left unmapped).
[  161.945236] SELinux:  Context system_u:object_r:vnc_session_exec_t:s0 is not valid (left unmapped).
[  194.716357] SELinux:  Context system_u:object_r:container_log_t:s0 is not valid (left unmapped).
[  287.313712] SELinux:  Context unconfined_u:object_r:vnc_home_t:s0 is not valid (left unmapped).
[ 1518.845746] SELinux:  Context system_u:object_r:conmon_exec_t:s0 is not valid (left unmapped).
[ 1518.849016] SELinux:  Context system_u:object_r:swtpm_exec_t:s0 is not valid (left unmapped).
[ 1518.850845] SELinux:  Context system_u:object_r:osbuild_exec_t:s0 is not valid (left unmapped).
[ 1584.971276] SELinux:  Context system_u:object_r:container_config_t:s0 is not valid (left unmapped).
Comment 4 Knut J BJuland 2022-04-08 09:18:23 UTC 
I removed podman. When I reinstalled I got this error.

 Running scriptlet: container-selinux-2:2.181.0-2.fc36.noarch                                                                    1/15 
libsepol.context_from_record: type insights_client_var_lib_t is not defined
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert system_u:object_r:insights_client_var_lib_t:s0 to sid
invalid context system_u:object_r:insights_client_var_lib_t:s0
Failed to commit changes to booleans: Success
Failed to resolve allow statement at /var/lib/selinux/targeted/tmp/modules/200/osbuild/cil:127
Failed to resolve AST
/usr/sbin/semodule:  Failed!

Failed to resolve allow statement at /var/lib/selinux/targeted/tmp/modules/200/container/cil:1265
Failed to resolve AST
semodule:  Failed!
Comment 5 Zdenek Pytela 2022-04-13 14:54:49 UTC 
Hi osbuild folks,

Every custom selinux module using directly or indirectly socket_class_set need to be rebuilt with

selinux-policy-35.17-1.fc35 
https://bodhi.fedoraproject.org/updates/FEDORA-2022-c5bee6b70f

selinux-policy-34.27-1.fc34
https://bodhi.fedoraproject.org/updates/FEDORA-2022-eaef082697

to ensure these classes are not in use:
- bridge_socket
- ib_socket
- mpls_socket

Please do so before F36 GA.
Comment 6 Ondřej Budai 2022-04-13 18:14:40 UTC 
Hello Zdeněk,

happy to do it but it firstly needs to be in buildroot, right? We did fresh builds today actually but they picked the old version, see:

- https://koji.fedoraproject.org/koji/rpminfo?rpmID=30078551
- https://koji.fedoraproject.org/koji/rpminfo?rpmID=30078533

Is buildroot override fine for selinux-policy, or do we have to wait until the selinux-policy updates reach stable? What do you prefer?

Thanks,
Ondřej
Comment 7 Knut J BJuland 2022-04-14 08:59:35 UTC 
sudo semodule -lfull | grep -v ^100
400 pcpupstream           pp          
400 pcpupstream-container pp          
200 cockpit               pp          
200 container             pp          
200 flatpak               pp          
200 ipa                   pp          
200 mysql                 pp          
200 osbuild               pp          
200 smartmon              pp          
200 snappy                pp          
200 swtpm                 pp          
200 swtpm_svirt           pp         

rpm -qa "*-selinux"
dnfdaemon-selinux-0.3.20-8.fc36.noarch
rpm-plugin-selinux-4.17.0-10.fc36.x86_64
freeipa-selinux-4.9.8-3.fc36.noarch
mysql-selinux-1.0.4-4.fc36.noarch
pcp-selinux-5.3.7-1.fc36.x86_64
smartmontools-selinux-7.3-2.fc36.noarch
snapd-selinux-2.55.3-1.fc36.noarch
cockpit-selinux-267-1.fc36.noarch
osbuild-selinux-54-1.fc36.noarch
flatpak-selinux-1.12.7-2.fc36.noarch

Selinux have been modify by nvidia packages from rpmfusion.
Comment 8 Zdenek Pytela 2022-04-14 09:09:43 UTC 
(In reply to Ondřej Budai from comment #6)
> Hello Zdeněk,
> 
> happy to do it but it firstly needs to be in buildroot, right? We did fresh
> builds today actually but they picked the old version, see:
> 
> - https://koji.fedoraproject.org/koji/rpminfo?rpmID=30078551
> - https://koji.fedoraproject.org/koji/rpminfo?rpmID=30078533
Hello Ondřej,

I can't see it in the output, but I suppose you are right, both selinux-policy updates are awaiting karma based on community testing. The F35 build is expected be okay as there are only a few changes after the previous build.

> Is buildroot override fine for selinux-policy, or do we have to wait until
> the selinux-policy updates reach stable? What do you prefer?
We need to find a balance between having it tested enough and reaching F36 before GA. At this moment I'm closer to the buildroot override.
Comment 9 Fedora Update System 2022-04-15 10:59:27 UTC 
FEDORA-2022-c5bee6b70f has been submitted as an update to Fedora 35. https://bodhi.fedoraproject.org/updates/FEDORA-2022-c5bee6b70f
Comment 10 Fedora Update System 2022-04-15 14:32:05 UTC 
FEDORA-2022-c5bee6b70f has been pushed to the Fedora 35 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2022-c5bee6b70f`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-c5bee6b70f

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Comment 11 Fedora Update System 2022-04-26 07:30:31 UTC 
FEDORA-2022-c5bee6b70f has been pushed to the Fedora 35 stable repository.
If problem still persists, please make note of it in this bug report.