Bug 2174592

Summary: rpmdb-migrate.service fails on upgrade to Fedora 38 due to SELinux denial
Product: [Fedora] Fedora Reporter: Adam Williamson <awilliam>
Component: selinux-policyAssignee: Zdenek Pytela <zpytela>
Status: CLOSED DUPLICATE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: unspecified    
Version: 38CC: dwalsh, lvrabec, mmalik, omosnacek, pkoncity, pmatilai, robatino, vmojzis, zpytela
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2023-03-01 22:28:49 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2083911, 2083912    

Description Adam Williamson 2023-03-01 22:25:42 UTC 
There's an openQA test which tests upgrades - it starts from a clean install of the Workstation edition of the previous release, then upgrades to the release under test. There's a follow-up test which checks that all services started successfully.

Since Fedora-38-20230218.n.0 that test has been failing for F38, because the service `rpmdb-migrate.service` fails. The logs show this:

Mar 01 05:31:11 fedora systemd[1]: Starting rpmdb-migrate.service - RPM database migration to /usr...
Mar 01 05:31:11 fedora systemd[1]: rpmdb-rebuild.service - RPM database rebuild was skipped because of an unmet condition check (ConditionPathExists=/usr/lib/sysimage/rpm/.rebuilddb).
Mar 01 05:31:11 fedora systemd[1]: systemd-pcrphase-sysinit.service - TPM2 PCR Barrier (Initialization) was skipped because of an unmet condition check (ConditionPathExists=/sys/firmware/efi/efivars/StubPcrKernelImage-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f).
Mar 01 05:31:11 fedora audit[600]: AVC avc:  denied  { map } for  pid=600 comm="rpmdb_migrate" path="/usr/bin/bash" dev="vda3" ino=194594 scontext=system_u:system_r:rpmdb_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
Mar 01 05:31:11 fedora audit[600]: ANOM_ABEND auid=4294967295 uid=0 gid=0 ses=4294967295 subj=system_u:system_r:rpmdb_t:s0 pid=600 comm="rpmdb_migrate" exe="/usr/bin/bash" sig=11 res=1
Mar 01 05:31:11 fedora audit: BPF prog-id=61 op=LOAD
Mar 01 05:31:11 fedora systemd[1]: Starting dbus-broker.service - D-Bus System Message Bus...
Mar 01 05:31:11 fedora systemd[1]: rpmdb-migrate.service: Main process exited, code=killed, status=11/SEGV
Mar 01 05:31:11 fedora systemd[1]: rpmdb-migrate.service: Failed with result 'signal'.
Mar 01 05:31:11 fedora systemd[1]: Failed to start rpmdb-migrate.service - RPM database migration to /usr.

that is, it seems to fail because the process crashes, which is likely caused by the SELinux denial:

Mar 01 05:31:11 fedora audit[600]: AVC avc:  denied  { map } for  pid=600 comm="rpmdb_migrate" path="/usr/bin/bash" dev="vda3" ino=194594 scontext=system_u:system_r:rpmdb_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0

Proposing as a Final blocker as a violation of Final criterion "All system services present after installation with one of the release-blocking package sets must start properly, unless they require hardware which is not present" together with Beta requirement "The upgraded system must meet all release criteria" - https://fedoraproject.org/wiki/Fedora_38_Beta_Release_Criteria#Upgrade_requirements and https://fedoraproject.org/wiki/Fedora_38_Final_Release_Criteria#System_services .
Comment 1 Adam Williamson 2023-03-01 22:26:15 UTC 
Also proposing as a Beta FE as it would be good to ensure this migration works correctly for upgrades performed during the Beta freeze.
Comment 2 Adam Williamson 2023-03-01 22:28:49 UTC 
Sorry, just noticed lruzicka already reported this.

*** This bug has been marked as a duplicate of bug 2173952 ***