Bug 2326348

Summary: Lots of "Could not set context for /var/lib/selinux/targeted/tmp/modules/...: Operation not supported" messages when building image mode images
Product: [Fedora] Fedora
Reporter: Jonathan Lebon <jlebon>
Component: libsemanage
Assignee: Vit Mojzis <vmojzis>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: unspecified
Version: rawhide
CC: dustymabe, dwalsh, lvrabec, mmalik, plautrba, vmojzis, walters
Hardware: Unspecified   
OS: Linux   
Last Closed: 2024-12-19 19:22:53 UTC

Description Jonathan Lebon 2024-11-14 20:24:21 UTC
To reproduce, build any tier for rawhide from the base-images repo (https://gitlab.com/fedora/bootc/base-images). E.g.:

```
$ podman build --security-opt=label=disable --cap-add=all   --device /dev/fuse -t quay.io/jlebon/fedora-bootc:tier-x . --build-arg MANIFEST=fedora-tier-x.yaml --from quay.io/fedora/fedora:rawhide
...
passt-selinux.post: Could not set context for /etc/selinux/targeted/tmp/modules/100/rtas/lang_ext:  Operation not supported
passt-selinux.post: Could not set context for /etc/selinux/targeted/tmp/modules/100/rtas:  Operation not supported
passt-selinux.post: Could not set context for /etc/selinux/targeted/tmp/modules/100/rtkit/cil:  Operation not supported
passt-selinux.post: Could not set context for /etc/selinux/targeted/tmp/modules/100/rtkit/hll:  Operation not supported
...
Could not set context for /etc/selinux/targeted/tmp/commit_num:  Operation not supported
Could not set context for /etc/selinux/targeted/tmp/file_contexts:  Operation not supported
Could not set context for /etc/selinux/targeted/tmp/file_contexts.homedirs:  Operation not supported
```

https://src.fedoraproject.org/rpms/selinux-policy/pull-request/480 fixed it for selinux-policy-targeted itself, but basically any package that installs SELinux modules would need to make the same change. As well, recompiling the policy (like rpm-ostree does during the compose) triggers the warnings, which I think overall argues for fixing the tooling itself to not warn.

See also https://gitlab.com/fedora/bootc/tracker/-/issues/45

Reproducible: Always

Comment 1 Jonathan Lebon 2024-11-14 20:26:54 UTC
Also, squashing stderr entirely means that meaningful errors can no longer be seen during the compose.
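
The point in Comment 1, as an added example that is not part of the original report or of libsemanage: instead of discarding stderr, drop only the relabel warnings whose error is "Operation not supported" and keep every other line. The line format is taken from the log excerpt in the description; the function name `filter_build_log`, the script name in the comment, and the `Permission denied` and `error:` sample lines are constructed for illustration.

```python
import re
import sys
from collections import Counter

# Line shape from the log excerpt in this report:
#   [<scriptlet>: ]Could not set context for <path>:  <error text>
RELABEL_RE = re.compile(
    r"^(?:(?P<scriptlet>\S+): )?Could not set context for "
    r"(?P<path>.+?):\s+(?P<err>.+)$"
)
BENIGN_ERR = "Operation not supported"  # the only error text this filter drops


def filter_build_log(lines):
    """Return (kept_lines, suppressed_counts_by_scriptlet).

    Relabel warnings failing with "Operation not supported" are counted and
    dropped. Everything else, including relabel failures with any other
    error text, is kept so real problems stay visible.
    """
    kept, suppressed = [], Counter()
    for raw in lines:
        line = raw.rstrip("\n")
        m = RELABEL_RE.match(line)
        if m and m.group("err").strip() == BENIGN_ERR:
            suppressed[m.group("scriptlet") or "(no scriptlet prefix)"] += 1
        else:
            kept.append(line)
    return kept, suppressed


# First three lines are copied from the report; the last two are constructed.
SAMPLE = [
    "passt-selinux.post: Could not set context for /etc/selinux/targeted/tmp/modules/100/rtas/lang_ext:  Operation not supported",
    "passt-selinux.post: Could not set context for /etc/selinux/targeted/tmp/modules/100/rtas:  Operation not supported",
    "Could not set context for /etc/selinux/targeted/tmp/commit_num:  Operation not supported",
    "example-selinux.post: Could not set context for /etc/selinux/targeted/tmp/example:  Permission denied",
    "error: constructed unrelated build failure",
]

if __name__ == "__main__":
    # Assumed usage: podman build ... 2>&1 | python3 filter_relabel.py
    kept, suppressed = filter_build_log(sys.stdin)
    print("\n".join(kept))
    for scriptlet, count in sorted(suppressed.items()):
        print(f"suppressed {count} relabel warning(s) from {scriptlet}",
              file=sys.stderr)
```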