Bug 1058222 - Fail during update to selinux-policy-3.12.1-119.fc20
Keywords:
Status: CLOSED DUPLICATE of bug 989094
Alias: None
Product: Fedora
Classification: Fedora
Component: freeipa
Version: 20
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: ---
Assignee: Rob Crittenden
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-01-27 09:29 UTC by David Spurek
Modified: 2015-03-02 05:28 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-01-28 07:53:24 UTC
Type: Bug
Embargoed:



Description David Spurek 2014-01-27 09:29:05 UTC
Description of problem:
Fail during update to selinux-policy-3.12.1-119.fc20

Updating   : selinux-policy-3.12.1-119.fc20.noarch                     22/532 
/etc/selinux/targeted/contexts/files/file_contexts: Multiple different specifications for /var/lib/ipa/pki-ca/publish(/.*)?  (system_u:object_r:pki_tomcat_cert_t:s0 and system_u:object_r:cert_t:s0).
/etc/selinux/targeted/contexts/files/file_contexts: Invalid argument
libsemanage.semanage_install_active: setfiles returned error code 1.
semodule:  Failed!



Version-Release number of selected component (if applicable):
selinux-policy-3.12.1-119.fc20

How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 1 Martin Kosek 2014-01-27 14:35:10 UTC
How did that happen? Do you have freeipa-server-selinux package installed? It should have been removed when freeipa-server >= 3.3.0 is installed.

Comment 2 David Spurek 2014-01-27 14:53:39 UTC
freeipa-server-selinux package isn't installed. freeipa-server-3.3.3-2.fc20 package is currently installed. I upgraded from F18 to F20 about one month ago using fedup. Maybe this is a problem.

Comment 3 Martin Kosek 2014-01-27 15:21:51 UTC
I wonder if this issue was only caused by a wrong order of updates (updated selinux-policy with FreeIPA rules and still-not-removed freeipa-server-selinux). Does that error still appear when you reinstall selinux-policy-3.12.1-119.fc20?

Do you see any FreeIPA-related AVC in your env?

Comment 4 David Spurek 2014-01-27 15:36:31 UTC
Yes, I still see the error when selinux-policy is reinstalled. I don't see any FreeIPA-related AVC.

Ausearch shows only one issue connected to ipa
type=SERVICE_START msg=audit(1390815365.866:390): pid=1 uid=0 auid=4294967295 ses=4294967295  subj=system_u:system_r:init_t:s0 msg=' comm="ipa" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'

Comment 5 Martin Kosek 2014-01-27 15:59:49 UTC
Miroslav, any SELinux advice on how to debug this issue?

David, would

# semodule -l | grep ipa

show anything interesting? Maybe the old FreeIPA SELinux module got stuck there.

Comment 6 David Spurek 2014-01-27 16:13:20 UTC
semodule -l | grep ipa
ipa	1.0.0	
ipa_dogtag	2.0	
ipa_httpd	2.0

Comment 7 Martin Kosek 2014-01-27 16:37:17 UTC
Looks like FreeIPA %postun scriptlet was not run during upgrade:

%postun server-selinux
semodule -s targeted -r ipa_httpd ipa_dogtag
. %{_sysconfdir}/selinux/config
FILE_CONTEXT=%{_sysconfdir}/selinux/targeted/contexts/files/file_contexts
selinuxenabled
if [ $? == 0  -a "${SELINUXTYPE}" == targeted -a -f ${FILE_CONTEXT}.%{name} ]; then
       fixfiles -C ${FILE_CONTEXT}.%{name} restore
       rm -f ${FILE_CONTEXT}.%name
fi



This should be amended by running

# semodule -s targeted -r ipa_httpd ipa_dogtag
# fixfiles relabel
# reboot

Comment 8 Miroslav Grepl 2014-01-27 17:38:40 UTC
Yes, an upgrade issue.

Comment 9 Martin Kosek 2014-01-28 07:53:24 UTC
Yes. I am closing this bug as a duplicate of Bug 989094 where we already track fedup upgrade issues. It apparently does not run RPM scriptlets, thus causing issues like this one.

*** This bug has been marked as a duplicate of bug 989094 ***
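
Added example (not part of the original bug report, and not FreeIPA or selinux-policy code): a shell check for the kind of conflict setfiles rejected in the description, where one path regex is given two different contexts. The function names and the sample entries are constructed for illustration, and the overlap rule (same regex, same or unspecified file type) is a simplifying assumption about how duplicate specifications are matched.

```shell
#!/bin/sh
# find_fc_conflicts [FILE]
# Reads a file in file_contexts format ("regex [-type] context"), or stdin
# when FILE is omitted, and prints every regex that is specified more than
# once with different contexts. Returns 1 if a conflict was found, else 0.
find_fc_conflicts() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }          # skip blank lines and comments
        {
            regex = $1
            type  = (NF >= 3) ? $2 : "any"     # no type field: all file types
            ctx   = $NF
            n = count[regex]++                 # earlier entries for this regex
            for (i = 0; i < n; i++) {
                t = types[regex, i]
                c = ctxs[regex, i]
                # Assumed overlap rule: same regex, same or unspecified type.
                if ((t == type || t == "any" || type == "any") && c != ctx) {
                    printf "%s: %s and %s\n", regex, c, ctx
                    bad = 1
                }
            }
            types[regex, n] = type
            ctxs[regex, n]  = ctx
        }
        END { exit bad + 0 }
    ' "${1:--}"
}

# Constructed sample input, modelled on the error message in the description:
# the same publish directory labelled once as pki_tomcat_cert_t and once as
# cert_t, plus two unrelated entries that must not be reported.
sample_file_contexts() {
    cat <<'EOF'
# constructed sample, not a real policy dump
/var/lib/ipa/pki-ca/publish(/.*)?   system_u:object_r:pki_tomcat_cert_t:s0
/etc(/.*)?                          system_u:object_r:etc_t:s0
/var/lib/ipa/pki-ca/publish(/.*)?   system_u:object_r:cert_t:s0
/etc/passwd  --                     system_u:object_r:passwd_file_t:s0
EOF
}

# Usage: find_fc_conflicts /path/to/file_contexts
#    or: sample_file_contexts | find_fc_conflicts
```

A reported regex shows which path to look for in the local module list (as `semodule -l | grep ipa` did in this thread) before removing the stale module.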

