Description of problem:
Fail during update to selinux-policy-3.12.1-119.fc20

  Updating   : selinux-policy-3.12.1-119.fc20.noarch   22/532
/etc/selinux/targeted/contexts/files/file_contexts: Multiple different specifications for /var/lib/ipa/pki-ca/publish(/.*)? (system_u:object_r:pki_tomcat_cert_t:s0 and system_u:object_r:cert_t:s0).
/etc/selinux/targeted/contexts/files/file_contexts: Invalid argument
libsemanage.semanage_install_active: setfiles returned error code 1.
semodule: Failed!

Version-Release number of selected component (if applicable):
selinux-policy-3.12.1-119.fc20

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:

How did that happen? Do you have freeipa-server-selinux package installed? It should have been removed when freeipa-server >= 3.3.0 is installed.
freeipa-server-selinux package isn't installed. freeipa-server-3.3.3-2.fc20 package is currently installed. I upgraded from F18 to F20 about one month ago using fedup. Maybe this is a problem.
I wonder if this issue was only caused by a wrong order of updates (updates selinux-policy with FreeIPA rules and still-not-removed freeipa-server-selinux). Does that error still appear when you reinstall selinux-policy-3.12.1-119.fc20? Do you see any FreeIPA-related AVC in your env?
Yes, I still see the error when selinux-policy is reinstalled. I don't see any FreeIPA-related AVC. Ausearch shows only one issue connected to ipa:

type=SERVICE_START msg=audit(1390815365.866:390): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="ipa" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'

Miroslav, any SELinux advice on how to debug this issue? David, would

# semodule -l | grep ipa

show anything interesting? Maybe the old FreeIPA SELinux module got stuck there.

semodule -l | grep ipa
ipa	1.0.0
ipa_dogtag	2.0
ipa_httpd	2.0

Looks like FreeIPA %postun scriptlet was not run during upgrade:

%postun server-selinux
semodule -s targeted -r ipa_httpd ipa_dogtag
. %{_sysconfdir}/selinux/config
FILE_CONTEXT=%{_sysconfdir}/selinux/targeted/contexts/files/file_contexts
selinuxenabled
if [ $? == 0 -a "${SELINUXTYPE}" == targeted -a -f ${FILE_CONTEXT}.%{name} ]; then
    fixfiles -C ${FILE_CONTEXT}.%{name} restore
    rm -f ${FILE_CONTEXT}.%name
fi

This should be amended by running

# semodule -s targeted -r ipa_httpd ipa_dogtag
# fixfiles relabel
# reboot

Yes, an upgrade issue.
Yes. I am closing this bug as a duplicate of Bug 989094 where we already track fedup upgrade issues. It apparently does not run RPM scriptlets thus causing issues like this one.

*** This bug has been marked as a duplicate of bug 989094 ***
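
Added example, not part of the original bug thread or of any project's code: a small diagnostic that scans a file_contexts file for the condition setfiles reported above, the same path regex given two different contexts, as happens when a stale module and the base policy both label a path. The function names, the sample entries and the simplified matching rule (same regex, and file-type fields equal or one of them absent) are assumptions made for illustration; on a real system the file to check is the /etc/selinux/targeted/contexts/files/file_contexts path named in the error.

```shell
#!/bin/sh
# Constructed sample input, not taken from a real policy.
sample_file_contexts() {
    cat <<'EOF'
# constructed sample entries
/var/lib/ipa/pki-ca/publish(/.*)?	system_u:object_r:pki_tomcat_cert_t:s0
/var/lib/ipa(/.*)?	system_u:object_r:var_lib_t:s0
/var/lib/ipa/pki-ca/publish(/.*)?	system_u:object_r:cert_t:s0
/etc/httpd/alias(/.*)?	--	system_u:object_r:cert_t:s0
/etc/httpd/alias(/.*)?	-d	system_u:object_r:cert_t:s0
EOF
}

# find_fc_conflicts FILE
# Prints "regex: ctx1 and ctx2" for every pair of entries that share a
# path regex and a compatible file-type field but assign different contexts.
find_fc_conflicts() {
    awk '
    /^[ \t]*#/ || NF == 0 { next }      # skip comments and blank lines
    {
        regex = $1
        # Three fields: regex, file type (e.g. -- or -d), context.
        # Two fields: regex, context (applies to every file type).
        if (NF >= 3) { type = $2; ctx = $3 } else { type = ""; ctx = $2 }
        n = count[regex]
        for (i = 1; i <= n; i++) {
            t = types[regex, i]
            c = ctxs[regex, i]
            # Conflict only if the entries can apply to the same file type.
            if ((t == "" || type == "" || t == type) && c != ctx)
                printf "%s: %s and %s\n", regex, c, ctx
        }
        count[regex] = n + 1
        types[regex, n + 1] = type
        ctxs[regex, n + 1] = ctx
    }' "$1"
}

# Demo on the constructed sample.
tmp=$(mktemp)
sample_file_contexts > "$tmp"
find_fc_conflicts "$tmp"
rm -f "$tmp"
```

A hit from this check, together with leftover entries in the semodule -l output, points at the module that still ships the conflicting specification.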