RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1377932 - Upgrading RHELAH 7.2.6-1 to 7.3 results in error: fsetxattr: Invalid argument
Summary: Upgrading RHELAH 7.2.6-1 to 7.3 results in error: fsetxattr: Invalid argument
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: rpm-ostree-client
Version: 7.3
Hardware: x86_64
OS: Linux
high
high
Target Milestone: rc
: ---
Assignee: Colin Walters
QA Contact: atomic-bugs@redhat.com
Yoana Ruseva
URL:
Whiteboard:
: 1393994 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-09-21 04:58 UTC by Alex Jia
Modified: 2020-01-17 15:57 UTC (History)
7 users (show)

Fixed In Version: selinux-policy-3.13.1-63.atomic.el7.7
Doc Type: Known Issue
Doc Text:
Cause: Attempting to upgrade from 7.2.6 to 7.3. Consequence: The upgrade fails with "error: fsetxattr: Invalid argument" Workaround (if any): There are three possible workarounds: 1) setenforce 0 atomic host upgrade 2) systemctl stop rpm-ostreed cp /usr/libexec/rpm-ostreed /usr/local/bin/rpm-ostreed chcon -t install_exec_t /usr/local/bin/rpm-ostreed /usr/local/bin/rpm-ostreed & atomic host upgrade 3) atomic host deploy 7.2.7 && systemctl reboot atomic host upgrade Result: The upgrade will work as expected.
Clone Of:
Environment:
Last Closed: 2016-09-22 17:10:35 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1340542 0 urgent CLOSED Need backported fix for install_exec_t (or rpm_exec_t) for rpm-ostreed 2021-02-22 00:41:40 UTC
Red Hat Bugzilla 1372792 0 unspecified CLOSED Backport selinux policy fix for install_t for rpm-ostree 2021-02-22 00:41:40 UTC

Internal Links: 1340542 1372792

Comment 4 Micah Abbott 2016-09-21 13:59:19 UTC 
Unfortunately, anyone using a version of RHELAH before 7.2.7 is going to encounter this problem when upgrading to 7.3.

The only advice we can give to customers is to disable SELinux during the upgrade and then re-enable it after it completes.

See the BZ in the See Also field for more info - https://bugzilla.redhat.com/show_bug.cgi?id=1340542
Comment 5 Milos Malik 2016-09-21 14:07:07 UTC 
Do you see any SELinux denials?

# ausearch -m avc -m selinux_err -i -ts today
Comment 6 Colin Walters 2016-09-21 14:38:49 UTC 
There are several workarounds:

1) setenforce 0
   atomic host upgrade
2) systemctl stop rpm-ostreed
   cp /usr/libexec/rpm-ostreed /usr/local/bin/rpm-ostreed
   chcon -t install_exec_t /usr/local/bin/rpm-ostreed
   /usr/local/bin/rpm-ostreed &
   atomic host upgrade
3) atomic host deploy 7.2.7 && systemctl reboot
   atomic host upgrade
Comment 7 Alex Jia 2016-09-21 16:10:58 UTC 
(In reply to Milos Malik from comment #5)
> Do you see any SELinux denials?
> 
> # ausearch -m avc -m selinux_err -i -ts today

Milos, there is no audit package is shipped in RHELAH, I will install it w/ unlock mode if need.
Comment 8 Alex Jia 2016-09-21 16:11:51 UTC 
(In reply to Alex Jia from comment #7)
> (In reply to Milos Malik from comment #5)
> > Do you see any SELinux denials?
> > 
> > # ausearch -m avc -m selinux_err -i -ts today
> 
> Milos, there is no audit package is shipped in RHELAH, I will install it w/
> unlock mode if need.

But the SELinux doesn't work well w/ overlay filesystem.
Comment 9 Alex Jia 2016-09-21 16:52:49 UTC 
(In reply to Alex Jia from comment #7)
> (In reply to Milos Malik from comment #5)
> > Do you see any SELinux denials?
> > 
> > # ausearch -m avc -m selinux_err -i -ts today
> 
> Milos, there is no audit package is shipped in RHELAH, I will install it w/
> unlock mode if need.

[cloud-user@atomic-host-001 ~]$ sudo ausearch -m avc -m selinux_err -i -ts today
----
type=SYSCALL msg=audit(09/21/2016 16:31:03.170:500) : arch=x86_64 syscall=fsetxattr success=no exit=EINVAL(Invalid argument) a0=0x31 a1=0x7f5ef5012f51 a2=0x7f5ef5012f62 a3=0x32 items=0 ppid=1 pid=13210 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=pool exe=/usr/libexec/rpm-ostreed subj=system_u:system_r:unconfined_service_t:s0 key=(null) 
type=SELINUX_ERR msg=audit(09/21/2016 16:31:03.170:500) : op=setxattr invalid_context=system_u:object_r:systemd_machined_unit_file_t:s0 
type=AVC msg=audit(09/21/2016 16:31:03.170:500) : avc:  denied  { mac_admin } for  pid=13210 comm=pool capability=mac_admin  scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=capability2
Comment 11 Micah Abbott 2016-09-22 15:32:19 UTC 
The backported fix to 'selinux-policy' which was shipped in 7.2.7 will fix this error.  See https://bugzilla.redhat.com/show_bug.cgi?id=1372792


Customers not using the 7.2.7 release will have to use one of the workarounds described in the Doc Text field.
Comment 12 Colin Walters 2016-11-10 19:13:56 UTC 
*** Bug 1393994 has been marked as a duplicate of this bug. ***
Note You need to log in before you can comment on or make changes to this bug.