1377932 – Upgrading RHELAH 7.2.6-1 to 7.3 results in error: fsetxattr: Invalid argument

Bug 1377932 - Upgrading RHELAH 7.2.6-1 to 7.3 results in error: fsetxattr: Invalid argument

Summary: Upgrading RHELAH 7.2.6-1 to 7.3 results in error: fsetxattr: Invalid argument

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	rpm-ostree-client
Sub Component:
Version:	7.3
Hardware:	x86_64
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	rc
Target Release:	---
Assignee:	Colin Walters
QA Contact:	atomic-bugs@redhat.com
Docs Contact:	Yoana Ruseva
URL:
Whiteboard:
Duplicates (1):	1393994 (view as bug list)
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2016-09-21 04:58 UTC by Alex Jia
Modified:	2020-01-17 15:57 UTC (History)
CC List:	7 users (show)
Fixed In Version:	selinux-policy-3.13.1-63.atomic.el7.7
Doc Type:	Known Issue
Doc Text:	Cause: Attempting to upgrade from 7.2.6 to 7.3. Consequence: The upgrade fails with "error: fsetxattr: Invalid argument" Workaround (if any): There are three possible workarounds: 1) setenforce 0 atomic host upgrade 2) systemctl stop rpm-ostreed cp /usr/libexec/rpm-ostreed /usr/local/bin/rpm-ostreed chcon -t install_exec_t /usr/local/bin/rpm-ostreed /usr/local/bin/rpm-ostreed & atomic host upgrade 3) atomic host deploy 7.2.7 && systemctl reboot atomic host upgrade Result: The upgrade will work as expected.
Clone Of:
Environment:
Last Closed:	2016-09-22 17:10:35 UTC
Target Upstream Version:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Bugzilla	1340542	0	urgent	CLOSED	Need backported fix for install_exec_t (or rpm_exec_t) for rpm-ostreed	2021-02-22 00:41:40 UTC
Red Hat Bugzilla	1372792	0	unspecified	CLOSED	Backport selinux policy fix for install_t for rpm-ostree	2021-02-22 00:41:40 UTC

Internal Links: 1340542 1372792

Comment 4 Micah Abbott 2016-09-21 13:59:19 UTC

Unfortunately, anyone using a version of RHELAH before 7.2.7 is going to encounter this problem when upgrading to 7.3.

The only advice we can give to customers is to disable SELinux during the upgrade and then re-enable it after it completes.

See the BZ in the See Also field for more info - https://bugzilla.redhat.com/show_bug.cgi?id=1340542

Comment 5 Milos Malik 2016-09-21 14:07:07 UTC

Do you see any SELinux denials?

# ausearch -m avc -m selinux_err -i -ts today

Comment 6 Colin Walters 2016-09-21 14:38:49 UTC

There are several workarounds:

1) setenforce 0
   atomic host upgrade
2) systemctl stop rpm-ostreed
   cp /usr/libexec/rpm-ostreed /usr/local/bin/rpm-ostreed
   chcon -t install_exec_t /usr/local/bin/rpm-ostreed
   /usr/local/bin/rpm-ostreed &
   atomic host upgrade
3) atomic host deploy 7.2.7 && systemctl reboot
   atomic host upgrade

Comment 7 Alex Jia 2016-09-21 16:10:58 UTC

(In reply to Milos Malik from comment #5)
> Do you see any SELinux denials?
> 
> # ausearch -m avc -m selinux_err -i -ts today

Milos, there is no audit package is shipped in RHELAH, I will install it w/ unlock mode if need.

Comment 8 Alex Jia 2016-09-21 16:11:51 UTC

(In reply to Alex Jia from comment #7)
> (In reply to Milos Malik from comment #5)
> > Do you see any SELinux denials?
> > 
> > # ausearch -m avc -m selinux_err -i -ts today
> 
> Milos, there is no audit package is shipped in RHELAH, I will install it w/
> unlock mode if need.

But the SELinux doesn't work well w/ overlay filesystem.

Comment 9 Alex Jia 2016-09-21 16:52:49 UTC

(In reply to Alex Jia from comment #7)
> (In reply to Milos Malik from comment #5)
> > Do you see any SELinux denials?
> > 
> > # ausearch -m avc -m selinux_err -i -ts today
> 
> Milos, there is no audit package is shipped in RHELAH, I will install it w/
> unlock mode if need.

[cloud-user@atomic-host-001 ~]$ sudo ausearch -m avc -m selinux_err -i -ts today
----
type=SYSCALL msg=audit(09/21/2016 16:31:03.170:500) : arch=x86_64 syscall=fsetxattr success=no exit=EINVAL(Invalid argument) a0=0x31 a1=0x7f5ef5012f51 a2=0x7f5ef5012f62 a3=0x32 items=0 ppid=1 pid=13210 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=pool exe=/usr/libexec/rpm-ostreed subj=system_u:system_r:unconfined_service_t:s0 key=(null) 
type=SELINUX_ERR msg=audit(09/21/2016 16:31:03.170:500) : op=setxattr invalid_context=system_u:object_r:systemd_machined_unit_file_t:s0 
type=AVC msg=audit(09/21/2016 16:31:03.170:500) : avc:  denied  { mac_admin } for  pid=13210 comm=pool capability=mac_admin  scontext=system_u:system_r:unconfined_service_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=capability2

Comment 11 Micah Abbott 2016-09-22 15:32:19 UTC

The backported fix to 'selinux-policy' which was shipped in 7.2.7 will fix this error.  See https://bugzilla.redhat.com/show_bug.cgi?id=1372792


Customers not using the 7.2.7 release will have to use one of the workarounds described in the Doc Text field.

Comment 12 Colin Walters 2016-11-10 19:13:56 UTC

*** Bug 1393994 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.