Description of problem:

With the changes to selinux (docker-selinux -> container-selinux), and other recent changes, some packages that are installed with a yum update still break the cluster. The following packages seem to cause the issue:

selinux-policy-devel-3.13.1-102.el7_3.7.noarch
selinux-policy-targeted-3.13.1-102.el7_3.7.noarch
selinux-policy-3.13.1-102.el7_3.7.noarch

As soon as these were applied to the cluster, it went down because docker lost all of its SELinux labeling. By running:

yum reinstall -y container-selinux; systemctl restart docker; systemctl restart atomic-openshift-node

the labels were restored.

I have marked this bug for the Installer in order to exclude the packages that break using atomic-openshift-excluder as the selinux issues should be fixed in bugs:

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1413536
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1411316
[3] https://bugzilla.redhat.com/show_bug.cgi?id=1413535
I'm closing this NOTABUG because it should always be safe to update to the latest selinux-policy and container-selinux and there are bugs open to address problems there. If the docker team decides that we need to exclude selinux-policy and container-selinux from updates we'll revisit this but I think that's an exceptionally risky proposition.
*** This bug has been marked as a duplicate of bug 1411316 ***
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days