Starting state:

    rlpowell@vrici> sudo dnf list installed '*selinux*'
    Installed Packages
    container-selinux.noarch          2:2.37-1.fc27          @updates
    libselinux.x86_64                 2.7-3.fc27             @updates
    libselinux-devel.x86_64           2.7-3.fc27             @updates
    libselinux-python.x86_64          2.7-3.fc27             @updates
    libselinux-python3.x86_64         2.7-3.fc27             @updates
    libselinux-ruby.x86_64            2.7-3.fc27             @updates
    libselinux-utils.x86_64           2.7-3.fc27             @updates
    rpm-plugin-selinux.x86_64         4.14.0-2.fc27          @fedora
    selinux-policy.noarch             3.13.1-283.19.fc27     @updates
    selinux-policy-devel.noarch       3.13.1-283.19.fc27     @updates
    selinux-policy-doc.noarch         3.13.1-283.19.fc27     @updates
    selinux-policy-targeted.noarch    3.13.1-283.19.fc27     @updates

This host has unconfined disabled. And:

    rlpowell@vrici> sudo dnf reinstall container-selinux.noarch
    Last metadata expiration check: 1:39:47 ago on Fri 05 Jan 2018 10:33:43 PM PST.
    Dependencies resolved.
    ================================================================================
     Package                 Arch        Version              Repository       Size
    ================================================================================
    Reinstalling:
     container-selinux       noarch      2:2.37-1.fc27        updates          36 k

    Transaction Summary
    ================================================================================

    Total download size: 36 k
    Is this ok [y/N]: y
    Downloading Packages:
    container-selinux-2.37-1.fc27.noarch.rpm          66 kB/s |  36 kB     00:00
    --------------------------------------------------------------------------------
    Total                                             32 kB/s |  36 kB     00:01
    Running transaction check
    Transaction check succeeded.
    Running transaction test
    Transaction test succeeded.
    Running transaction
      Preparing        :                                                      1/1
      Reinstalling     : container-selinux-2:2.37-1.fc27.noarch               1/2
      Running scriptlet: container-selinux-2:2.37-1.fc27.noarch               1/2
    Child type container_t exceeds bounds of parent container_runtime_t
    Child type container_t exceeds bounds of parent container_runtime_t
      (allow container_t container_file_t (chr_file (map execute)))
        <root>
        allow at /var/lib/selinux/targeted/tmp/modules/200/container/cil:1284
          (allow container_t container_file_t (chr_file (ioctl read getattr map execute open)))
      (allow container_t console_device_t (chr_file (read)))
        <root>
        allow at /var/lib/selinux/targeted/tmp/modules/200/container/cil:1191
          (allow container_domain console_device_t (chr_file (ioctl read write getattr lock append)))
      (allow container_t tty_device_t (chr_file (ioctl read write lock append)))
        <root>
        allow at /var/lib/selinux/targeted/tmp/modules/200/container/cil:1190
          (allow container_domain tty_device_t (chr_file (ioctl read write getattr lock append)))
      (allow container_t xen_devpts_t (chr_file (ioctl read write lock append)))
        <root>
        allow at /var/lib/selinux/targeted/tmp/modules/200/container/cil:1187
          (allow container_domain ptynode (chr_file (ioctl read write getattr lock append)))
      (allow container_t svirt_tcg_devpts_t (chr_file (ioctl read write lock append)))
        <See previous>
      (allow container_t svirt_devpts_t (chr_file (ioctl read write lock append)))
        <See previous>
      (allow container_t uml_devpts_t (chr_file (ioctl read write lock append)))
        <See previous>
      (allow container_t telnetd_devpts_t (chr_file (ioctl read write lock append)))
        <See previous>
      (allow container_t sandbox_devpts_t (chr_file (ioctl read write lock append)))
        <See previous>
      (allow container_t rssh_devpts_t (chr_file (ioctl read write lock append)))
        <See previous>
      (allow container_t rlogind_devpts_t (chr_file (ioctl read write lock append)))
        <See previous>
      (allow container_t rhgb_devpts_t (chr_file (ioctl read write lock append)))
        <See previous>
      (allow container_t pppd_devpts_t (chr_file (ioctl read write lock append)))
        <See previous>
      (allow container_t openfortivpn_devpts_t (chr_file (ioctl read write lock append)))
        <See previous>
      (allow container_t nx_server_devpts_t (chr_file (ioctl read write lock append)))
        <See previous>
      (allow container_t ipsec_mgmt_devpts_t (chr_file (ioctl read write lock append)))
        <See previous>
      (allow container_t games_devpts_t (chr_file (ioctl read write lock append)))
        <See previous>
      (allow container_t ajaxterm_devpts_t (chr_file (ioctl read write lock append)))
        <See previous>
    Failed to generate binary
    /usr/sbin/semodule:  Failed!
      Erasing          : container-selinux-2:2.37-1.fc27.noarch               2/2
      Running scriptlet: container-selinux-2:2.37-1.fc27.noarch               2/2
      Verifying        : container-selinux-2:2.37-1.fc27.noarch               1/2
      Verifying        : container-selinux-2:2.37-1.fc27.noarch               2/2

    Reinstalled:
      container-selinux.noarch 2:2.37-1.fc27

    Complete!
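Added example, not part of the original report or of container-selinux: a small Python parser that turns the typebounds errors quoted above into records (target type, class, reported permissions, and the CIL line and rule printed under `allow at`), resolving `<See previous>` to the preceding origin. The function names and the sample text are constructed for illustration.

```python
import re
# Constructed sample in the shape of the semodule output quoted in this report.
SAMPLE = """\
Child type container_t exceeds bounds of parent container_runtime_t
  (allow container_t container_file_t (chr_file (map execute)))
    <root>
    allow at /var/lib/selinux/targeted/tmp/modules/200/container/cil:1284
      (allow container_t container_file_t (chr_file (ioctl read getattr map execute open)))
  (allow container_t xen_devpts_t (chr_file (ioctl read write lock append)))
    <root>
    allow at /var/lib/selinux/targeted/tmp/modules/200/container/cil:1187
      (allow container_domain ptynode (chr_file (ioctl read write getattr lock append)))
  (allow container_t svirt_devpts_t (chr_file (ioctl read write lock append)))
    <See previous>
"""

# One alternative per token, so a flattened (single-line) paste parses the same way.
TOKEN = re.compile(
    r"Child type (?P<child>\S+) exceeds bounds of parent (?P<parent>\S+)"
    r"|\(allow (?P<src>\S+) (?P<tgt>\S+) \((?P<cls>\S+) \((?P<perms>[^)]*)\)\)\)"
    r"|allow at (?P<file>\S+):(?P<line>\d+)"
    r"|(?P<prev><See previous>)")

def parse_bounds_violations(text):
    """Return one dict per rule reported as exceeding the parent's bounds."""
    child = parent = origin = None
    out, awaiting_source = [], False  # flag: next rule is the one printed under "allow at"
    for m in TOKEN.finditer(text):
        if m["child"]:
            child, parent = m["child"], m["parent"]
        elif m["file"] and out:
            origin = {"file": m["file"], "line": int(m["line"]), "via": None}
            out[-1]["origin"], awaiting_source = origin, True
        elif m["prev"] and out:
            out[-1]["origin"] = origin  # same origin as the entry before
        elif m["src"] and awaiting_source:
            origin["via"], awaiting_source = (m["src"], m["tgt"]), False
        elif m["src"]:
            out.append({"child": child, "parent": parent, "target": m["tgt"],
                        "class": m["cls"], "perms": m["perms"].split(), "origin": None})
    return out

def targets_by_cil_line(violations):
    """Group the reported target types by the CIL line named as their origin."""
    grouped = {}
    for v in violations:
        line = v["origin"]["line"] if v["origin"] else None
        grouped.setdefault(line, []).append(v["target"])
    return grouped
```

Grouping by CIL line shows how many of the reported types trace back to a single attribute-level rule, such as the `container_domain` / `ptynode` rule in the sample.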
Fixed in container-selinux-2.38-1.fc27
Not for me. Downloaded the noarch from https://koji.fedoraproject.org/koji/buildinfo?buildID=1013878 and:

    rlpowell@vrici> sudo dnf reinstall ./container-selinux-2.38-1.fc27.noarch.rpm
    Last metadata expiration check: 2:07:28 ago on Sat 06 Jan 2018 08:06:25 AM PST.
    Dependencies resolved.
    ================================================================================
     Package                 Arch        Version              Repository       Size
    ================================================================================
    Reinstalling:
     container-selinux       noarch      2:2.38-1.fc27        @commandline     36 k

    Transaction Summary
    ================================================================================

    Total size: 36 k
    Is this ok [y/N]: y
    Downloading Packages:
    Running transaction check
    Transaction check succeeded.
    Running transaction test
    Transaction test succeeded.
    Running transaction
      Preparing        :                                                      1/1
      Reinstalling     : container-selinux-2:2.38-1.fc27.noarch               1/2
      Running scriptlet: container-selinux-2:2.38-1.fc27.noarch               1/2
    Child type container_t exceeds bounds of parent container_runtime_t
      (allow container_t console_device_t (chr_file (read)))
        <root>
        allow at /var/lib/selinux/targeted/tmp/modules/200/container/cil:1193
          (allow container_domain console_device_t (chr_file (ioctl read write getattr lock append)))
      (allow container_t tty_device_t (chr_file (ioctl read write lock append)))
        <root>
        allow at /var/lib/selinux/targeted/tmp/modules/200/container/cil:1192
          (allow container_domain tty_device_t (chr_file (ioctl read write getattr lock append)))
      (allow container_t xen_devpts_t (chr_file (ioctl read write lock append)))
        <root>
        allow at /var/lib/selinux/targeted/tmp/modules/200/container/cil:1189
          (allow container_domain ptynode (chr_file (ioctl read write getattr lock append)))

(that last output is incomplete; I didn't figure it mattered)
Nope, I will fix it in the next release.

Fixed in container-selinux-2.39-1.fc27
container-selinux-2.39-1.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2018-1d288c81a2
container-selinux-2.39-1.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-e513053ca9
Robin, this time I tried it out on my F27 box with unconfined disabled and it installed ok.
Confirmed, thanks!
Hmm. Let me know if you want me to open a new bug for this, but:

    rlpowell@vrici> sudo semanage dontaudit off
    Child type container_t exceeds bounds of parent container_runtime_t
      (allow container_t user_devpts_t (chr_file (open)))
        <root>
        allow at /var/lib/selinux/targeted/tmp/modules/200/container/cil:1199
          (allow container_domain user_devpts_t (chr_file (ioctl read write getattr lock append open)))
    Failed to generate binary
    OSError: [Errno 0] Error
container-selinux-2.39-1.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-1d288c81a2
Robin, you got that after the update?
container-selinux-2.39-1.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-e513053ca9
Yes, that was after sudo dnf install ./container-selinux-2.39-1.fc27.noarch.rpm
Weird that the first compile/install did not find it. I did see a boolean that would allow this access:

    daemons_use_tty --> off

Fixed in container-selinux-2.40-1
container-selinux-2.41-1.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-8d78cc34a3
container-selinux-2.40-1.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2018-827888cfdd
Confirmed. Thank you!
container-selinux-2.40-1.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-827888cfdd
container-selinux-2.41-1.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-8d78cc34a3
container-selinux-2.42-1.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-324df658f1
container-selinux-2.42-1.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-324df658f1
container-selinux-2.40-1.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.
container-selinux-2.42-1.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.