Description of problem:
Upgrade of container-selinux caused failures in scriptlets

Version-Release number of selected component (if applicable):
sh$ rpm -q container-selinux
container-selinux-2.67-2.git042f7cf.fc29.noarch

How reproducible:
Deterministic

Steps to Reproduce:
1. dnf update container-selinux

Actual results:
//upgrade contains
Running scriptlet: container-selinux-2:2.67-2.git042f7cf.fc29.noarc 54/128
neverallow check failed at /var/lib/selinux/targeted/tmp/modules/100/base/cil:9194
(neverallow base_typeattr_7 unlabeled_t (file (entrypoint)))
<root>
allow at /var/lib/selinux/targeted/tmp/modules/200/container/cil:1580
(allow spc_t unlabeled_t (file (entrypoint)))
<root>
allow at /var/lib/selinux/targeted/tmp/modules/100/sandboxX/cil:866
(allow sandbox_x_domain exec_type (file (entrypoint)))
<root>
allow at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:1678
(allow virtd_lxc_t exec_type (file (entrypoint)))
<root>
allow at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2069
(allow svirt_sandbox_domain exec_type (file (entrypoint)))
Failed to generate binary
/usr/sbin/semodule: Failed!

Expected results:
upgrade without any issue

Additional info:
Update your version of libsemanage

dnf update libsemanage
dnf reinstall container-selinux
It did not help (And I already had latest libsemanage when I reported this bug)

[root@host ~]# rpm -q libsemanage
libsemanage-2.8-2.fc29.x86_64
[root@host ~]# dnf reinstall container-selinux
Last metadata expiration check: 3:17:57 ago on Fri 13 Jul 2018 11:21:36 AM CEST.
Dependencies resolved.
================================================================================
 Package              Arch      Version                      Repository    Size
================================================================================
Reinstalling:
 container-selinux    noarch    2:2.67-2.git042f7cf.fc29     rawhide       43 k

Transaction Summary
================================================================================

Total download size: 43 k
Installed size: 37 k
Is this ok [y/N]: y
Downloading Packages:
container-selinux-2.67-2.git042f7cf.fc29.noarch 142 kB/s | 43 kB 00:00
--------------------------------------------------------------------------------
Total 32 kB/s | 43 kB 00:01
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Reinstalling : container-selinux-2:2.67-2.git042f7cf.fc29.noarch 1/2
Running scriptlet: container-selinux-2:2.67-2.git042f7cf.fc29.noarch 1/2
neverallow check failed at /var/lib/selinux/targeted/tmp/modules/100/base/cil:9194
(neverallow base_typeattr_7 unlabeled_t (file (entrypoint)))
<root>
allow at /var/lib/selinux/targeted/tmp/modules/200/container/cil:1580
(allow spc_t unlabeled_t (file (entrypoint)))
<root>
allow at /var/lib/selinux/targeted/tmp/modules/100/sandboxX/cil:866
(allow sandbox_x_domain exec_type (file (entrypoint)))
<root>
allow at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:1678
(allow virtd_lxc_t exec_type (file (entrypoint)))
<root>
allow at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2069
(allow svirt_sandbox_domain exec_type (file (entrypoint)))
Failed to generate binary
/usr/sbin/semodule: Failed!
Running scriptlet: container-selinux-2:2.67-2.git042f7cf.fc29.noarch 2/2
Verifying : container-selinux-2:2.67-2.git042f7cf.fc29.noarch 1/2
Verifying : container-selinux-2:2.67-2.git042f7cf.fc29.noarch 2/2

Reinstalled:
container-selinux-2:2.67-2.git042f7cf.fc29.noarch

Complete!
This is a problem in libsemanage then. You can fix it simply by editing the /etc/selinux/semanage.conf file and changing the expand-check value to 0.

expand-check=0

This should not be turned on in Rawhide. It should only be turned on for selinux-policy builds.
This bug appears to have been reported against 'rawhide' during the Fedora 29 development cycle. Changing version to '29'.
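An added example, not part of the bug report or of libsemanage: a small Python parser for the neverallow failure text quoted in the comments above. It separates the allow rule that names the neverallow's target type literally from the rules that reach it only through an attribute. The regular expression, the function names and the sample (copied from the report with whitespace normalised) are assumptions of this example.

```python
import re
from collections import namedtuple

Rule = namedtuple("Rule", "kind priority module cil_line source target tclass perms")

# Matches "... at <store>/modules/<priority>/<module>/cil:<line> (<rule>)".
RULE_RE = re.compile(
    r"at\s+\S*/modules/(\d+)/([^/\s]+)/cil:(\d+)\s*"
    r"\((neverallow|allow)\s+(\S+)\s+(\S+)\s+\((\S+)\s+\(([^)]*)\)\)\)"
)

def parse_rules(text):
    """Return every rule named in a neverallow failure, in order of appearance."""
    return [
        Rule(kind, int(prio), mod, int(line), src, tgt, cls, frozenset(perms.split()))
        for prio, mod, line, kind, src, tgt, cls, perms in RULE_RE.findall(text)
    ]

def triage(text):
    """Split the allow rules into those naming the neverallow target literally
    and those that reach it via an attribute (needs the policy itself to resolve)."""
    rules = parse_rules(text)
    never = next(r for r in rules if r.kind == "neverallow")
    direct, indirect = [], []
    for r in rules:
        if r.kind != "allow" or r.tclass != never.tclass or not (r.perms & never.perms):
            continue
        (direct if r.target == never.target else indirect).append(r)
    return never, direct, indirect

# Constructed sample: the failure text from the report, one record per line.
SAMPLE = """
neverallow check failed at /var/lib/selinux/targeted/tmp/modules/100/base/cil:9194 (neverallow base_typeattr_7 unlabeled_t (file (entrypoint)))
<root> allow at /var/lib/selinux/targeted/tmp/modules/200/container/cil:1580 (allow spc_t unlabeled_t (file (entrypoint)))
<root> allow at /var/lib/selinux/targeted/tmp/modules/100/sandboxX/cil:866 (allow sandbox_x_domain exec_type (file (entrypoint)))
<root> allow at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:1678 (allow virtd_lxc_t exec_type (file (entrypoint)))
<root> allow at /var/lib/selinux/targeted/tmp/modules/100/virt/cil:2069 (allow svirt_sandbox_domain exec_type (file (entrypoint)))
"""

if __name__ == "__main__":
    never, direct, indirect = triage(SAMPLE)
    print("neverallow:", never.module, never.cil_line, never.source, never.target)
    for label, group in (("direct", direct), ("via attribute", indirect)):
        for r in group:
            print(f"  {label}: priority {r.priority} {r.module}:{r.cil_line} {r.source} -> {r.target}")
```

On the report's output this singles out the priority-200 container module rule for spc_t as the only one whose target is unlabeled_t itself; the sandboxX and virt rules target the exec_type attribute.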