1677199 – Fail to obtain the transaction lock after change of SELinux policy type

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1677199 - Fail to obtain the transaction lock after change of SELinux policy type

Summary: Fail to obtain the transaction lock after change of SELinux policy type

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	dnf
Sub Component:
Version:	8.0
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	low
Target Milestone:	rc
Target Release:	8.0
Assignee:	Marek Blaha
QA Contact:	Karel Srot
Docs Contact:
URL:
Whiteboard:
Depends On:	1641631
Blocks:
TreeView+	depends on / blocked

Reported:	2019-02-14 09:18 UTC by Lukas Vrabec
Modified:	2022-05-23 19:00 UTC (History)
CC List:	10 users (show)
Fixed In Version:	dnf-4.2.7-3.el8
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2019-11-05 22:21:12 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Knowledge Base (Solution)	6960429	0	None	None	None	2022-05-23 19:00:16 UTC
Red Hat Product Errata	RHSA-2019:3583	0	None	None	None	2019-11-05 22:21:20 UTC

Description Lukas Vrabec 2019-02-14 09:18:30 UTC

Description of problem:
selinux-policy-targeted is default SELinux policy type on RHEL8. If I change one line in config file "/etc/selinux/config" from *SELINUXTYPE=targeted* to *SELINUXTYPE=minimum* and then I try to install corresponding selinux-policy package with this type of policy (selinux-policy-minumum), I get: 

# dnf install selinux-policy-minimum
Updating Subscription Management repositories.
Unable to read consumer identity
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Last metadata expiration check: 0:02:30 ago on Thu 14 Feb 2019 09:50:29 AM CET.
Dependencies resolved.
=========================================================================================================
 Package                           Arch              Version                     Repository         Size
=========================================================================================================
Installing:
 selinux-policy-minimum            noarch            3.14.1-59.el8               BaseOS             13 M

Transaction Summary
=========================================================================================================
Install  1 Package

Total download size: 13 M
Installed size: 33 M
Is this ok [y/N]: y
Downloading Packages:
selinux-policy-minimum-3.14.1-59.el8.noarch.rpm                          842 kB/s |  13 MB     00:15    
---------------------------------------------------------------------------------------------------------
Total                                                                    842 kB/s |  13 MB     00:15     
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Failed to obtain the transaction lock (logged in as: root).
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'dnf clean packages'.
Error: Could not run transaction.

I know, that It doesn't need to make sense that I change some configuration in SELinux and after that I'm trying to install some packages related to this change, but it worked on RHEL7 with warning msg in yum:

Downloading packages:
selinux-policy-minimum-3.13.1-236.el7.noarch.rpm                                  | 6.9 MB  00:00:04     
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
warning: Failed to open SELinux handle.
  Installing : selinux-policy-minimum-3.13.1-236.el7.noarch                                          1/1 
  Verifying  : selinux-policy-minimum-3.13.1-236.el7.noarch                                          1/1 

Installed:
  selinux-policy-minimum.noarch 0:3.13.1-236.el7                                                         

Complete!

It looks there is some implementation difference in dnf and yum. Fedora Rawhide/29 is also affected.


Version-Release number of selected component (if applicable):
dnf-4.0.9.2-1.el8.noarch

How reproducible:
Always

Actual results:
dnf is broken (unable to install any package in system) after type change in /etc/selinux/config. 

Expected results:
It will be possible or at least there will be some meaningful error msg that dnf cannot open SELinux handle and admin should fix it. 

Additional info:
I'm part of SELinux team and we can help you with this bug, however I'm not sure whats happening under the dnf hood.

Comment 1 Panu Matilainen 2019-02-14 09:37:00 UTC

Um, Lukas: this is exactly the same thing as bug 1641631, it's just that dnf masks the more detailed error coming from rpm. See but https://bugzilla.redhat.com/show_bug.cgi?id=1641631#c16 in particular. Here you're just creating the same mismatch in different order, results in selinux_file_context_path() returning a path to non-existent file.

The only thing that dnf is guilty of here is the misleading error message.

Comment 2 Jaroslav Mracek 2019-02-19 15:53:07 UTC

Please can we get some additional information from RPM for the issue or did you only suggest to improve error messages? Any example is welcome.

Comment 3 Panu Matilainen 2019-02-20 07:13:08 UTC

The problem here is that rpm logs a more detailed error message [*] but dnf swallows it. Very similar to what happens in bug 1658292 - the overall theme is that dnf is a bit too eager to hide away anything coming from rpm level. 

There are any number of things that can go wrong here, obtaining the transaction lock is just one of them. Dnf shouldn't go guessing what rpm is trying to do here and just let those errors through.

[*] The rpm message in question from the selinux plugin is not that great in this situation either, but it does at least hint at selinux as the culprit. I improved it upstream and we need to get it into rhel-8 rpm, but that's not of much use as long as dnf masks it.

Comment 4 Marek Blaha 2019-07-03 11:17:13 UTC

PR: https://github.com/rpm-software-management/dnf/pull/1430

Comment 9 errata-xmlrpc 2019-11-05 22:21:12 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:3583

Note You need to log in before you can comment on or make changes to this bug.