RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1677199 - Fail to obtain the transaction lock after change of SELinux policy type
Summary: Fail to obtain the transaction lock after change of SELinux policy type
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: dnf
Version: 8.0
Hardware: All
OS: Linux
Target Milestone: rc
: 8.0
Assignee: Marek Blaha
QA Contact: Karel Srot
Depends On: 1641631
TreeView+ depends on / blocked
Reported: 2019-02-14 09:18 UTC by Lukas Vrabec
Modified: 2022-05-23 19:00 UTC (History)
10 users (show)

Fixed In Version: dnf-4.2.7-3.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2019-11-05 22:21:12 UTC
Type: Bug
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 6960429 0 None None None 2022-05-23 19:00:16 UTC
Red Hat Product Errata RHSA-2019:3583 0 None None None 2019-11-05 22:21:20 UTC

Description Lukas Vrabec 2019-02-14 09:18:30 UTC
Description of problem:
selinux-policy-targeted is default SELinux policy type on RHEL8. If I change one line in config file "/etc/selinux/config" from *SELINUXTYPE=targeted* to *SELINUXTYPE=minimum* and then I try to install corresponding selinux-policy package with this type of policy (selinux-policy-minumum), I get: 

# dnf install selinux-policy-minimum
Updating Subscription Management repositories.
Unable to read consumer identity
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Last metadata expiration check: 0:02:30 ago on Thu 14 Feb 2019 09:50:29 AM CET.
Dependencies resolved.
 Package                           Arch              Version                     Repository         Size
 selinux-policy-minimum            noarch            3.14.1-59.el8               BaseOS             13 M

Transaction Summary
Install  1 Package

Total download size: 13 M
Installed size: 33 M
Is this ok [y/N]: y
Downloading Packages:
selinux-policy-minimum-3.14.1-59.el8.noarch.rpm                          842 kB/s |  13 MB     00:15    
Total                                                                    842 kB/s |  13 MB     00:15     
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Failed to obtain the transaction lock (logged in as: root).
The downloaded packages were saved in cache until the next successful transaction.
You can remove cached packages by executing 'dnf clean packages'.
Error: Could not run transaction.

I know, that It doesn't need to make sense that I change some configuration in SELinux and after that I'm trying to install some packages related to this change, but it worked on RHEL7 with warning msg in yum:

Downloading packages:
selinux-policy-minimum-3.13.1-236.el7.noarch.rpm                                  | 6.9 MB  00:00:04     
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
warning: Failed to open SELinux handle.
  Installing : selinux-policy-minimum-3.13.1-236.el7.noarch                                          1/1 
  Verifying  : selinux-policy-minimum-3.13.1-236.el7.noarch                                          1/1 

  selinux-policy-minimum.noarch 0:3.13.1-236.el7                                                         


It looks there is some implementation difference in dnf and yum. Fedora Rawhide/29 is also affected.

Version-Release number of selected component (if applicable):

How reproducible:

Actual results:
dnf is broken (unable to install any package in system) after type change in /etc/selinux/config. 

Expected results:
It will be possible or at least there will be some meaningful error msg that dnf cannot open SELinux handle and admin should fix it. 

Additional info:
I'm part of SELinux team and we can help you with this bug, however I'm not sure whats happening under the dnf hood.

Comment 1 Panu Matilainen 2019-02-14 09:37:00 UTC
Um, Lukas: this is exactly the same thing as bug 1641631, it's just that dnf masks the more detailed error coming from rpm. See but https://bugzilla.redhat.com/show_bug.cgi?id=1641631#c16 in particular. Here you're just creating the same mismatch in different order, results in selinux_file_context_path() returning a path to non-existent file.

The only thing that dnf is guilty of here is the misleading error message.

Comment 2 Jaroslav Mracek 2019-02-19 15:53:07 UTC
Please can we get some additional information from RPM for the issue or did you only suggest to improve error messages? Any example is welcome.

Comment 3 Panu Matilainen 2019-02-20 07:13:08 UTC
The problem here is that rpm logs a more detailed error message [*] but dnf swallows it. Very similar to what happens in bug 1658292 - the overall theme is that dnf is a bit too eager to hide away anything coming from rpm level. 

There are any number of things that can go wrong here, obtaining the transaction lock is just one of them. Dnf shouldn't go guessing what rpm is trying to do here and just let those errors through.

[*] The rpm message in question from the selinux plugin is not that great in this situation either, but it does at least hint at selinux as the culprit. I improved it upstream and we need to get it into rhel-8 rpm, but that's not of much use as long as dnf masks it.

Comment 9 errata-xmlrpc 2019-11-05 22:21:12 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.