Bug 1723118 - kickstart installation with GNOME and Xfce: DNF error in POSTIN scriplet of flatpak-selinux
Summary: kickstart installation with GNOME and Xfce: DNF error in POSTIN scriplet of f...
Alias: None
Product: Fedora
Classification: Fedora
Component: flatpak
Version: 30
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: David King
QA Contact: Fedora Extras Quality Assurance
Depends On:
TreeView+ depends on / blocked
Reported: 2019-06-22 23:51 UTC by René Genz
Modified: 2019-07-04 18:44 UTC (History)
3 users (show)

Fixed In Version: flatpak-1.4.1-3.fc31
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2019-06-25 22:25:25 UTC
Type: Bug

Attachments (Terms of Use)
kickstart file (1.19 KB, text/plain)
2019-06-22 23:51 UTC, René Genz
no flags Details
a file from /tmp ; output of RPM packages (1.17 KB, text/plain)
2019-06-22 23:54 UTC, René Genz
no flags Details
the other log files from /tmp (181.70 KB, application/x-7z-compressed)
2019-06-22 23:57 UTC, René Genz
no flags Details
Protect sourcing of /etc/selinux/config (5.26 KB, patch)
2019-07-04 18:41 UTC, Terje Røsten
no flags Details | Diff

Description René Genz 2019-06-22 23:51:53 UTC
Created attachment 1583610 [details]
kickstart file

Description of problem:
Kickstart installation of either:
- @^xfce-desktop-environment  and   @workstation-product
- @^workstation-product-environment  and  @xfce-desktop
fails with text: Error in POSTIN scriptlet in rpm package flatpak-selinux

Leaving out the 2nd part works. Installing the 2nd part after installation is done works too.

I could not select 'flatpak-selinux' as component in this bugzilla, hence I used 'flatpak'.

Version-Release number of selected component (if applicable):

How reproducible:
easy, 100%

Steps to Reproduce:
0. upload WS_lbox178 somewhere
1. download https://download.fedoraproject.org/pub/fedora/linux/releases/30/Workstation/x86_64/iso/Fedora-Workstation-netinst-x86_64-30-1.2.iso
2. start computer with that ISO file
3. in Fedora menu press tab key and use this text and press enter:
vmlinuz initrd=initrd.img ks=http://path/to/WS_lbox178
4. wait for error message to appear

Actual results:
Installation aborts with text:

  The following error occurred while installing. This is a fatal error and
  installation will be aborted.

  DNF error: Error in POSTIN scriptlet in rpm package flatpak-selinux

Expected results:
installation should finish without problem or error message.
Like it did some weeks ago.

Additional info:
1) add "-flatpak-selinux" to %packages

2) use only "fedora" repository for installation; do not use "updates" repository

Comment 1 René Genz 2019-06-22 23:54:09 UTC
Created attachment 1583611 [details]
a file from /tmp ; output of RPM packages

Comment 2 René Genz 2019-06-22 23:57:23 UTC
Created attachment 1583612 [details]
the other log files from /tmp

Comment 3 René Genz 2019-06-23 00:18:09 UTC
for what it is worth: I tracked the installed packages; put their names in the kickstart file; disabled the groups in the kickstart file, enabled "@^minimal-environment", and started another installation.
The total number of packages was smaller than before. The installation finished without problems. The GNOME/Xfce combination is required to trigger the problem.

Comment 4 Terje Røsten 2019-06-25 19:23:24 UTC
I also got this error and I think I found the root cause.

flatpak-selinux has %post script:


 %selinux_modules_install %{_datadir}/selinux/packages/flatpak.pp.bz2

which expands to:

postinstall scriptlet (using /bin/sh):

. /etc/selinux/config 
if [ -z "${_policytype}" ]; then 
if [ "${SELINUXTYPE}" = "${_policytype}" ]; then 
  /usr/sbin/semodule -n -s ${_policytype} -X 200 -i /usr/share/selinux/packages/flatpak.pp.bz2 
  /usr/sbin/selinuxenabled && /usr/sbin/load_policy || : 

The problem is that /etc/selinux/config is in 

$ rpm -qf  /etc/selinux/config

however flatpak-selinux have only weak requires like this:

Requires:       selinux-policy >= %{_selinux_policy_version}

however it must be the stronger  (note the extra post)

Requires(post):       selinux-policy >= %{_selinux_policy_version}

The problem can be seen in rpm db:

$ rpm -q --qf '%{name} %{INSTALLTIME}\n'  flatpak-selinux selinux-policy

flatpak-selinux 1561488293
selinux-policy  1561488294

selinux-policy is installed after flatpak-selinux

Comment 5 Terje Røsten 2019-07-04 18:41:33 UTC
Created attachment 1587455 [details]
Protect sourcing of /etc/selinux/config

Patch to protect all sourcing of /etc/selinux/config.

Comment 6 Terje Røsten 2019-07-04 18:44:38 UTC
Sorry, should be added to https://bugzilla.redhat.com/show_bug.cgi?id=1723940

Note You need to log in before you can comment on or make changes to this bug.