Bug 1723940 - selinux-policy-targeted needs stronger requires on selinux-policy (and way too much magic in scriptlets)
Summary: selinux-policy-targeted needs stronger requires on selinux-policy (and way to...
Keywords:
Status: CLOSED EOL
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 32
Hardware: Unspecified
OS: Unspecified
high
medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2019-06-25 19:36 UTC by Terje Røsten
Modified: 2021-05-25 18:09 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-05-25 18:09:57 UTC
Type: Bug
Embargoed:


Attachments
Protect sourcing of /etc/selinux/config (5.26 KB, patch)
2019-07-04 18:43 UTC, Terje Røsten
kickstart config for fc32 (1.55 KB, text/plain)
2020-06-04 05:17 UTC, Ian Donaldson

Description Terje Røsten 2019-06-25 19:36:54 UTC
Description of problem:

via macro expand in spec file postinstall scriptlet (using /bin/sh):

ends up like:

postinstall scriptlet (using /bin/sh):

. /etc/selinux/config; 
if [ -e /etc/selinux/targeted/.rebuild ]; then 
   rm /etc/selinux/targeted/.rebuild; 
   /usr/sbin/semodule -B -n -s targeted; 
fi; 
[ "${SELINUXTYPE}" == "targeted" ] && selinuxenabled && load_policy; 
if [ $1 -eq 1 ]; then 
   /sbin/restorecon -R /root /var/log /run /etc/passwd* /etc/group* /etc/*shadow* 2> /dev/null; 
else 

. /etc/selinux/config; 
FILE_CONTEXT=/etc/selinux/targeted/contexts/files/file_contexts; 
/usr/sbin/selinuxenabled; 
if [ $? = 0  -a "${SELINUXTYPE}" = targeted -a -f ${FILE_CONTEXT}.pre ]; then 
     /sbin/fixfiles -C ${FILE_CONTEXT}.pre restore &> /dev/null > /dev/null; 
     rm -f ${FILE_CONTEXT}.pre; 
fi; 
if /sbin/restorecon -e /run/media -R /root /var/log /var/run /etc/passwd* /etc/group* /etc/*shadow* 2> /dev/null;then 
    continue; 
fi;
fi;
exit 0

This seems harmless and good, however /etc/selinux/config is shipped in
selinux-policy, and selinux-policy-targeted has only:

Requires: selinux-policy = %{version}-%{release}

this must be changed to:

Requires(post): selinux-policy = %{version}-%{release}

such that selinux-policy is installed before selinux-policy-targeted (that might not be the case with a plain Requires).


I tracked down a similar problem in flatpak-selinux, which used the
%selinux_modules_install macro in post scripts (it includes . /etc/selinux/config too), but had only Requires: selinux-policy.

See: https://bugzilla.redhat.com/show_bug.cgi?id=1723118

Comment 1 Terje Røsten 2019-06-26 18:01:39 UTC
Wow! The problem is deeper. 

For some horrible reason the most important config file in the SELinux area, /etc/selinux/config,
is not shipped as a regular file in the package; it's created by the %post script of selinux-policy.

This is not a sane design.

For starters, it's not possible to have a strict order of %post scripts in RPM; you can't say:
 run the %post script for package A before the %post script for package B in a package install transaction.

The current design is, in other words, racy and can't be fixed by any RPM Requires/Requires(foo) statements.

One solution is to wrap all "source /etc/selinux/config" statements like this:

if [ -e /etc/selinux/config ]; then
  source /etc/selinux/config
fi

Ugly, however the current design has no guarantee that /etc/selinux/config exists, hence all scripts
must work without it.

Comment 2 Terje Røsten 2019-07-02 06:11:11 UTC
See also:
 https://fedoraproject.org/wiki/Features/LimitScriptletUsage

Comment 3 Terje Røsten 2019-07-04 18:43:48 UTC
Created attachment 1587456 [details]
Protect sourcing of /etc/selinux/config

    /etc/selinux/config might be missing[1]: protect all scripts for this
    problem.
    
    Protection is required as a failure in scriptlet will cause havoc in a
    (possibly) large package set install or upgrade transactions.
    
    [1]: /etc/selinux/config is not shipped as a normal file, it's created
    by the selinux-policy %post scriptlet. There is no way for other packages to
    make sure their post scriptlets are run before the selinux-policy post
    scriptlets are done executing. If selinux-policy is large and slow,
    creation of the required file will happen after other packages' scripts need
    it. With the current design it's not possible to handle the race condition
    without the protection added here.
    
    The "solution" here is just a stop gap to reduce impact.
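A guarded version of the scriptlet logic discussed in comments 1 and 3, written as an added example (not code from the attached patch or from the selinux-policy package): it reads SELINUXTYPE with sed instead of sourcing the file as shell code, so a missing /etc/selinux/config makes the policy-load step a no-op rather than a scriptlet failure. The config path and the selinuxenabled result are parameters (an assumption for testing on a scratch file) rather than the fixed /etc/selinux/config and /usr/sbin/selinuxenabled the real scriptlet uses.

```shell
#!/bin/sh
# Added example, not from the bug or the selinux-policy package.
# Mirrors the "[ SELINUXTYPE = targeted ] && selinuxenabled && load_policy"
# step of the -targeted %post, but tolerates the race from comment 1 where
# /etc/selinux/config has not been created yet.

# Print the SELINUXTYPE value from a config file without sourcing it.
# Returns 1 (prints nothing) if the file or the key is missing, so a
# caller never aborts the scriptlet on a missing config.
selinux_type_from_config() {
    cfg="$1"
    [ -r "$cfg" ] || return 1
    # Last "SELINUXTYPE=value" line wins, as it would when sourced.
    val=$(sed -n 's/^SELINUXTYPE=[[:space:]]*//p' "$cfg" | tail -n 1)
    [ -n "$val" ] || return 1
    printf '%s\n' "$val"
}

# Decide whether the -targeted %post should call load_policy.
# $1: config path; $2: exit status of selinuxenabled (0 = enabled).
# Returns 0 only when the configured type is "targeted" AND SELinux is
# enabled; missing config => 1, i.e. skip load_policy, do not fail.
should_load_targeted_policy() {
    cfg="$1"; enabled="$2"
    type=$(selinux_type_from_config "$cfg") || return 1
    [ "$type" = targeted ] && [ "$enabled" -eq 0 ]
}

# Stand-alone demo on a constructed config file (hypothetical path).
if [ "${0##*/}" = "guarded-post.sh" ]; then
    tmp=$(mktemp)
    printf 'SELINUX=enforcing\nSELINUXTYPE=targeted\n' > "$tmp"
    should_load_targeted_policy "$tmp" 0 && echo "would run load_policy"
    should_load_targeted_policy /nonexistent/config 0 || echo "config missing: skipped, exit 0"
    rm -f "$tmp"
fi
```

Because the decision and the file read are separate functions, the same guard can be reused by other packages' %post macros that currently source the file directly.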

Comment 4 Terje Røsten 2019-08-22 17:18:01 UTC
ping? 

I still hit this bug when installing Fedora 30 via kickstart. 

Can you at least merge the attached patch to reduce impact of the problem?

Comment 5 Terje Røsten 2019-09-16 16:17:58 UTC
Ping?

Comment 7 Terje Røsten 2019-10-28 19:32:00 UTC
Ok, so history repeats itself. Now I can't install Fedora 31 due to this problem; the install fails
with:

  DNF error: Error in POSTIN scriptlet in rpm package flatpak-selinux

See:
 http://web.phys.ntnu.no/~terjeros/selinux-makes-fedora-31-install-to-fail.png

Is selinux-policy maintained in Fedora these days or should users avoid SELinux completely?

Comment 8 Terje Røsten 2019-10-28 19:41:13 UTC
In packaging.log in the failed install I see:

 20:21:35,246 ERR dnf.rpm: Error in POSTIN scriptlet in rpm package flatpak-selinux
 20:21:35,674 ERR dnf.rpm: Error in POSTIN scriptlet in rpm package selinux-policy-targeted

Comment 9 Ben Cotton 2019-10-31 18:43:41 UTC
This message is a reminder that Fedora 29 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora 29 on 2019-11-26.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
Fedora 'version' of '29'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 29 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged to change the 'version' to a later Fedora 
version prior to this bug being closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 10 Terje Røsten 2019-10-31 18:58:05 UTC
Sorry for the rant. Updated PR against master:
 
 https://src.fedoraproject.org/rpms/selinux-policy/pull-request/23

Tested on Fedora 31, works fine here.

Comment 11 Lukas Vrabec 2019-11-01 12:02:28 UTC
Hi, 
Could you please create PR here: 
https://github.com/fedora-selinux/selinux-policy-macros ? 

We're trying to keep it in separate repository. 

Thank you.

Comment 12 Orion Poplawski 2019-11-02 15:06:39 UTC
So, to correct something:

- the selinux-policy-base providers (-targeted, -mls, and -minimum) have:

Requires(pre): selinux-policy = %{version}-%{release}
         ^^^
         NOT post

flatpak-selinux incorrectly has (PR in progress https://src.fedoraproject.org/rpms/flatpak/pull-request/5):

Requires(post): selinux-policy

instead of

Requires(post): selinux-policy-base

 I'm still not entirely convinced that that creates a contract that selinux-policy's %post script will be run before the flatpak-selinux's %post script, but hopefully in practice it won't matter.

Comment 13 Lukas Vrabec 2019-11-03 14:04:35 UTC
Hi Orion, 

PR merged, thank you. For the flatpak issue, please let's continue in a different ticket. 

Thanks,
Lukas.

Comment 14 Panu Matilainen 2019-11-04 09:35:29 UTC
Um, guys. Looking at the package dependencies:
[root@lumikko-w ~]# rpm -qv --requires selinux-policy-targeted|grep selinux-policy
config: config(selinux-policy-targeted) = 3.14.4-39.fc31
manual: selinux-policy = 3.14.4-39.fc31
pre: selinux-policy = 3.14.4-39.fc31

It's all there already.

If selinux-policy-targeted is getting installed before selinux-policy despite this, there's a dependency loop tangle that needs unravelling, fiddling with pre/post does not make any difference.

Comment 15 Ian Donaldson 2019-12-05 06:04:43 UTC
Somebody should update version to 31.. (can't see how)

Comment 16 Fedora Admin XMLRPC Client 2020-01-23 16:24:14 UTC
This package has changed maintainer in Fedora.
Reassigning to the new maintainer of this component.

Comment 17 Ben Cotton 2020-04-30 20:15:19 UTC
This message is a reminder that Fedora 30 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora 30 on 2020-05-26.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
Fedora 'version' of '30'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 30 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged to change the 'version' to a later Fedora 
version prior to this bug being closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 18 Ian Donaldson 2020-05-01 00:29:59 UTC
Somebody should update version to 31.. (can't see how)

Comment 19 Ian Donaldson 2020-05-01 00:30:20 UTC
Somebody should update version to 31.. (can't see how)

Comment 20 Ian Donaldson 2020-06-04 05:17:04 UTC
Looks like a similar issue exists in the fc32 kickstart too.

kickstart falls over with this at the end of packaging.log:

5:09:39,769 INF packaging: Configuring (running scriptlet for): pipewire-0.3.5-1.fc32.x86_64 1589199612 f294c0b5d0093e4980023868970cf5040ed55303e5ae8e6c6c79d5a7334a4b66
15:09:40,210 INF packaging: Installed: pipewire-0.3.5-1.fc32.x86_64 1589199612 f294c0b5d0093e4980023868970cf5040ed55303e5ae8e6c6c79d5a7334a4b66
15:09:40,255 INF packaging: Installed: flatpak-selinux-1.6.3-1.fc32.noarch 1585577922 f2e785c3e598b11f1d9a9c4c890c42471c7af4d5d0520c37af6a69fa276e6d10
15:09:40,269 INF packaging: Configuring (running scriptlet for): flatpak-selinux-1.6.3-1.fc32.noarch 1585577922 f2e785c3e598b11f1d9a9c4c890c42471c7af4d5d0520c37af6a69fa276e6d10
15:09:40,304 INF packaging: Configuring (running scriptlet for): selinux-policy-targeted-3.14.5-38.fc32.noarch 1588673432 7590c5258bdf8a6527701d63b66202ceb62571309a9cd313e3b323872882e4d1
15:09:40,329 INF packaging: Installed: selinux-policy-targeted-3.14.5-38.fc32.noarch 1588673432 7590c5258bdf8a6527701d63b66202ceb62571309a9cd313e3b323872882e4d1
15:09:42,000 INF packaging: Configuring (running scriptlet for): selinux-policy-targeted-3.14.5-38.fc32.noarch 1588673432 7590c5258bdf8a6527701d63b66202ceb62571309a9cd313e3b323872882e4d1
15:09:42,025 ERR dnf.rpm: Error in POSTIN scriptlet in rpm package selinux-policy-targeted

I'm attaching my kickstart file, cut down to minimal, and what caused the above.

Comment 21 Ian Donaldson 2020-06-04 05:17:48 UTC
Created attachment 1694969 [details]
kickstart config for fc32

Comment 22 Ian Donaldson 2020-06-04 05:18:39 UTC
Can somebody update the version to 32 please.

Comment 23 Ian Donaldson 2020-06-04 08:53:42 UTC
Some more debugging... just tweaking %packages...

# this works:

%packages
@standard
@base-x
@kde-desktop
@kde-media
@kde-office
%end

# this fails:
%packages
@standard
@base-x
@gnome-desktop
@kde-desktop
@kde-media
@kde-office
%end

# this works:
%packages
@standard
@base-x
@gnome-desktop
%end

so the issue seems to be triggered by some packages installed when both kde and gnome desktops are selected.

Comment 24 Jason Montleon 2020-08-15 01:42:39 UTC
This happens to me in Fedora 32 if I enable the updates repo in my kickstart for install. If I don't include updates I can get through the installation without error.

Comment 25 Fedora Program Management 2021-04-29 17:14:22 UTC
This message is a reminder that Fedora 32 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora 32 on 2021-05-25.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
Fedora 'version' of '32'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 32 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged to change the 'version' to a later Fedora 
version prior to this bug being closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 26 Ben Cotton 2021-05-25 18:09:57 UTC
Fedora 32 changed to end-of-life (EOL) status on 2021-05-25. Fedora 32 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.
