Description of problem:
Running dnf update container-selinux fails

Version-Release number of selected component (if applicable):
rpm -qa | grep selinux
container-selinux-2.119.1-2.fc31.noarch
libselinux-2.9-5.fc31.x86_64
python3-libselinux-2.9-5.fc31.x86_64
libselinux-utils-2.9-5.fc31.x86_64
selinux-policy-3.14.4-42.fc31.noarch
flatpak-selinux-1.4.3-3.fc31.noarch
selinux-policy-targeted-3.14.4-42.fc31.noarch
tpm2-abrmd-selinux-2.1.0-3.fc31.noarch
rpm-plugin-selinux-4.15.1-1.fc31.x86_64
cockpit-selinux-207-1.fc31.noarch
pcp-selinux-5.0.1-1.fc31.x86_64

How reproducible:
Every time

Steps to Reproduce:
1. sudo dnf update container-selinux (or selinux-policy)

Actual results:
Running scriptlet: container-selinux-2:2.119.1-2.fc31.noarch 1/2
Conflicting name type transition rules
Binary policy creation failed at /var/lib/selinux/targeted/tmp/modules/200/container/cil:1786
Failed to generate binary
/usr/sbin/semodule: Failed!
/etc/selinux/targeted/contexts/files/file_contexts: invalid context system_u:object_r:container_var_lib_t:s0
Conflicting name type transition rules
Binary policy creation failed at /var/lib/selinux/targeted/tmp/modules/200/container/cil:1786
Failed to generate binary
semodule: Failed!
Running scriptlet: container-selinux-2:2.119.0-2.fc31.noarch 2/2
Conflicting name type transition rules
Binary policy creation failed at /var/lib/selinux/targeted/tmp/modules/200/container/cil:1786
Failed to generate binary
semodule: Failed!

Expected results:
dnf update succeeds

Additional info:
update package installed, but selinux is preventing any podman containers from running.
A PR has been sent to merge: https://github.com/containers/container-selinux/pull/84
Thanks for the prompt response. However, attempting to install the fc32 package that has been created following that merge on this fc31 system results in the following errors:

Upgrading : container-selinux-2:2.123.0-0.1.dev.git661a904.fc32 1/2
Running scriptlet: container-selinux-2:2.123.0-0.1.dev.git661a904.fc32 1/2
libsemanage.semanage_pipe_data: Child process /usr/libexec/selinux/hll/pp failed with code: 255. (No such file or directory).
container: libsepol.policydb_read: policydb module version 20 does not match my version range 4-19
container: libsepol.sepol_module_package_read: invalid module in module package (at section 0)
container: Failed to read policy package
libsemanage.semanage_direct_commit: Failed to compile hll files into cil files. (No such file or directory).
/usr/sbin/semodule: Failed!
Conflicting name type transition rules
Binary policy creation failed at /var/lib/selinux/targeted/tmp/modules/200/container/cil:1786
Failed to generate binary
semodule: Failed!
Running scriptlet: container-selinux-2:2.119.1-2.fc31.noarch 2/2
Conflicting name type transition rules
Binary policy creation failed at /var/lib/selinux/targeted/tmp/modules/200/container/cil:1786
Failed to generate binary
semodule: Failed!
Cleanup : container-selinux-2:2.119.1-2.fc31.noarch 2/2
Running scriptlet: container-selinux-2:2.119.1-2.fc31.noarch 2/2
Verifying : container-selinux-2:2.123.0-0.1.dev.git661a904.fc32 1/2
Verifying : container-selinux-2:2.119.1-2.fc31.noarch 2/2
Upgraded: container-selinux-2:2.123.0-0.1.dev.git661a904.fc32.noarch

selinux is still preventing podman from starting any containers.
James, On a F31 system please use the package built for F31 instead: https://bodhi.fedoraproject.org/updates/FEDORA-2019-edc1551b22
The build from that bodhi update (container-selinux-2:2.123.0-1.fc31.noarch) installs cleanly and appears to resolve the issues with starting podman. Thanks :)
Please update the karma.
Fixed in container-selinux-2:2.123.0-1.fc31
Closing, please reopen if issue isn't fixed.
Strangely enough, this has just appeared on one of my F35 boxes. Another one works fine. I think it may be caused by me previously installing a docker-ce.el8 package earlier. Is there a manual workaround to restore labels?
Wow, completely removing and reinstalling all of it shows other label issues. All of this even with selinux temporarily set to permissive. I'll dig some more and file a new issue if it's unrelated.

Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Running scriptlet: container-selinux-2:2.170.0-2.fc35.noarch 1/16
Installing : container-selinux-2:2.170.0-2.fc35.noarch 1/16
Running scriptlet: container-selinux-2:2.170.0-2.fc35.noarch 1/16
libsepol.context_from_record: type nx_server_var_run_t is not defined
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert system_u:object_r:nx_server_var_run_t:s0 to sid
invalid context system_u:object_r:nx_server_var_run_t:s0
Failed to commit changes to booleans: Success
Problems processing filecon rules
Failed post db handling
Post process failed
/usr/sbin/semodule: Failed!
/etc/selinux/targeted/contexts/files/file_contexts: invalid context system_u:object_r:container_var_lib_t:s0
Problems processing filecon rules
Failed post db handling
Post process failed
semodule: Failed!
Please open a new bugzilla, do not add to old bugzilla. You might need to update selinux-policy as well.
This issue usually occurs after upgrading systems.
Solution: https://help.eset.com/efs/8.1/en-US/upgrade-fails-selinux.html

1. Remove all trouble-making modules
   sudo semodule --priority=200 -r container
2. Reinstall SELinux packages and rebuild the policy
   sudo dnf reinstall selinux-policy container-selinux
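
The failing path in the scriptlet output quoted in this report (.../tmp/modules/200/container/cil:1786) names the priority and module that the workaround above removes. The following shell snippet is an added example, not part of any comment in this report: it extracts that pair from saved dnf output and prints the matching commands without running them. The function names are made up for illustration, and the sample log is constructed from the output quoted above.

```shell
#!/bin/sh
# Added example: map "Binary policy creation failed" lines from a dnf scriptlet
# log to the semodule priority and module involved, then print (not run) the fix.

# Constructed sample input, modelled on the output quoted in this report.
sample_log() {
cat <<'EOF'
Running scriptlet: container-selinux-2:2.119.1-2.fc31.noarch 1/2
Conflicting name type transition rules
Binary policy creation failed at /var/lib/selinux/targeted/tmp/modules/200/container/cil:1786
Failed to generate binary
/usr/sbin/semodule: Failed!
Conflicting name type transition rules
Binary policy creation failed at /var/lib/selinux/targeted/tmp/modules/200/container/cil:1786
Failed to generate binary
semodule: Failed!
EOF
}

# Print unique "<priority> <module>" pairs named in build-failure lines (stdin).
failing_modules() {
    sed -n 's|.*Binary policy creation failed at .*/modules/\([0-9][0-9]*\)/\([^/][^/]*\)/cil:[0-9][0-9]*.*|\1 \2|p' | sort -u
}

# Succeed if the log on stdin shows semodule failing at all.
policy_build_failed() {
    grep -Eq '(^|/)semodule: +Failed!'
}

# Return 1 if no failure was logged, 2 if a failure names no module (inspect by
# hand); otherwise print one removal command per module plus the reinstall step.
suggest_fix() {
    log=$(cat)
    printf '%s\n' "$log" | policy_build_failed || return 1
    mods=$(printf '%s\n' "$log" | failing_modules)
    [ -n "$mods" ] || return 2
    printf '%s\n' "$mods" | while read -r prio mod; do
        printf 'sudo semodule --priority=%s -r %s\n' "$prio" "$mod"
    done
    printf 'sudo dnf reinstall selinux-policy container-selinux\n'
}

# Demonstration on the constructed sample; pipe a saved dnf log in instead.
sample_log | suggest_fix
```

A log such as the F35 one above, where semodule fails on filecon rules without a "Binary policy creation failed" line, makes suggest_fix return 2 rather than guess a module.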