Originally reported at https://github.com/SELinuxProject/selinux/issues/201

Description of problem:

    # dnf install toolbox
    ...
      Installing       : container-selinux-2:2.117.0-1.gitbfde70a.fc31.noarch 1/7
      Running scriptlet: container-selinux-2:2.117.0-1.gitbfde70a.fc31.noarch 1/7
    libsepol.context_from_record: type speech_dispatcher_log_t is not defined
    libsepol.context_from_record: could not create context structure
    libsepol.context_from_string: could not create context structure
    libsepol.sepol_context_to_sid: could not convert system_u:object_r:speech_dispatcher_log_t:s0 to sid
    invalid context system_u:object_r:speech_dispatcher_log_t:s0

    # rpm -q selinux-policy
    selinux-policy-3.14.4-37.fc31

    # dnf update selinux-policy
    ...

    # semodule -B
    Conflicting name type transition rules
    Binary policy creation failed at /var/lib/selinux/targeted/tmp/modules/200/container/cil:1784
    Failed to generate binary
    semodule: Failed!
Also please consider merging https://src.fedoraproject.org/rpms/container-selinux/pull-request/2
It seems to be fixed when both container-selinux-2.124.0-3.fc31.noarch and selinux-policy-3.14.4-45.fc31.noarch are installed.

There's a hardcoded selinux-version in the .spec file:

    # Version of SELinux we were using
    %global selinux_policyver 3.14.4-43

selinux-policy provides the /usr/lib/rpm/macros.d/macros.selinux-policy file with the %_selinux_policy_version macro set to the version of the installed policy, e.g.

    %_selinux_policy_version 3.14.4-45.fc31

Would it make sense to use the selinux-policy macro instead of %{selinux_policyver} in the specfile to prevent this sort of bug?
The issue is caused by

    (typetransition init_t container_var_lib_t dir "atomic" container_share_t)

being defined by both selinux-policy-targeted and container-selinux, using container_filetrans_named_content(named_filetrans_domain) and container_filetrans_named_content(init_t) respectively.

The typetransition definition inside container_filetrans_named_content was changed from

    filetrans_pattern($1, container_var_lib_t, container_share_t, dir, "atomic")

to

    filetrans_pattern($1, container_var_lib_t, container_ro_file_t, dir, "atomic")

in both packages. Mismatching definitions (older selinux-policy-targeted with newer container-selinux or vice versa) led to the reported error message (even though the older type name is kept as an alias of the newer).

I agree with Petr that the selinux_requires macro should be used (it would at least rule out installing an older selinux-policy* package and an updated container-selinux).
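The conflict described in the comment above, as an added example that is not part of the original report or of either package: a small Python check that expands attribute sources in CIL text and reports named type transitions that resolve to different result types across modules. The two CIL fragments, the attribute membership, the module names `base` and `container`, and the helper names are constructed for illustration; result type names are compared literally, and only flat `typeattributeset` member lists are handled.

```python
import re
from collections import defaultdict

# Constructed CIL fragments modelled on the rule quoted in the report:
# the base policy still uses the old result type, the module uses the new one.
BASE_POLICY = '''
(typeattributeset named_filetrans_domain (init_t unconfined_t))
(typetransition named_filetrans_domain container_var_lib_t dir "atomic" container_share_t)
'''
CONTAINER_MODULE = '''
(typetransition init_t container_var_lib_t dir "atomic" container_ro_file_t)
'''

# Simplified patterns: flat attribute member lists and named transitions only.
ATTR_RE = re.compile(r'\(typeattributeset\s+(\S+)\s+\(([^()]*)\)\)')
TT_RE = re.compile(
    r'\(typetransition\s+(\S+)\s+(\S+)\s+(\S+)\s+"([^"]+)"\s+([^\s()]+)\)')

def named_transitions(modules):
    """Map (source, target, class, name) -> {result type: [module names]}."""
    members = defaultdict(set)
    for text in modules.values():
        for attr, types in ATTR_RE.findall(text):
            members[attr].update(types.split())
    rules = defaultdict(lambda: defaultdict(list))
    for mod, text in modules.items():
        for src, tgt, cls, name, result in TT_RE.findall(text):
            # Expand attributes so a rule on named_filetrans_domain is
            # compared with a rule written directly on init_t.
            for s in sorted(members.get(src, {src})):
                for t in sorted(members.get(tgt, {tgt})):
                    rules[(s, t, cls, name)][result].append(mod)
    return rules

def conflicts(modules):
    """Return only the keys that map to more than one result type."""
    return {key: dict(results)
            for key, results in named_transitions(modules).items()
            if len(results) > 1}

if __name__ == "__main__":
    found = conflicts({"base": BASE_POLICY, "container": CONTAINER_MODULE})
    for key, results in found.items():
        print("conflict", key, results)
```
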
FEDORA-2020-d1cc5d6ad5 has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-d1cc5d6ad5
FEDORA-2020-a47b0b3f8f has been submitted as an update to Fedora 33. https://bodhi.fedoraproject.org/updates/FEDORA-2020-a47b0b3f8f
PTAL: https://src.fedoraproject.org/rpms/container-selinux/c/73908e2eb9ee79a1e611e80a6bcd7201f0f1eb29?branch=f32
FEDORA-2020-d1cc5d6ad5 has been pushed to the Fedora 32 testing repository. In a short time you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-d1cc5d6ad5` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-d1cc5d6ad5 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2020-a47b0b3f8f has been pushed to the Fedora 33 testing repository. In a short time you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-a47b0b3f8f` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-a47b0b3f8f See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2020-d1cc5d6ad5 has been pushed to the Fedora 32 stable repository. If the problem still persists, please make note of it in this bug report.
FEDORA-2020-a47b0b3f8f has been pushed to the Fedora 33 stable repository. If the problem still persists, please make note of it in this bug report.