Bug 2042520 - Podman run stopped working after selinux-policy package upgrade
Summary: Podman run stopped working after selinux-policy package upgrade
Keywords:
Status: CLOSED DUPLICATE of bug 2042369
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 35
Hardware: x86_64
OS: Linux
high
medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2022-01-19 16:24 UTC by Mateusz Mojsiejuk
Modified: 2022-01-21 09:54 UTC (History)
11 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-01-21 09:54:11 UTC
Type: Bug
Embargoed:


Attachments (Terms of Use)

Description Mateusz Mojsiejuk 2022-01-19 16:24:56 UTC
Description of problem:

After doing a sudo dnf upgrade I'm no longer able to build or run containers with podman

Disabling selinux alleviates the issue.


Version-Release number of selected component (if applicable):


How reproducible:
100% 



Steps to Reproduce:
1. podman run -ti ubuntu:latest echo "hello world"

2.  Empty output


Actual results:
(no output is give it just exits to shell cleanly with 0 as exit code)


Expected results:
tomodachi@delacroix ~ $ podman run -ti ubuntu:latest echo "hello world"
hello world

Additional info:
dnf history of upgraded packages that I suspect are the culprits.
plz also check the scriptlet output error seen below.
===============


    Upgrade  selinux-policy-35.10-1.fc35.noarch                      @updates
    Upgraded selinux-policy-35.9-1.fc35.noarch                       @@System
    Upgrade  selinux-policy-targeted-35.10-1.fc35.noarch             @updates
    Upgraded selinux-policy-targeted-35.9-1.fc35.noarch              @@System
    Upgrade  strace-5.16-1.fc35.x86_64                               @updates
    Upgraded strace-5.15-1.fc35.x86_64                               @@System
Scriptlet output:
   1 Problems processing filecon rules
   2 Failed post db handling
   3 Post process failed
   4 /usr/sbin/semodule:  Failed!


======
tomodachi@delacroix ~ $ uname -a
Linux delacroix 5.15.14-200.fc35.x86_64 #1 SMP Tue Jan 11 16:49:27 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

Comment 1 Mateusz Mojsiejuk 2022-01-19 16:42:48 UTC
This seems to affect other Things depending on selinux as well.

For example flatpak upgrade failed with:


Warning: Failed to get revokefs-fuse socket from system-helper: Could not activate remote peer.
Warning: Could not activate remote peer.
Warning: Failed to get revokefs-fuse socket from system-helper: Could not activate remote peer.
Error: Could not activate remote peer.
Warning: Failed to get revokefs-fuse socket from system-helper: Could not activate remote peer.
Warning: Could not activate remote peer.
Warning: Failed to get revokefs-fuse socket from system-helper: Could not activate remote peer.
Error: Could not activate remote peer.



When Selinux was disabled it worked again

Comment 2 Zdenek Pytela 2022-01-19 17:31:01 UTC
Please update to selinux-policy-35.11-1 and let me know if the problems persist.

Comment 3 Alessandro Bruni 2022-01-19 18:20:34 UTC
I can confirm this fixes the issue for me (downloaded from the koji build server as packages are not yet available on repos)

Comment 4 Lorenzo Prosseda 2022-01-19 23:28:53 UTC
@Alessandro Bruni

Hi, may I ask you to describe the procedure you attempted to obtain and install the RPM package selinux-policy-35.11-1 from the Koji build system website?

I tried to get the 'noarch' variant directly ay the URL https://kojipkgs.fedoraproject.org//packages/selinux-policy/35.11/1.fc35/noarch/selinux-policy-35.11-1.fc35.noarch.rpm, then I launched dnf to install it with the following command:

dnf install ./selinux-policy-35.11-1.fc35.noarch.rpm

However, the installation fails on a missing dependency, that I am not able to find on the Koji website, nor on the testing repositories for Fedora:
Error: 
 Problem: conflicting requests
  - nothing provides selinux-policy-any = 35.11-1.fc35 needed by selinux-policy-35.11-1.fc35.noarch
(try to add '--skip-broken' to skip uninstallable packages)

Thanks for the patience, I'm sure it will be useful to others to find a quick solution down here.

Comment 5 Mathieu Chouquet-Stringer 2022-01-19 23:38:00 UTC
Run rpm -qa selinux-policy* on your system and it'll tell you which others you need.

Most likely targeted and another one I can't remember on top of my head.

Files are here https://koji.fedoraproject.org/koji/buildinfo?buildID=1879547

Comment 6 Lorenzo Prosseda 2022-01-19 23:46:10 UTC
(In reply to Mathieu Chouquet-Stringer from comment #5)
> Run rpm -qa selinux-policy* on your system and it'll tell you which others
> you need.
> 
> Most likely targeted and another one I can't remember on top of my head.
> 
> Files are here https://koji.fedoraproject.org/koji/buildinfo?buildID=1879547

By running the command you showed me, I see that I have the following packages installed:
selinux-policy-35.10-1.fc35.noarch
selinux-policy-targeted-35.10-1.fc35.noarch

However, dnf and also rpm commands refuse to install both RPMs, because selinux-policy-targeted depends on selinux-policy, and selinux-policy depends on the "bogus" selinux-policy-any that I cannot get from anywhere.

# dnf install ./selinux-policy-targeted-35.11-1.fc35.noarch.rpm 
Error: 
 Problem: conflicting requests
  - nothing provides selinux-policy = 35.11-1.fc35 needed by selinux-policy-targeted-35.11-1.fc35.noarch
(try to add '--skip-broken' to skip uninstallable packages)

# dnf install ./selinux-policy-35.11-1.fc35.noarch.rpm
Error: 
 Problem: conflicting requests
  - nothing provides selinux-policy-any = 35.11-1.fc35 needed by selinux-policy-35.11-1.fc35.noarch
(try to add '--skip-broken' to skip uninstallable packages)

I can assume, based on the answers given above, that I'm the only one stuck on a dependency like this.

Comment 7 Mathieu Chouquet-Stringer 2022-01-19 23:52:22 UTC
You need to upgrade both at the same time, that's the only way to solve dependencies. IF package A depends on B and B on A..if you try to install A or B separately, that's not going to work.

dnf upgrade selinux-policy*35.11*

Comment 8 Mathieu Chouquet-Stringer 2022-01-20 00:00:58 UTC
And you can see selinux-policy-targeted is provided the "any" package by running rpm -qp --provides selinux-policy-targeted-35.11-1.fc35.noarch.rpm.

The way it works is selinux-policy requires a policy, because there are multiple ones, the policy packages provides the "any" policy so selinux-policy is happy...

For instance selinux-policy-minimum also provides "any":

%rpm -qp --provides selinux-policy-minimum-35.11-1.fc35.noarch.rpm
config(selinux-policy-minimum) = 35.11-1.fc35
selinux-policy-any = 35.11-1.fc35
selinux-policy-minimum = 35.11-1.fc35

Comment 9 Lorenzo Prosseda 2022-01-20 00:16:30 UTC
(In reply to Mathieu Chouquet-Stringer from comment #8)

That makes sense and moreover it works as you described:

(from the directory where I dowloaded both RPMs)
# dnf upgrade selinux-policy*35.11*
Dependencies resolved.
===============================================================================================================================================================
 Package                                        Architecture                  Version                                Repository                           Size
===============================================================================================================================================================
Upgrading:
 selinux-policy                                 noarch                        35.11-1.fc35                           @commandline                         70 k
 selinux-policy-targeted                        noarch                        35.11-1.fc35                           @commandline                        6.4 M

Transaction Summary
===============================================================================================================================================================
Upgrade  2 Packages

Total size: 6.4 M
Is this ok [y/N]:

After the installation I was able to run containers as root and non-root users:

# podman run hello-world:latest 

Hello from Docker!

Thanks @mathieu-acct for explaining the use of dnf package manager with local dependant RPMs

Comment 10 Mateusz Mojsiejuk 2022-01-20 09:14:24 UTC
I found that running sudo dnf downgrade selinux-policy
rolling back to the previous version alleviated the issue until a fix / update hits the mirrors.

Comment 11 Mateusz Mojsiejuk 2022-01-21 08:54:54 UTC
@zpytela 

After installing the selinux-policy-35.11-1 the problem is fixed
Thanks!

Comment 12 Zdenek Pytela 2022-01-21 09:54:11 UTC
I believe any problems like this should be resolved with selinux-policy-35.11-1.fc35 or newer.
Downgrading to selinux-policy-35.9-1.fc35 is also a possible approach.

I am going to close this BZ now, please let me know again or create a new bz in case of outstanding problems.

*** This bug has been marked as a duplicate of bug 2042369 ***


Note You need to log in before you can comment on or make changes to this bug.