2051012 – [RHEL 9 Beta] can't update flatpak with "error: Plugin selinux: hook fsm_file_prepare failed".

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 2051012 - [RHEL 9 Beta] can't update flatpak with "error: Plugin selinux: hook fsm_file_prepare failed".

Summary: [RHEL 9 Beta] can't update flatpak with "error: Plugin selinux: hook fsm_file...

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Red Hat Enterprise Linux 9
Classification:	Red Hat
Component:	flatpak
Sub Component:
Version:	9.0
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Debarshi Ray
QA Contact:	Martin Krajnak
Docs Contact:
URL:	http//
Whiteboard:
Depends On:
Blocks:	2010412
TreeView+	depends on / blocked

Reported:	2022-02-05 18:20 UTC by rcheerla
Modified:	2023-04-27 13:04 UTC (History)
CC List:	12 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2022-07-22 12:50:07 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	RHELPLAN-111234	0	None	None	None	2022-02-05 18:21:59 UTC

Description rcheerla 2022-02-05 18:20:35 UTC

Description of problem: Unable to install/update the latest version flatpak. 

Version-Release number of selected component (if applicable):

uname -r
5.14.0-53.el9.x86_64
flatpak = 1.10.2-6.el9 -> flatpak = 1.10.7-1.el9


How reproducible: 100%


Steps to Reproduce:
1. installed the system with following distro "RHEL-9.0.0-20211121.6" 
2. Update the system to latest nightly build i.e 5.14.0-53.el9.x86_64
3. update failed for flatpak package, however rest of the packages updates successfully.

Actual results:

Failed:
  flatpak-1.10.2-6.el9.x86_64                            flatpak-1.10.7-1.el9.x86_64                           

Error: Transaction failed

Expected results:

Should update without fail.

Additional info:

Comment 1 rcheerla 2022-02-05 18:24:24 UTC

Hello Team,

I am suspecting some issue with the selinux context causing this issue.

Here is the complete error report.
~~~~~~~~~

Failed to resolve allow statement at /var/lib/selinux/targeted/tmp/modules/200/container/cil:373
Failed to resolve AST
/usr/sbin/semodule:  Failed!


Failed to resolve allow statement at /var/lib/selinux/targeted/tmp/modules/200/container/cil:373
Failed to resolve AST
/usr/sbin/semodule:  Failed!



Failed to resolve allow statement at /var/lib/selinux/targeted/tmp/modules/200/container/cil:373
Failed to resolve AST
/usr/sbin/semodule:  Failed!

  Running scriptlet: flatpak-1.10.7-1.el9.x86_64                                                        319/902 
  Upgrading        : flatpak-1.10.7-1.el9.x86_64                                                        319/902 
error: lsetfilecon: (/usr/libexec/flatpak-system-helper;61fe3cc4, system_u:object_r:flatpak_helper_exec_t:s0) Invalid argument
error: Plugin selinux: hook fsm_file_prepare failed

Error unpacking rpm package flatpak-1.10.7-1.el9.x86_64
  Upgrading        : python3-libcomps-0.1.18-1.el9.x86_64                                               320/902 
error: unpacking of archive failed on file /usr/libexec/flatpak-system-helper;61fe3cc4: cpio: (error 0x2)
error: flatpak-1.10.7-1.el9.x86_64: install failed

*****
Running transaction
  Preparing        :                                                                                        1/1 
  Running scriptlet: flatpak-1.10.7-1.el9.x86_64                                                            1/2 
  Upgrading        : flatpak-1.10.7-1.el9.x86_64                                                            1/2 
error: lsetfilecon: (/usr/libexec/flatpak-system-helper;61fea86c, system_u:object_r:flatpak_helper_exec_t:s0) Invalid argument
error: Plugin selinux: hook fsm_file_prepare failed

Error unpacking rpm package flatpak-1.10.7-1.el9.x86_64
  Verifying        : flatpak-1.10.7-1.el9.x86_64                                                            1/2 
  Verifying        : flatpak-1.10.2-6.el9.x86_64                                                            2/2 
Installed products updated.

Failed:
  flatpak-1.10.2-6.el9.x86_64                            flatpak-1.10.7-1.el9.x86_64                           

Error: Transaction failed

~~~~~~~~~~

Still reproducible after removing the existing flatpak and trying to install it again. 

Regards,
Raju

Comment 2 Debarshi Ray 2022-02-05 21:06:15 UTC

Are you missing a selinux-policy update?

This looks the same as what we recently saw in Fedora:
https://bugzilla.redhat.com/show_bug.cgi?id=1871337#c4

Unfortunately, I don't understand SELinux enough to be able to comprehend the difference between selinux-policy-35.11-1.fc35 and selinux-policy-35.10-1.fc35 from Fedora's dist-git logs.

Comment 3 rcheerla 2022-02-06 18:45:34 UTC

(In reply to Debarshi Ray from comment #2)
> Are you missing a selinux-policy update?

Nope, It was updated to selinux-policy-34.1.23-1.el9.noarch from selinux-policy-34.1.16-1.el9_b.noarch

In the latest nightly build I could see "selinux-policy-34.1.23-1.el9.noarch" is the latest one.

Comment 4 Debarshi Ray 2022-02-07 09:27:50 UTC

Hey Zdenek! Do you have any idea about this?

Comment 5 Debarshi Ray 2022-02-07 10:03:50 UTC

Does this bug really need to stay private?

Comment 6 Zdenek Pytela 2022-02-07 11:01:07 UTC

(In reply to Debarshi Ray from comment #4)
> Hey Zdenek! Do you have any idea about this?

Does this still happen with all packages updated? Were container-selinux or some other packages with their own selinux policy installed?

  $ rpm -qa "*selinux*"

Comment 7 Peter Hutterer 2022-02-14 05:45:05 UTC

Just updated a test box that's been sitting unused for a while and trying to update from flatpak-1.10.2-6.el9.x86_64 to flatpak-1.10.7-1.el9.x86_64 fails with

error: lsetfilecon: (/usr/libexec/flatpak-system-helper;6209eafb, system_u:object_r:flatpak_helper_exec_t:s0) Invalid argument
error: Plugin selinux: hook fsm_file_prepare failed

This is with all other packages successfully updated from http://download.devel.redhat.com/rhel-9/nightly/RHEL-9/latest-RHEL-9/ as of Feb 09 2022

$ rpm -qa "*selinux*"
container-selinux-2.167.0-1.module+el9beta+12444+200de489.noarch
libselinux-3.3-2.el9.x86_64
libselinux-utils-3.3-2.el9.x86_64
rpm-plugin-selinux-4.16.1.3-10.el9.x86_64
selinux-policy-34.1.24-1.el9.noarch
selinux-policy-targeted-34.1.24-1.el9.noarch
python3-libselinux-3.3-2.el9.x86_64
flatpak-selinux-1.10.7-1.el9.noarch


Otherwise this is a pretty vanilla test box.

Comment 8 Martin Krajnak 2022-02-14 07:10:30 UTC

hmm this is weird I am probably on the same list of packages, but my machine is active pretty much from early stages of RHEL9-ALPHA,
I will try this on vanilla machine and let you guys know.

$ rpm -qa "*selinux*"
container-selinux-2.167.0-1.module+el9.0.0+12467+378c8264.noarch
libselinux-3.3-2.el9.x86_64
libselinux-utils-3.3-2.el9.x86_64
python3-libselinux-3.3-2.el9.x86_64
tigervnc-selinux-1.11.0-20.el9.noarch
libselinux-devel-3.3-2.el9.x86_64
flatpak-selinux-1.10.7-1.el9.noarch
libselinux-debugsource-3.3-2.el9.x86_64
libselinux-debuginfo-3.3-2.el9.x86_64
rpm-plugin-selinux-4.16.1.3-10.el9.x86_64
selinux-policy-34.1.24-1.el9.noarch

Comment 9 rcheerla 2022-02-14 10:36:14 UTC

(In reply to Debarshi Ray from comment #5)
> Does this bug really need to stay private?

Nope I believe, if needed please make it public.

Comment 10 Debarshi Ray 2022-03-10 20:25:09 UTC

(In reply to rcheerla from comment #9)
> (In reply to Debarshi Ray from comment #5)
> > Does this bug really need to stay private?
> 
> Nope I believe, if needed please make it public.

Ok, done.

Comment 12 Martin Östlund 2022-03-17 09:23:04 UTC

This bug is affecting us. It hits us right after a doing a dnf upgrade on fresh install of RHEL9 Beta.
We are a RedHat partner and need to test our software on RHEL9 Beta before it goes GA.

Uninstalling podman to get rid of container-selinux works as a workaround for the moment.

Comment 13 jcastran 2022-03-17 12:17:32 UTC

Setting selinux to permissive also allows the update to complete.

   # setenforce 0
   # yum update flatpak -y

Comment 14 P D 2022-03-17 17:15:29 UTC

I have the same issue, but on Fedora 36 beta.

Comment 15 Samuel 2022-04-27 13:45:11 UTC

We're still seeing issues with this on the RHEL 9 beta after installing upgrades.

A freshly installed RHEL 9 beta VM works fine, but after running "dnf upgrade" the issues start happening.

What's the status on this? And what can we do to work around the issue at the moment? Not being able to install updates is not very nice.

Comment 16 Martin Krajnak 2022-04-27 15:35:14 UTC

I just installed the Beta compose RHEL-9.0.0-20211026.10 and I update all the way to RHEL-9.0.0-20220424.1, so the flatpak is updated as follows:

flatpak-1.10.2-6.el9.x86_64 -> flatpak-1.12.5-2.el9_0.x86_64

and without errors. I believe that the error is harmless since we were deleting the fedora-repos.service file in meantime:

  Running scriptlet: flatpak-1.10.2-6.el9.x86_64                                                                   638/1218 
Failed to set unit properties on flatpak-add-fedora-repos.service: Unit flatpak-add-fedora-repos.service not found


So my guess is that we don't have other option that it will be Fixed in GA. Please correct me if I am wrong.

Comment 17 Samuel 2022-05-18 12:38:11 UTC

I see the same issue on the proper Fedora 36 release as well.

Comment 18 Pierre Ossman 2022-05-20 09:32:10 UTC

This seems to work on RHEL 9 GA. Has this been fixed and this bugzilla entry was overlooked?

Comment 19 Martin Krajnak 2022-05-23 07:03:17 UTC

(In reply to Pierre Ossman from comment #18)
> This seems to work on RHEL 9 GA. Has this been fixed and this bugzilla entry
> was overlooked?

Hello Pierre, 

we thought that it will be fixed as I mentioned in Comment 16 (I made it public just now), where I tested it with pre-GA builds, 
but at this bug is affected by customers I wanted to wait for confirmation. Thanks for providing one for us :).

Comment 21 Tomas Popela 2022-07-22 12:50:07 UTC

Closing as per https://bugzilla.redhat.com/show_bug.cgi?id=2051012#c19

Comment 22 Debarshi Ray 2023-04-27 13:04:14 UTC

Many thanks for mopping this one up, Tomáš!

Note You need to log in before you can comment on or make changes to this bug.