Description of problem:

When trying to install selinux-policy-targeted or container-selinux on F36, dnf is reporting semodule errors that break all container-related components.

$ sudo dnf reinstall selinux-policy-targeted
Last metadata expiration check: 0:06:08 ago on Mon 28 Mar 2022 01:48:45 PM EDT.
Dependencies resolved.
================================================================================
 Package                   Architecture   Version       Repository   Size
================================================================================
Reinstalling:
 selinux-policy-targeted   noarch         36.5-1.fc36   fedora       6.3 M

Transaction Summary
================================================================================

Total download size: 6.3 M
Installed size: 17 M
Is this ok [y/N]: y
Downloading Packages:
selinux-policy-targeted-36.5-1.fc36.noarch.rpm     6.9 MB/s | 6.3 MB     00:00
--------------------------------------------------------------------------------
Total                                              4.9 MB/s | 6.3 MB     00:01
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Running scriptlet: selinux-policy-targeted-36.5-1.fc36.noarch    1/1
  Preparing        :                                               1/1
  Running scriptlet: selinux-policy-targeted-36.5-1.fc36.noarch    1/2
  Reinstalling     : selinux-policy-targeted-36.5-1.fc36.noarch    1/2
  Running scriptlet: selinux-policy-targeted-36.5-1.fc36.noarch    1/2
Failed to resolve allow statement at /var/lib/selinux/targeted/tmp/modules/200/container/cil:1263
Failed to resolve AST
/usr/sbin/semodule: Failed!
  Cleanup          : selinux-policy-targeted-36.5-1.fc36.noarch    2/2
  Running scriptlet: selinux-policy-targeted-36.5-1.fc36.noarch    2/2
  Verifying        : selinux-policy-targeted-36.5-1.fc36.noarch    1/2
  Verifying        : selinux-policy-targeted-36.5-1.fc36.noarch    2/2

Reinstalled:
  selinux-policy-targeted-36.5-1.fc36.noarch

Complete!

$ sudo dnf reinstall container-selinux
Last metadata expiration check: 0:09:39 ago on Mon 28 Mar 2022 01:48:45 PM EDT.
Dependencies resolved.
================================================================================
 Package             Architecture   Version            Repository   Size
================================================================================
Reinstalling:
 container-selinux   noarch         2:2.180.0-1.fc36   fedora       50 k

Transaction Summary
================================================================================

Total download size: 50 k
Installed size: 54 k
Is this ok [y/N]: y
Downloading Packages:
container-selinux-2.180.0-1.fc36.noarch.rpm        119 kB/s |  50 kB     00:00
--------------------------------------------------------------------------------
Total                                               17 kB/s |  50 kB     00:02
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                               1/1
  Running scriptlet: container-selinux-2:2.180.0-1.fc36.noarch     1/2
  Reinstalling     : container-selinux-2:2.180.0-1.fc36.noarch     1/2
  Running scriptlet: container-selinux-2:2.180.0-1.fc36.noarch     1/2
Failed to resolve allow statement at /var/lib/selinux/targeted/tmp/modules/200/snappy/cil:305
Failed to resolve AST
/usr/sbin/semodule: Failed!
  Cleanup          : container-selinux-2:2.180.0-1.fc36.noarch     2/2
  Running scriptlet: container-selinux-2:2.180.0-1.fc36.noarch     2/2
  Verifying        : container-selinux-2:2.180.0-1.fc36.noarch     1/2
  Verifying        : container-selinux-2:2.180.0-1.fc36.noarch     2/2

Reinstalled:
  container-selinux-2:2.180.0-1.fc36.noarch

Complete!
I also tried removing selinux-policy and reinstalling but with the same errors. It looks like most of the other module errors point back to container-selinux.

$ sudo dnf install container-selinux
Last metadata expiration check: 0:14:24 ago on Mon 28 Mar 2022 01:48:45 PM EDT.
Dependencies resolved.
================================================================================
 Package                   Architecture   Version            Repository   Size
================================================================================
Installing:
 container-selinux         noarch         2:2.180.0-1.fc36   fedora       50 k
Installing dependencies:
 flatpak-selinux           noarch         1.12.6-1.fc36      fedora       22 k
 rpm-plugin-selinux        x86_64         4.17.0-10.fc36     fedora       21 k
 selinux-policy            noarch         36.5-1.fc36        fedora       71 k
 selinux-policy-targeted   noarch         36.5-1.fc36        fedora       6.3 M
 smartmontools-selinux     noarch         1:7.2-12.fc36      fedora       23 k

Transaction Summary
================================================================================
Install  6 Packages

Total download size: 6.5 M
Installed size: 18 M
Is this ok [y/N]: y
Downloading Packages:
(1/6): flatpak-selinux-1.12.6-1.fc36.noarch.rpm           39 kB/s |  22 kB     00:00
(2/6): rpm-plugin-selinux-4.17.0-10.fc36.x86_64.rpm       34 kB/s |  21 kB     00:00
(3/6): container-selinux-2.180.0-1.fc36.noarch.rpm        81 kB/s |  50 kB     00:00
(4/6): smartmontools-selinux-7.2-12.fc36.noarch.rpm      267 kB/s |  23 kB     00:00
(5/6): selinux-policy-36.5-1.fc36.noarch.rpm             412 kB/s |  71 kB     00:00
(6/6): selinux-policy-targeted-36.5-1.fc36.noarch.rpm     10 MB/s | 6.3 MB     00:00
--------------------------------------------------------------------------------
Total                                                    4.4 MB/s | 6.5 MB     00:01
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Running scriptlet: selinux-policy-targeted-36.5-1.fc36.noarch    1/1
  Preparing        :                                               1/1
  Installing       : rpm-plugin-selinux-4.17.0-10.fc36.x86_64      1/6
  Installing       : selinux-policy-36.5-1.fc36.noarch             2/6
  Running scriptlet: selinux-policy-36.5-1.fc36.noarch             2/6
  Running scriptlet: selinux-policy-targeted-36.5-1.fc36.noarch    3/6
  Installing       : selinux-policy-targeted-36.5-1.fc36.noarch    3/6
  Running scriptlet: selinux-policy-targeted-36.5-1.fc36.noarch    3/6
Failed to resolve allow statement at /var/lib/selinux/targeted/tmp/modules/200/container/cil:1263
Failed to resolve AST
/usr/sbin/semodule: Failed!
  Running scriptlet: container-selinux-2:2.180.0-1.fc36.noarch     4/6
  Installing       : container-selinux-2:2.180.0-1.fc36.noarch     4/6
  Running scriptlet: container-selinux-2:2.180.0-1.fc36.noarch     4/6
Failed to resolve allow statement at /var/lib/selinux/targeted/tmp/modules/200/container/cil:1263
Failed to resolve AST
Failed to commit changes to booleans: Success
Failed to resolve allow statement at /var/lib/selinux/targeted/tmp/modules/200/snappy/cil:305
Failed to resolve AST
/usr/sbin/semodule: Failed!
  Running scriptlet: smartmontools-selinux-1:7.2-12.fc36.noarch    5/6
  Installing       : smartmontools-selinux-1:7.2-12.fc36.noarch    5/6
  Running scriptlet: smartmontools-selinux-1:7.2-12.fc36.noarch    5/6
Failed to resolve allow statement at /var/lib/selinux/targeted/tmp/modules/200/container/cil:1263
Failed to resolve AST
/usr/sbin/semodule: Failed!
  Installing       : flatpak-selinux-1.12.6-1.fc36.noarch          6/6
  Running scriptlet: flatpak-selinux-1.12.6-1.fc36.noarch          6/6
Failed to resolve allow statement at /var/lib/selinux/targeted/tmp/modules/200/container/cil:1263
Failed to resolve AST
/usr/sbin/semodule: Failed!
  Running scriptlet: selinux-policy-targeted-36.5-1.fc36.noarch    6/6
  Running scriptlet: container-selinux-2:2.180.0-1.fc36.noarch     6/6
  Running scriptlet: flatpak-selinux-1.12.6-1.fc36.noarch          6/6
  Verifying        : container-selinux-2:2.180.0-1.fc36.noarch     1/6
  Verifying        : flatpak-selinux-1.12.6-1.fc36.noarch          2/6
  Verifying        : rpm-plugin-selinux-4.17.0-10.fc36.x86_64      3/6
  Verifying        : selinux-policy-36.5-1.fc36.noarch             4/6
  Verifying        : selinux-policy-targeted-36.5-1.fc36.noarch    5/6
  Verifying        : smartmontools-selinux-1:7.2-12.fc36.noarch    6/6

Installed:
  container-selinux-2:2.180.0-1.fc36.noarch
  flatpak-selinux-1.12.6-1.fc36.noarch
  rpm-plugin-selinux-4.17.0-10.fc36.x86_64
  selinux-policy-36.5-1.fc36.noarch
  selinux-policy-targeted-36.5-1.fc36.noarch
  smartmontools-selinux-1:7.2-12.fc36.noarch

Complete!
My containers are erroring out with:

Mar 28 14:11:04 workstation kernel: SELinux: Unable to set superblock options before the security server is initialized
Mar 28 14:11:04 workstation podman[23972]: time="2022-03-28T14:11:04-04:00" level=error msg="Starting some container dependencies"
Mar 28 14:11:04 workstation podman[23972]: time="2022-03-28T14:11:04-04:00" level=error msg="\"failed to mount shm tmpfs \\\"/home/bryan/.local/share/containers/storage/overlay-containers/5e0a71d56316445b5ffb9af0e54ce92f9532a90807b267fd5>

...which appears to be related to the virt policy (so these containers should run OK without container-selinux, assuming I would ever want that).

So since container-selinux is borked it is not allowing virt policy via selinux-policy-targeted to build. Since these policies are all dependent on one another at the package level it is not trivial to just remove container-selinux to allow selinux-policy-targeted to install correctly and the virt module to subsequently allow tmpfs access to my container volumes, even in permissive mode. Seems a bit fragile but IDK.
Appears related to: https://bugzilla.redhat.com/show_bug.cgi?id=2056303

After removing all selinux-policy packages and rebooting I'm left with:

$ sudo semodule -l
container
flatpak
smartmon
snappy
swtpm
swtpm_svirt

When I try to remove a module manually, I receive an AST error.

$ sudo semodule -X200 -r snappy
libsemanage.semanage_direct_remove_key: Removing last snappy module (no other snappy module exists at another priority).
Failed to resolve typealiasactual statement at /var/lib/selinux/targeted/tmp/modules/200/container/cil:6
Failed to resolve AST
semodule: Failed!

So it appears that there are some leftover policy modules from dnf system-upgrade or something else that I cannot put my finger on. Stuck at the moment and will be disabling SELinux.
The same issue happened to me as well on 2 different machines. The last time now, just after the release of Beta. I found no solution so far. https://bugzilla.redhat.com/show_bug.cgi?id=2056303
I have the same issue after upgrading to F36:

semodule -e container
Failed to resolve allow statement at /var/lib/selinux/targeted/tmp/modules/200/container/cil:1263
Failed to resolve AST
semodule: Failed!
How to fix: Removed all modules with complaints. In my case it was:

semodule -X 200 -r snappy -r container -X 300 -r my-chown -X 400 -r my-chown -r my-systemctl

After that I was able to run:

dnf reinstall container-selinux
Thanks, removing the snappy and container modules in the same command fixed the issue.
*** This bug has been marked as a duplicate of bug 2056303 ***
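
The workaround in the comments above depends on removing every module named in a "Failed to resolve ... statement" error in a single semodule invocation. The following is an added example, not code from any commenter or from the selinux-policy project: it collects the priority and module name from those error lines and prints one combined removal command for review (it does not run semodule). The function names `failing_modules` and `removal_command` are hypothetical, and the sample log is constructed from error lines quoted in this report.

```shell
#!/bin/sh
# Constructed sample: semodule error lines as quoted in this bug report.
SAMPLE_LOG='Failed to resolve allow statement at /var/lib/selinux/targeted/tmp/modules/200/container/cil:1263
Failed to resolve AST
/usr/sbin/semodule: Failed!
Failed to resolve allow statement at /var/lib/selinux/targeted/tmp/modules/200/snappy/cil:305
Failed to resolve typealiasactual statement at /var/lib/selinux/targeted/tmp/modules/200/container/cil:6'

# failing_modules (hypothetical helper): read dnf/semodule output on stdin and
# print unique "<priority> <module>" pairs taken from the module store path in
# each "Failed to resolve <kind> statement at .../modules/<prio>/<name>/cil:<n>".
# grep -o isolates each error first, so several errors on one line still work.
failing_modules() {
    grep -o 'Failed to resolve [a-z]* statement at [^ ]*/modules/[0-9][0-9]*/[^/ ]*/cil:[0-9][0-9]*' |
        sed 's|.*/modules/\([0-9][0-9]*\)/\([^/]*\)/cil:.*|\1 \2|' |
        sort -u -k1,1n -k2,2
}

# removal_command (hypothetical helper): turn those pairs into a single
# "semodule -X <prio> -r <mod> ..." line, the same option layout used in the
# fix comment, so all broken modules are dropped in one policy rebuild.
removal_command() {
    failing_modules | awk '
        $1 != prio { args = args " -X " $1; prio = $1 }   # new priority group
                   { args = args " -r " $2 }              # queue this module
        END        { if (args != "") print "semodule" args }'
}

# Print the command for the sample log; review it before running it as root.
printf '%s\n' "$SAMPLE_LOG" | removal_command
```

On a live system the input would be the saved output of the failing dnf or semodule run; modules that only fail after the first ones are removed need a second pass.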