Description of problem:

```
Running transaction
  Preparing : 1/1
  Installing : pcp-selinux-5.3.6-2.fc36.x86_64 1/1
  Running scriptlet: pcp-selinux-5.3.6-2.fc36.x86_64 1/1
Failed to resolve typeattributeset statement at /var/lib/selinux/targeted/tmp/modules/400/pcpupstream/cil:5
Failed to resolve AST
semodule: Failed!
Failed to resolve typeattributeset statement at /var/lib/selinux/targeted/tmp/modules/400/pcpupstream-container/cil:4
Failed to resolve AST
semodule: Failed!
```

Also upgrade from Fedora 35 fails, apparently due to this error too, see https://bugzilla.redhat.com/show_bug.cgi?id=2056303 (I had to uninstall 'pcp' in order to be able to proceed with upgrading podman).

Version-Release number of selected component (if applicable): pcp-selinux-5.3.6-2.fc36.x86_64

How reproducible: Always

Steps to Reproduce:
1. dnf install pcp-selinux on Fedora 36 beta

Actual results:

```
Running transaction
  Preparing : 1/1
  Installing : pcp-selinux-5.3.6-2.fc36.x86_64 1/1
  Running scriptlet: pcp-selinux-5.3.6-2.fc36.x86_64 1/1
Failed to resolve typeattributeset statement at /var/lib/selinux/targeted/tmp/modules/400/pcpupstream/cil:5
Failed to resolve AST
semodule: Failed!
Failed to resolve typeattributeset statement at /var/lib/selinux/targeted/tmp/modules/400/pcpupstream-container/cil:4
Failed to resolve AST
semodule: Failed!
```

Expected results: No errors

Additional info: https://bugzilla.redhat.com/show_bug.cgi?id=1929837 seems similar but different line number

Hi Török,

Could you attempt to re-install pcp and then run these commands after you observe the issue:

```
/usr/libexec/selinux/hll/pp /usr/libexec/pcp/selinux/pcpupstream.pp /tmp/pcpupstream.cil
/usr/libexec/selinux/hll/pp /var/lib/pcp/selinux/pcpupstream-container.pp /tmp/pcpupstreamc.cil
```

and then paste here the output from 'head /tmp/pcpupstream*'.

Thanks!

I believe this is a result of

> Workaround for me: 'sudo semodule -X 200 -r snappy -r container -r flatpak -X 400 -r pcpupstream -r pcpupstream-container -X 100 -r pcp'

as mentioned in https://bugzilla.redhat.com/show_bug.cgi?id=2056303#c13

After removing the pcp SELinux module, types from this module are not available.

I cannot reproduce a PCP problem here, based on #c2 this seems to be a side-effect of the workaround. I've created a f36-beta VM and performed all manner of dnf updating/re-installing combinations of pcp, pcp-selinux, podman, selinux-policy I could think of and do not encounter the error described here (nor any selinux error at all for that matter).
Here is the requested output:

```
Running transaction
  Preparing : 1/1
  Installing : pcp-selinux-5.3.6-2.fc36.x86_64 1/4
  Running scriptlet: pcp-selinux-5.3.6-2.fc36.x86_64 1/4
Failed to resolve typeattributeset statement at /var/lib/selinux/targeted/tmp/modules/400/pcpupstream/cil:5
Failed to resolve AST
semodule: Failed!
Failed to resolve typeattributeset statement at /var/lib/selinux/targeted/tmp/modules/400/pcpupstream-container/cil:4
Failed to resolve AST
semodule: Failed!
  Installing : pcp-conf-5.3.6-2.fc36.x86_64 2/4
  Installing : pcp-libs-5.3.6-2.fc36.x86_64 3/4
  Running scriptlet: pcp-5.3.6-2.fc36.x86_64 4/4
  Installing : pcp-5.3.6-2.fc36.x86_64 4/4
  Running scriptlet: pcp-5.3.6-2.fc36.x86_64 4/4
Created symlink /etc/systemd/system/multi-user.target.wants/pmcd.service → /usr/lib/systemd/system/pmcd.service.
Created symlink /etc/systemd/system/multi-user.target.wants/pmlogger.service → /usr/lib/systemd/system/pmlogger.service.
Created symlink /etc/systemd/system/multi-user.target.wants/pmie.service → /usr/lib/systemd/system/pmie.service.
  Verifying : pcp-5.3.6-2.fc36.x86_64 1/4
  Verifying : pcp-conf-5.3.6-2.fc36.x86_64 2/4
  Verifying : pcp-libs-5.3.6-2.fc36.x86_64 3/4
  Verifying : pcp-selinux-5.3.6-2.fc36.x86_64 4/4

Installed:
  pcp-5.3.6-2.fc36.x86_64
  pcp-conf-5.3.6-2.fc36.x86_64
  pcp-libs-5.3.6-2.fc36.x86_64
  pcp-selinux-5.3.6-2.fc36.x86_64
```

```
head /tmp/pcpupstream*
==> /tmp/pcpupstream.cil <==
(roleattributeset cil_gen_require system_r)
(typeattributeset cil_gen_require domain)
(typeattributeset cil_gen_require userdomain)
(typeattributeset cil_gen_require file_type)
(typeattributeset cil_gen_require pcp_domain)
(typeattributeset cil_gen_require pcp_pmcd_t)
(typeattributeset cil_gen_require tmp_t)
(typeattributeset cil_gen_require init_t)
(typeattributeset cil_gen_require initrc_tmp_t)
(typeattributeset cil_gen_require default_t)

==> /tmp/pcpupstreamc.cil <==
(typeattributeset cil_gen_require container_runtime_t)
(typeattributeset cil_gen_require container_runtime_tmpfs_t)
(typeattributeset cil_gen_require container_var_run_t)
(typeattributeset cil_gen_require pcp_pmcd_t)
(allow pcp_pmcd_t container_runtime_t (unix_stream_socket (connectto)))
(allow pcp_pmcd_t container_runtime_tmpfs_t (dir (getattr)))
(allow pcp_pmcd_t container_var_run_t (file (getattr read open)))
```

Thanks Török.

Line 5 in pcpupstream cil is:

```
(typeattributeset cil_gen_require pcp_domain)
```

and line 4 in pcpupstream-container cil is:

```
(typeattributeset cil_gen_require pcp_pmcd_t)
```

These types come from base selinux-policy, not from PCP. This suggests to me that something has gone wrong before attempting to install PCP - it could be something like the selinux-policy didn't get (re-)built during the installation of that package? Not 100% sure - but certainly this does continue to point toward a non-PCP-related problem on your system.

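The lookup done by hand in the comment above (semodule error line number to the identifier required on that line), as an added shell example that is not part of the thread or of PCP. It assumes each module's CIL was regenerated with `/usr/libexec/selinux/hll/pp` into one directory as `<module>.cil`; the function names `unresolved_requires` and `make_sample` are hypothetical.

```shell
#!/bin/sh
# Map each "Failed to resolve ... statement at <path>/<module>/cil:<N>" error
# to the identifier required on line N of that module's regenerated CIL.
# Usage: unresolved_requires LOGFILE CIL_DIR   (assumes CIL_DIR/<module>.cil)
unresolved_requires() {
    log=$1
    cil_dir=$2
    sed -n 's|^Failed to resolve .* statement at .*/\([^/]*\)/cil:\([0-9][0-9]*\)$|\1 \2|p' "$log" |
    while read -r module lineno; do
        cil="$cil_dir/$module.cil"
        if [ ! -r "$cil" ]; then
            echo "$module:$lineno (no CIL file at $cil)"
            continue
        fi
        stmt=$(sed -n "${lineno}p" "$cil")
        # For a cil_gen_require line keep only the required name.
        name=$(printf '%s\n' "$stmt" |
            sed -n 's|^([a-z]*attributeset cil_gen_require \([^ )]*\))$|\1|p')
        echo "$module:$lineno ${name:-$stmt}"
    done
}

# Sample input: error lines and CIL heads as posted in this thread.
make_sample() {
    dir=$1
    cat > "$dir/install.log" <<'EOF'
Failed to resolve typeattributeset statement at /var/lib/selinux/targeted/tmp/modules/400/pcpupstream/cil:5
Failed to resolve AST
Failed to resolve typeattributeset statement at /var/lib/selinux/targeted/tmp/modules/400/pcpupstream-container/cil:4
EOF
    cat > "$dir/pcpupstream.cil" <<'EOF'
(roleattributeset cil_gen_require system_r)
(typeattributeset cil_gen_require domain)
(typeattributeset cil_gen_require userdomain)
(typeattributeset cil_gen_require file_type)
(typeattributeset cil_gen_require pcp_domain)
EOF
    cat > "$dir/pcpupstream-container.cil" <<'EOF'
(typeattributeset cil_gen_require container_runtime_t)
(typeattributeset cil_gen_require container_runtime_tmpfs_t)
(typeattributeset cil_gen_require container_var_run_t)
(typeattributeset cil_gen_require pcp_pmcd_t)
EOF
}

tmp=$(mktemp -d)
make_sample "$tmp"
unresolved_requires "$tmp/install.log" "$tmp"
rm -rf "$tmp"
```

A name reported here that the failing module does not define itself has to be provided by a policy module that is already installed, which is the check the comment above performs.
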
I found a workaround:

```
sudo dnf reinstall selinux-policy-targeted
sudo dnf reinstall pcp-selinux
```

All warnings are gone now, probably some leftover failures from the initial upgrade failure of the selinux packages (container-selinux, etc.)

I've added a note on the original SELinux policy upgrade bug: https://bugzilla.redhat.com/show_bug.cgi?id=2056303#c28, thanks for the hints.
No problem - glad to hear it's all working now.