Description of problem:

Running transaction
Preparing : 1/1
Running scriptlet: container-selinux-2:2.181.0-1.fc36.noarch 1/2
Reinstalling : container-selinux-2:2.181.0-1.fc36.noarch 1/2
Running scriptlet: container-selinux-2:2.181.0-1.fc36.noarch 1/2
Failed to resolve allow statement at /var/lib/selinux/targeted/tmp/modules/200/osbuild/cil:127
Failed to resolve AST
/usr/sbin/semodule: Failed!
/etc/selinux/targeted/contexts/files/file_contexts: invalid context system_u:object_r:container_var_lib_t:s0
Failed to resolve allow statement at /var/lib/selinux/targeted/tmp/modules/200/container/cil:1265
Failed to resolve AST
semodule: Failed!
Running scriptlet: container-selinux-2:2.181.0-1.fc36.noarch 2/2
Failed to resolve allow statement at /var/lib/selinux/targeted/tmp/modules/200/container/cil:1265
Failed to resolve AST
semodule: Failed!

Version-Release number of selected component (if applicable):

How reproducible: every time

Steps to Reproduce:
1. sudo dnf -y reinstall container-selinux

Actual results:

Failed to resolve allow statement at /var/lib/selinux/targeted/tmp/modules/200/osbuild/cil:127
Failed to resolve AST
/usr/sbin/semodule: Failed!
/etc/selinux/targeted/contexts/files/file_contexts: invalid context system_u:object_r:container_var_lib_t:s0
Failed to resolve allow statement at /var/lib/selinux/targeted/tmp/modules/200/container/cil:1265
Failed to resolve AST
semodule: Failed!
Running scriptlet: container-selinux-2:2.181.0-1.fc36.noarch

Expected results: reinstall

Additional info:

sudo dnf update
Running transaction
Preparing : 1/1
Running scriptlet: osbuild-53-1.fc36.noarch 1/24
Upgrading : osbuild-53-1.fc36.noarch 1/24
error: lsetfilecon: (/usr/bin/osbuild;6247f8f4, system_u:object_r:osbuild_exec_t:s0) Invalid argument
error: Plugin selinux: hook fsm_file_prepare failed
Error unpacking rpm package osbuild-53-1.fc36.noarch
Upgrading : crun-1.4.4-1.fc36.x86_64 2/24
error: unpacking of archive failed on file /usr/bin/osbuild;6247f8f4: cpio: (error 0x2)
error: osbuild-53-1.fc36.noarch: install failed
error: lsetfilecon: (/usr/bin/crun;6247f8f4, system_u:object_r:container_runtime_exec_t:s0) Invalid argument
error: Plugin selinux: hook fsm_file_prepare failed
Error unpacking rpm package crun-1.4.4-1.fc36.x86_64
Upgrading : containers-common-4:1-53.fc36.noarch 3/24
error: unpacking of archive failed on file /usr/bin/crun;6247f8f4: cpio: (error 0x2)
error: crun-1.4.4-1.fc36.x86_64: install failed
error: lsetfilecon: (/var/lib/containers/sigstore, system_u:object_r:container_var_lib_t:s0) Invalid argument
error: Plugin selinux: hook fsm_file_prepare failed
Error unpacking rpm package containers-common-4:1-53.fc36.noarch
Upgrading : conmon-2:2.1.0-2.fc36.x86_64 4/24
error: unpacking of archive failed on file /var/lib/containers/sigstore: cpio: (error 0x2)
error: containers-common-4:1-53.fc36.noarch: install failed
error: lsetfilecon: (/usr/bin/conmon;6247f8f4, system_u:object_r:conmon_exec_t:s0) Invalid argument
error: Plugin selinux: hook fsm_file_prepare failed
Error unpacking rpm package conmon-2:2.1.0-2.fc36.x86_64
Upgrading : podman-3:4.0.2-1.fc36.x86_64 5/24
error: unpacking of archive failed on file /usr/bin/conmon;6247f8f4: cpio: (error 0x2)
error: conmon-2:2.1.0-2.fc36.x86_64: install failed
error: lsetfilecon: (/usr/bin/podman;6247f8f4, system_u:object_r:container_runtime_exec_t:s0) Invalid argument
error: Plugin selinux: hook fsm_file_prepare failed
Error unpacking rpm package podman-3:4.0.2-1.fc36.x86_64
Upgrading : osbuild-luks2-53-1.fc36.noarch 6/24
error: unpacking of archive failed on file /usr/bin/podman;6247f8f4: cpio: (error 0x2)
error: podman-3:4.0.2-1.fc36.x86_64: install failed
error: lsetfilecon: (/usr/lib/osbuild/stages/org.osbuild.crypttab;6247f8f4, system_u:object_r:osbuild_exec_t:s0) Invalid argument
error: Plugin selinux: hook fsm_file_prepare failed
Error unpacking rpm package osbuild-luks2-53-1.fc36.noarch
Upgrading : osbuild-lvm2-53-1.fc36.noarch 7/24
error: unpacking of archive failed on file /usr/lib/osbuild/stages/org.osbuild.crypttab;6247f8f4: cpio: (error 0x2)
error: osbuild-luks2-53-1.fc36.noarch: install failed
error: lsetfilecon: (/usr/lib/osbuild/stages/org.osbuild.lvm2.create;6247f8f4, system_u:object_r:osbuild_exec_t:s0) Invalid argument
error: Plugin selinux: hook fsm_file_prepare failed
Error unpacking rpm package osbuild-lvm2-53-1.fc36.noarch
Upgrading : osbuild-ostree-53-1.fc36.noarch 8/24
error: unpacking of archive failed on file /usr/lib/osbuild/stages/org.osbuild.lvm2.create;6247f8f4: cpio: (error 0x2)
error: osbuild-lvm2-53-1.fc36.noarch: install failed
error: lsetfilecon: (/usr/lib/osbuild/assemblers/org.osbuild.ostree.commit;6247f8f4, system_u:object_r:osbuild_exec_t:s0) Invalid argument
error: Plugin selinux: hook fsm_file_prepare failed
Error unpacking rpm package osbuild-ostree-53-1.fc36.noarch
Upgrading : runc-2:1.1.1-1.fc36.x86_64 9/24
error: unpacking of archive failed on file /usr/lib/osbuild/assemblers/org.osbuild.ostree.commit;6247f8f4: cpio: (error 0x2)
error: osbuild-ostree-53-1.fc36.noarch: install failed
error: lsetfilecon: (/usr/bin/runc;6247f8f4, system_u:object_r:container_runtime_exec_t:s0) Invalid argument
error: Plugin selinux: hook fsm_file_prepare failed
Error unpacking rpm package runc-2:1.1.1-1.fc36.x86_64
Upgrading : swtpm-0.7.2-1.20220307git21c90c1.fc36.x86_64 10/24
error: unpacking of archive failed on file /usr/bin/runc;6247f8f4: cpio: (error 0x2)
error: runc-2:1.1.1-1.fc36.x86_64: install failed
error: lsetfilecon: (/usr/bin/swtpm;6247f8f4, system_u:object_r:swtpm_exec_t:s0) Invalid argument
error: Plugin selinux: hook fsm_file_prepare failed
Error unpacking rpm package swtpm-0.7.2-1.20220307git21c90c1.fc36.x86_64
Upgrading : snapd-2.54.4-1.fc36.x86_64 11/24
error: unpacking of archive failed on file /usr/bin/swtpm;6247f8f4: cpio: (error 0x2)
error: swtpm-0.7.2-1.20220307git21c90c1.fc36.x86_64: install failed
error: lsetfilecon: (/etc/sysconfig/snapd;6247f8f4, system_u:object_r:snappy_config_t:s0) Invalid argument
error: Plugin selinux: hook fsm_file_prepare failed
Error unpacking rpm package snapd-2.54.4-1.fc36.x86_64
Knut,

Can you list all installed custom modules?

# semodule -lfull | grep -v ^100
# rpm -qa "*-selinux"

Did you make some customizations to the SELinux policy?
https://bugzilla.redhat.com/show_bug.cgi?id=2071939 Same issue I'm having here
[ 9.756776] SELinux: Context system_u:object_r:container_unit_file_t:s0 is not valid (left unmapped).
[ 33.125507] SELinux: Context system_u:object_r:container_var_lib_t:s0 is not valid (left unmapped).
[ 33.213093] SELinux: Context system_u:object_r:container_runtime_exec_t:s0 is not valid (left unmapped).
[ 33.439133] SELinux: Context system_u:object_r:tabrmd_exec_t:s0 is not valid (left unmapped).
[ 161.776462] SELinux: Context system_u:object_r:flatpak_helper_exec_t:s0 is not valid (left unmapped).
[ 161.945236] SELinux: Context system_u:object_r:vnc_session_exec_t:s0 is not valid (left unmapped).
[ 194.716357] SELinux: Context system_u:object_r:container_log_t:s0 is not valid (left unmapped).
[ 287.313712] SELinux: Context unconfined_u:object_r:vnc_home_t:s0 is not valid (left unmapped).
[ 1518.845746] SELinux: Context system_u:object_r:conmon_exec_t:s0 is not valid (left unmapped).
[ 1518.849016] SELinux: Context system_u:object_r:swtpm_exec_t:s0 is not valid (left unmapped).
[ 1518.850845] SELinux: Context system_u:object_r:osbuild_exec_t:s0 is not valid (left unmapped).
[ 1584.971276] SELinux: Context system_u:object_r:container_config_t:s0 is not valid (left unmapped).
I removed podman. When I reinstalled I got this error.

Running scriptlet: container-selinux-2:2.181.0-2.fc36.noarch 1/15
libsepol.context_from_record: type insights_client_var_lib_t is not defined
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert system_u:object_r:insights_client_var_lib_t:s0 to sid
invalid context system_u:object_r:insights_client_var_lib_t:s0
Failed to commit changes to booleans: Success
Failed to resolve allow statement at /var/lib/selinux/targeted/tmp/modules/200/osbuild/cil:127
Failed to resolve AST
/usr/sbin/semodule: Failed!
Failed to resolve allow statement at /var/lib/selinux/targeted/tmp/modules/200/container/cil:1265
Failed to resolve AST
semodule: Failed!
Hi osbuild folks,

Every custom selinux module using directly or indirectly socket_class_set needs to be rebuilt with

selinux-policy-35.17-1.fc35
https://bodhi.fedoraproject.org/updates/FEDORA-2022-c5bee6b70f

selinux-policy-34.27-1.fc34
https://bodhi.fedoraproject.org/updates/FEDORA-2022-eaef082697

to ensure these classes are not in use:
- bridge_socket
- ib_socket
- mpls_socket

Please do so before F36 GA.
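An added example, not part of the original thread: a small CIL scanner that reports which statements in a module still reference the three classes named above, with the statement's starting line so it can be compared with the `cil:<line>` positions in the semodule errors. It assumes the input is a module's CIL text (for instance a file written by `semodule -c -E osbuild`); the function names and the sample module are constructed for illustration.

```python
import bz2
import re

REMOVED_CLASSES = frozenset({"bridge_socket", "ib_socket", "mpls_socket"})  # from the thread
AV_RULES = frozenset({"allow", "auditallow", "dontaudit", "neverallow"})
# Quoted strings (filecon paths can contain parentheses), ';' comments, parens, symbols.
TOKEN = re.compile(r'"[^"]*"|;[^\n]*|[()]|[^\s()";]+')

SAMPLE = '''; constructed demo module, not taken from any real package
(filecon "/var/lib/demo(/.*)?" any (system_u object_r demo_var_lib_t ((s0) (s0))))
(optional demo_optional_2
    (allow demo_t self (tcp_socket (read write)))
    (allow demo_t self
        (bridge_socket (read write)))
)
; (allow demo_t self (ib_socket (read)))
(dontaudit demo_t self (mpls_socket (ioctl)))
'''

def load_cil(raw):
    """Decode a module's CIL bytes, transparently handling a bzip2-compressed file."""
    if raw[:3] == b"BZh":
        raw = bz2.decompress(raw)
    return raw.decode("utf-8", errors="replace")

def find_removed_class_rules(cil_text, removed=REMOVED_CLASSES):
    """Return (start_line, statement_keyword, class_name) for every live reference."""
    hits, stack = [], []          # stack holds [head_keyword, start_line] per open list
    line, pos = 1, 0
    for m in TOKEN.finditer(cil_text):
        line += cil_text.count("\n", pos, m.start())
        pos, tok = m.start(), m.group()
        if tok == "(":
            stack.append([None, line])
        elif tok == ")":
            if stack:
                stack.pop()
        elif tok[0] not in '";':  # symbols only; strings and comments are skipped
            if stack and stack[-1][0] is None:
                stack[-1][0] = tok
            if tok in removed:
                # Prefer the enclosing access-vector rule, else the outermost statement.
                rule = next((f for f in reversed(stack) if f[0] in AV_RULES), None)
                head, start = rule or (stack[0] if stack else [tok, line])
                hits.append((start, head, tok))
    return hits

if __name__ == "__main__":
    for start, head, cls in find_removed_class_rules(load_cil(SAMPLE.encode())):
        print(f"line {start}: {head} statement references {cls}")
```

An empty result for every non-base module means none of them still names the removed classes; any hit identifies a module that has to be rebuilt against the updated selinux-policy.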
Hello Zdeněk,

happy to do it but it firstly needs to be in buildroot, right? We did fresh builds today actually but they picked the old version, see:

- https://koji.fedoraproject.org/koji/rpminfo?rpmID=30078551
- https://koji.fedoraproject.org/koji/rpminfo?rpmID=30078533

Is buildroot override fine for selinux-policy, or do we have to wait until the selinux-policy updates reach stable? What do you prefer?

Thanks,
Ondřej
sudo semodule -lfull | grep -v ^100
400 pcpupstream pp
400 pcpupstream-container pp
200 cockpit pp
200 container pp
200 flatpak pp
200 ipa pp
200 mysql pp
200 osbuild pp
200 smartmon pp
200 snappy pp
200 swtpm pp
200 swtpm_svirt pp

rpm -qa "*-selinux"
dnfdaemon-selinux-0.3.20-8.fc36.noarch
rpm-plugin-selinux-4.17.0-10.fc36.x86_64
freeipa-selinux-4.9.8-3.fc36.noarch
mysql-selinux-1.0.4-4.fc36.noarch
pcp-selinux-5.3.7-1.fc36.x86_64
smartmontools-selinux-7.3-2.fc36.noarch
snapd-selinux-2.55.3-1.fc36.noarch
cockpit-selinux-267-1.fc36.noarch
osbuild-selinux-54-1.fc36.noarch
flatpak-selinux-1.12.7-2.fc36.noarch

SELinux has been modified by nvidia packages from rpmfusion.
(In reply to Ondřej Budai from comment #6)
> Hello Zdeněk,
>
> happy to do it but it firstly needs to be in buildroot, right? We did fresh
> builds today actually but they picked the old version, see:
>
> - https://koji.fedoraproject.org/koji/rpminfo?rpmID=30078551
> - https://koji.fedoraproject.org/koji/rpminfo?rpmID=30078533

Hello Ondřej,

I can't see it in the output, but I suppose you are right, both selinux-policy updates are awaiting karma based on community testing. The F35 build is expected to be okay as there are only a few changes after the previous build.

> Is buildroot override fine for selinux-policy, or do we have to wait until
> the selinux-policy updates reach stable? What do you prefer?

We need to find a balance between having it tested enough and reaching F36 before GA. At this moment I'm closer to the buildroot override.
FEDORA-2022-c5bee6b70f has been submitted as an update to Fedora 35. https://bodhi.fedoraproject.org/updates/FEDORA-2022-c5bee6b70f
FEDORA-2022-c5bee6b70f has been pushed to the Fedora 35 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2022-c5bee6b70f` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-c5bee6b70f See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2022-c5bee6b70f has been pushed to the Fedora 35 stable repository. If problem still persists, please make note of it in this bug report.