2149171 – RHEL 8.7 kickstart installation fails when frr package is included in the %packages section.

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 2149171 - RHEL 8.7 kickstart installation fails when frr package is included in the %packages section.

Summary: RHEL 8.7 kickstart installation fails when frr package is included in the %pa...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	frr
Sub Component:
Version:	8.7
Hardware:	Unspecified
OS:	Linux
Priority:	unspecified
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Michal Ruprich
QA Contact:	František Hrdina
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2022-11-29 04:58 UTC by mkenjale
Modified:	2023-05-16 09:34 UTC (History)
CC List:	2 users (show)
Fixed In Version:	frr-7.5.1-6.el8
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2023-05-16 08:30:22 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	RHELPLAN-140736	0	None	None	None	2022-11-29 05:06:14 UTC
Red Hat Product Errata	RHSA-2023:2801	0	None	None	None	2023-05-16 08:30:29 UTC

Description mkenjale 2022-11-29 04:58:42 UTC

=======================
Description of problem:
=======================

- RHEL 8.7 kickstart installation fails when frr package is included in %packages section.
--------
DNF error : Error in POSTIN scriptlet in rpm package frr-selinux
--------
- The post installation script of frr-selinux package, which is dependency of frr package, is failing and that is aborting the installation.

=============================================================
Version-Release number of selected component (if applicable):
=============================================================

- RHEL 8.7 ISO.
- frr-7.5.1-4.el8.x86_64.rpm                                    
- frr-selinux-7.5.1-4.el8.noarch.rpm  

===================
Steps to Reproduce:
===================

1. Write a kickstart file and add "frr" package to the "%packages" section. The following "%packages" section is enough to reproduce the issue:
-----
%packages
@core 
frr
%end
-----

2. Start kickstart installation.
3. The installation(text as well as graphical mode) will fail with the following error:
------
DNF error : Error in POSTIN scriptlet in rpm package frr-selinux
------

===============
Actual results:
===============
- Installation fails with the following error:
--------
DNF error : Error in POSTIN scriptlet in rpm package frr-selinux
--------

=================
Expected results:
=================
- The installation should not fail.
- The post installation script of frr-selinux package should not fail.

================
Additional info:
================

- In RHEL 8.6 ISO we have the following frr package, and it does not require frr-selinux package.
-----------
frr-7.5-11.el8.x86_64.rpm

#rpm -qp --requires frr-7.5-11.el8.x86_64.rpm  | grep selinux
#
-----------

- In RHEL 8.7 ISO we have the following frr package, and it has dependency on frr-selinux package. The frr-selinux package has been introduced in RHEL 8.7.
-----------
# rpm -qp --requires frr-7.5.1-4.el8.x86_64.rpm  | grep selinux
(frr-selinux = 7.5.1-4.el8 if selinux-policy-targeted)
-----------

- The post installation script of frr-selinux package is failing and that is aborting the installation.

- I also tried installing the frr package in the %post section of the kickstart file, but that did not help.

--
%post --nochroot --log=/mnt/sysimage/var/log/kickstart_post_nochroot.log
echo "Installing frr package"
cd /run/install/sources/mount-0000-cdrom/BaseOS/Packages
rpm -ivh --root=/mnt/sysimage/ checkpolicy-2.9-1.el8.x86_64.rpm lm_sensors-libs-3.4.0-23.20180522git70f7e08.el8.x86_64.rpm net-snmp-libs-5.8-25.el8.x86_64.rpm perl-Carp-1.42-396.el8.noarch.rpm perl-constant-1.33-396.el8.noarch.rpm perl-Data-Dumper-2.167-399.el8.x86_64.rpm perl-Encode-2.97-3.el8.x86_64.rpm perl-Errno-1.28-421.el8.x86_64.rpm perl-Exporter-5.72-396.el8.noarch.rpm perl-File-Path-2.15-2.el8.noarch.rpm perl-File-Temp-0.230.600-1.el8.noarch.rpm perl-Getopt-Long-2.50-4.el8.noarch.rpm perl-HTTP-Tiny-0.074-1.el8.noarch.rpm perl-interpreter-5.26.3-421.el8.x86_64.rpm perl-IO-1.38-421.el8.x86_64.rpm perl-libs-5.26.3-421.el8.x86_64.rpm perl-macros-5.26.3-421.el8.x86_64.rpm perl-MIME-Base64-3.15-396.el8.x86_64.rpm perl-parent-0.237-1.el8.noarch.rpm perl-PathTools-3.74-1.el8.x86_64.rpm perl-Pod-Escapes-1.07-395.el8.noarch.rpm perl-podlators-4.11-1.el8.noarch.rpm perl-Pod-Perldoc-3.28-396.el8.noarch.rpm perl-Pod-Simple-3.35-395.el8.noarch.rpm perl-Pod-Usage-1.69-395.el8.noarch.rpm perl-Scalar-List-Utils-1.49-2.el8.x86_64.rpm perl-Socket-2.027-3.el8.x86_64.rpm perl-Storable-3.11-3.el8.x86_64.rpm perl-Term-ANSIColor-4.06-396.el8.noarch.rpm perl-Term-Cap-1.17-395.el8.noarch.rpm perl-Text-ParseWords-3.30-395.el8.noarch.rpm perl-Text-Tabs+Wrap-2013.0523-395.el8.noarch.rpm perl-threads-2.21-2.el8.x86_64.rpm perl-threads-shared-1.58-2.el8.x86_64.rpm perl-Time-Local-1.280-1.el8.noarch.rpm perl-Unicode-Normalize-1.25-396.el8.x86_64.rpm policycoreutils-python-utils-2.9-20.el8.noarch.rpm python3-audit-3.0.7-4.el8.x86_64.rpm python3-libsemanage-2.9-9.el8.x86_64.rpm python3-policycoreutils-2.9-20.el8.noarch.rpm python3-setools-4.3.0-3.el8.x86_64.rpm ../../AppStream/Packages/frr-7.5.1-4.el8.x86_64.rpm ../../AppStream/Packages/frr-selinux-7.5.1-4.el8.noarch.rpm ../../AppStream/Packages/libyang-1.0.184-1.el8.x86_64.rpm ../../AppStream/Packages/mariadb-connector-c-3.1.11-2.el8_3.x86_64.rpm ../../AppStream/Packages/mariadb-connector-c-config-3.1.11-2.el8_3.noarch.rpm ../../AppStream/Packages/net-snmp-5.8-25.el8.x86_64.rpm ../../AppStream/Packages/net-snmp-agent-libs-5.8-25.el8.x86_64.rpm ../../AppStream/Packages/perl-Digest-1.17-395.el8.noarch.rpm ../../AppStream/Packages/perl-Digest-MD5-2.55-396.el8.x86_64.rpm ../../AppStream/Packages/perl-IO-Socket-IP-0.39-5.el8.noarch.rpm ../../AppStream/Packages/perl-IO-Socket-SSL-2.066-4.module+el8.3.0+6446+594cad75.noarch.rpm ../../AppStream/Packages/perl-libnet-3.11-3.el8.noarch.rpm ../../AppStream/Packages/perl-Mozilla-CA-20160104-7.module+el8.3.0+6498+9eecfe51.noarch.rpm ../../AppStream/Packages/perl-Net-SSLeay-1.88-2.module+el8.6.0+13392+f0897f98.x86_64.rpm ../../AppStream/Packages/perl-URI-1.73-3.el8.noarch.rpm 
%end
-----------

- Result: The frr-selinux package post script failed:
-----------
# tail -8 mnt/sysimage/var/log/kickstart_post_nochroot.log
checkpolicy-2.9-1.el8                 ########################################
python3-policycoreutils-2.9-20.el8    ########################################
policycoreutils-python-utils-2.9-20.el########################################
frr-selinux-7.5.1-4.el8               ########################################
warning: %post(frr-selinux-7.5.1-4.el8.noarch) scriptlet failed, exit status 255
frr-7.5.1-4.el8                       ########################################
Running in chroot, ignoring request: daemon-reload
Running in chroot, ignoring request: daemon-reload
-----------

-Result with more verbosity:
-----------
D: ========== +++ frr-selinux-7.5.1-4.el8 noarch-linux 0x0
D: frr-selinux-7.5.1-4.el8.noarch: Header V3 RSA/SHA256 Signature, key ID fd431d51: NOKEY
D: frr-selinux-7.5.1-4.el8.noarch: Header SHA256 digest: OK
D: frr-selinux-7.5.1-4.el8.noarch: Header SHA1 digest: OK
D:   install: frr-selinux-7.5.1-4.el8.noarch has 3 files
D: Plugin: calling hook psm_pre in selinux plugin
D: %prein(frr-selinux-7.5.1-4.el8.noarch): scriptlet start
fdio:       2 writes,      347 total bytes in 0.000014 secs
D: %prein(frr-selinux-7.5.1-4.el8.noarch): execv(/bin/sh) pid 43430
D: Plugin: calling hook scriptlet_fork_post in selinux plugin
D: setexecfilecon: (/bin/sh, rpm_script_t) 
+ . /etc/selinux/config
++ SELINUX=enforcing
++ SELINUXTYPE=targeted
+ _policytype=targeted
+ '[' -z targeted ']'
+ /usr/sbin/selinuxenabled
+ '[' targeted = targeted ']'
+ '[' -f /var/lib/rpm-state/file_contexts.pre ']'
+ cp -f /etc/selinux/targeted/contexts/files/file_contexts /var/lib/rpm-state/file_contexts.pre
D: %prein(frr-selinux-7.5.1-4.el8.noarch): waitpid(43430) rc 43430 status 0
frr-selinux-7.5.1-4.el8               D: ========== Directories not explicitly included in package:
D:          0 /usr/share/selinux/devel/include/distributed/
D:          1 /usr/share/selinux/packages/targeted/
D:          2 /var/lib/selinux/targeted/active/modules/200/
D: ==========
D: Plugin: calling hook fsm_file_prepare in selinux plugin
D: lsetfilecon: (/usr/share/selinux/devel, system_u:object_r:usr_t:s0) 
D: /usr/share/selinux/devel directory created with perms 0755
D: Plugin: calling hook fsm_file_prepare in selinux plugin
D: lsetfilecon: (/usr/share/selinux/devel/include, system_u:object_r:usr_t:s0) 
D: /usr/share/selinux/devel/include directory created with perms 0755
D: Plugin: calling hook fsm_file_prepare in selinux plugin
D: lsetfilecon: (/usr/share/selinux/devel/include/distributed, system_u:object_r:usr_t:s0) 
D: /usr/share/selinux/devel/include/distributed directory created with perms 0755
D: Plugin: calling hook fsm_file_prepare in selinux plugin
D: lsetfilecon: (/usr/share/selinux/packages/targeted, system_u:object_r:usr_t:s0) 
D: /usr/share/selinux/packages/targeted directory created with perms 0755
D: Plugin: calling hook fsm_file_prepare in selinux plugin
D: lsetfilecon: (/var/lib/selinux/targeted/active/modules/200, system_u:object_r:semanage_store_t:s0) 
D: /var/lib/selinux/targeted/active/modules/200 directory created with perms 0755
D: create     100644  1 (   0,   0)  2915 /usr/share/selinux/devel/include/distributed/frr.if;637ef7f2
########ufdio:       1 writes,     2915 total bytes in 0.000014 secs
D: Plugin: calling hook fsm_file_prepare in selinux plugin
D: lsetfilecon: (/usr/share/selinux/devel/include/distributed/frr.if;637ef7f2, system_u:object_r:usr_t:s0) 
D: create     100644  1 (   0,   0) 11893 /usr/share/selinux/packages/targeted/frr.pp.bz2;637ef7f2
################################
ufdio:       1 writes,    11893 total bytes in 0.000026 secs
D: Plugin: calling hook fsm_file_prepare in selinux plugin
D: lsetfilecon: (/usr/share/selinux/packages/targeted/frr.pp.bz2;637ef7f2, system_u:object_r:usr_t:s0) 
fdio:      16 reads,    15260 total bytes in 0.002417 secs
D: adding "frr-selinux" to Name index.
D: adding 3 entries to Basenames index.
D: adding "Unspecified" to Group index.
D: adding 14 entries to Requirename index.
D: adding 1 entries to Providename index.
D: adding 3 entries to Dirnames index.
D: adding 1 entries to Installtid index.
D: adding 1 entries to Sigmd5 index.
D: adding "21375e9b8cf4a8d014596653e37f5630c3b00098" to Sha1header index.
D: %post(frr-selinux-7.5.1-4.el8.noarch): scriptlet start
fdio:       2 writes,      907 total bytes in 0.000010 secs
D: %post(frr-selinux-7.5.1-4.el8.noarch): execv(/bin/sh) pid 43434
D: Plugin: calling hook scriptlet_fork_post in selinux plugin
D: setexecfilecon: (/bin/sh, rpm_script_t) 
+ . /etc/selinux/config
++ SELINUX=enforcing
++ SELINUXTYPE=targeted
+ _policytype=targeted
+ '[' -z targeted ']'
+ '[' targeted = targeted ']'
+ /usr/sbin/semodule -n -s targeted -X 200 -i /usr/share/selinux/packages/targeted/frr.pp.bz2
+ /usr/sbin/selinuxenabled
+ /usr/sbin/load_policy
+ . /etc/selinux/config
++ SELINUX=enforcing
++ SELINUXTYPE=targeted
+ _policytype=targeted
+ '[' -z targeted ']'
+ /usr/sbin/selinuxenabled
+ '[' targeted = targeted ']'
+ '[' -f /var/lib/rpm-state/file_contexts.pre ']'
+ /usr/sbin/fixfiles -C /var/lib/rpm-state/file_contexts.pre restore
+ rm -f /var/lib/rpm-state/file_contexts.pre
+ /usr/sbin/restorecon -R /var/tmp/frr
+ /usr/sbin/restorecon -R /var/run/frr
D: %post(frr-selinux-7.5.1-4.el8.noarch): waitpid(43434) rc 43434 status ff00
warning: %post(frr-selinux-7.5.1-4.el8.noarch) scriptlet failed, exit status 255
ufdio:       6 reads,    13536 total bytes in 0.000007 secs
-----------
- Installation logs:
-----------
#5 3_frr-install-logs-2022-11-24.tbz 
-----------

===========
WORKAROUND:
===========

- I did not find any workaround that we can be used in kickstart file to get the frr package installed during the OS installation.

- Install the frr package post OS installation.

Comment 1 Michal Ruprich 2022-11-29 09:37:20 UTC

Hi Mahesh,

thanks for the report, I was aware of this problem when installing frr regularly via dnf but there, the error is just a sort of a warning and does not abort the installation. I was not aware of the fact that kickstart will abort if there is an error in a post scriptlet. I think the failure is here on lines 218 and 219:

https://pkgs.devel.redhat.com/cgit/rpms/frr/tree/frr.spec?h=rhel-8.7.0#n218

I've added a condition in RHEL9 to run these lines only on upgrade, not on a fresh install:

https://pkgs.devel.redhat.com/cgit/rpms/frr/tree/frr.spec?h=rhel-9-main#n231

I am planning to do this in RHEL-8.8.0 as well.

I have two things to ask of you:

1. Can the customer try to install the package via the %post section in the kickstart? Please forgive me, I am not very skilled with kickstart but I was thinking that something like this could help:

%post
dnf -y install frr
%end

As far as I can tell, this should not end in error since even though the error is visible, the whole process ends with 0. Testing on latest RHEL8:
# dnf -y install frr
...
Installing       : frr-selinux-7.5.1-5.el8.noarch                                                               9/10 
  Running scriptlet: frr-selinux-7.5.1-5.el8.noarch                                                               9/10 
warning: %post(frr-selinux-7.5.1-5.el8.noarch) scriptlet failed, exit status 255

Error in POSTIN scriptlet in rpm package frr-selinux
  Running scriptlet: frr-7.5.1-5.el8.x86_64                                                                      10/10 
  Installing       : frr-7.5.1-5.el8.x86_64                                                                      10/10 
  Running scriptlet: frr-7.5.1-5.el8.x86_64                                                                      10/10 
...
Installed products updated.
...
# echo $?
0

This could be our workaround for RHEL-8.7.0

2. Please ask the customer, if they require the fix in RHEL-8.7.0. As I mentioned above, I have a fix planned for RHEL-8.8.0 now.

Thanks and regards,
Michal

Comment 2 mkenjale 2022-11-30 02:52:39 UTC

Hello Michal,

When I tried installing frr package in the %post section(using rpm command not dnf), the installation did not fail/abort, but the frr-selinux package post script failed. The frr-selinux package is dependency for frr package. 
---
%post --nochroot --log=/mnt/sysimage/var/log/kickstart_post_nochroot.log
echo "Installing frr package"
cd /run/install/sources/mount-0000-cdrom/BaseOS/Packages
rpm -ivh --root=/mnt/sysimage/ checkpolicy-2.9-1.el8.x86_64.rpm lm_sensors-libs-3.4.0-23.20180522git70f7e08.el8.x86_64.rpm net-snmp-libs-5.8-25.el8.x86_64.rpm perl-Carp-1.42-396.el8.noarch.rpm perl-constant-1.33-396.el8.noarch.rpm perl-Data-Dumper-2.167-399.el8.x86_64.rpm perl-Encode-2.97-3.el8.x86_64.rpm perl-Errno-1.28-421.el8.x86_64.rpm perl-Exporter-5.72-396.el8.noarch.rpm perl-File-Path-2.15-2.el8.noarch.rpm perl-File-Temp-0.230.600-1.el8.noarch.rpm perl-Getopt-Long-2.50-4.el8.noarch.rpm perl-HTTP-Tiny-0.074-1.el8.noarch.rpm perl-interpreter-5.26.3-421.el8.x86_64.rpm perl-IO-1.38-421.el8.x86_64.rpm perl-libs-5.26.3-421.el8.x86_64.rpm perl-macros-5.26.3-421.el8.x86_64.rpm perl-MIME-Base64-3.15-396.el8.x86_64.rpm perl-parent-0.237-1.el8.noarch.rpm perl-PathTools-3.74-1.el8.x86_64.rpm perl-Pod-Escapes-1.07-395.el8.noarch.rpm perl-podlators-4.11-1.el8.noarch.rpm perl-Pod-Perldoc-3.28-396.el8.noarch.rpm perl-Pod-Simple-3.35-395.el8.noarch.rpm perl-Pod-Usage-1.69-395.el8.noarch.rpm perl-Scalar-List-Utils-1.49-2.el8.x86_64.rpm perl-Socket-2.027-3.el8.x86_64.rpm perl-Storable-3.11-3.el8.x86_64.rpm perl-Term-ANSIColor-4.06-396.el8.noarch.rpm perl-Term-Cap-1.17-395.el8.noarch.rpm perl-Text-ParseWords-3.30-395.el8.noarch.rpm perl-Text-Tabs+Wrap-2013.0523-395.el8.noarch.rpm perl-threads-2.21-2.el8.x86_64.rpm perl-threads-shared-1.58-2.el8.x86_64.rpm perl-Time-Local-1.280-1.el8.noarch.rpm perl-Unicode-Normalize-1.25-396.el8.x86_64.rpm policycoreutils-python-utils-2.9-20.el8.noarch.rpm python3-audit-3.0.7-4.el8.x86_64.rpm python3-libsemanage-2.9-9.el8.x86_64.rpm python3-policycoreutils-2.9-20.el8.noarch.rpm python3-setools-4.3.0-3.el8.x86_64.rpm ../../AppStream/Packages/frr-7.5.1-4.el8.x86_64.rpm ../../AppStream/Packages/frr-selinux-7.5.1-4.el8.noarch.rpm ../../AppStream/Packages/libyang-1.0.184-1.el8.x86_64.rpm ../../AppStream/Packages/mariadb-connector-c-3.1.11-2.el8_3.x86_64.rpm ../../AppStream/Packages/mariadb-connector-c-config-3.1.11-2.el8_3.noarch.rpm ../../AppStream/Packages/net-snmp-5.8-25.el8.x86_64.rpm ../../AppStream/Packages/net-snmp-agent-libs-5.8-25.el8.x86_64.rpm ../../AppStream/Packages/perl-Digest-1.17-395.el8.noarch.rpm ../../AppStream/Packages/perl-Digest-MD5-2.55-396.el8.x86_64.rpm ../../AppStream/Packages/perl-IO-Socket-IP-0.39-5.el8.noarch.rpm ../../AppStream/Packages/perl-IO-Socket-SSL-2.066-4.module+el8.3.0+6446+594cad75.noarch.rpm ../../AppStream/Packages/perl-libnet-3.11-3.el8.noarch.rpm ../../AppStream/Packages/perl-Mozilla-CA-20160104-7.module+el8.3.0+6498+9eecfe51.noarch.rpm ../../AppStream/Packages/perl-Net-SSLeay-1.88-2.module+el8.6.0+13392+f0897f98.x86_64.rpm ../../AppStream/Packages/perl-URI-1.73-3.el8.noarch.rpm 
%end

# tail -8 mnt/sysimage/var/log/kickstart_post_nochroot.log
checkpolicy-2.9-1.el8                 ########################################
python3-policycoreutils-2.9-20.el8    ########################################
policycoreutils-python-utils-2.9-20.el########################################
frr-selinux-7.5.1-4.el8               ########################################
warning: %post(frr-selinux-7.5.1-4.el8.noarch) scriptlet failed, exit status 255
frr-7.5.1-4.el8                       ########################################
Running in chroot, ignoring request: daemon-reload
Running in chroot, ignoring request: daemon-reload
---

- When I installed frr package post OS installation, using "dnf install frr" command, the post script of frr-selinux package did not fail.

- Installation is only failing when we add frr package in %packages section, not when we try installing the package in %post section.

- The only problem installing the package in the %post section is the post script of the frr-selinux package is failing. 


1. Can the customer try to install the package via the %post section in the kickstart? Please forgive me, I am not very skilled with kickstart but I was thinking that something like this could help:

%post
dnf -y install frr
%end

As far as I can tell, this should not end in error since even though the error is visible, the whole process ends with 0. Testing on latest RHEL8:
# dnf -y install frr
...
Installing       : frr-selinux-7.5.1-5.el8.noarch                                                               9/10 
  Running scriptlet: frr-selinux-7.5.1-5.el8.noarch                                                               9/10 
warning: %post(frr-selinux-7.5.1-5.el8.noarch) scriptlet failed, exit status 255

Error in POSTIN scriptlet in rpm package frr-selinux
  Running scriptlet: frr-7.5.1-5.el8.x86_64                                                                      10/10 
  Installing       : frr-7.5.1-5.el8.x86_64                                                                      10/10 
  Running scriptlet: frr-7.5.1-5.el8.x86_64                                                                      10/10 
...
Installed products updated.
...
# echo $?
0

==> Even if we install the frr package in the %post section using dnf command, the post script of frr-selinux package will fail, however the installation will not fail/abort. I will give it a try and will get back to you.

2. Please ask the customer, if they require the fix in RHEL-8.7.0. As I mentioned above, I have a fix planned for RHEL-8.8.0 now.
==> I will check with cu and update you.

Comment 3 Michal Ruprich 2022-11-30 08:15:35 UTC

Hi Mahesh,

thank you for the feedback. It is as I suspected. I would like to give a full explanation about the situation here.

So in RHEL-8.7.0 I've added new SELinux policy for FRR resulting in the aforementioned frr-selinux sub-package. This meant that every file installed or created by FRR needed to be relabeled including files in /var/tmp/frr and /var/run/frr. These files had tmp_t and needed tmp_frr_t. But in a situation when a user is upgrading from previous version of RHEL, these files might be present in the system since FRR might be running before the upgrade. The result of upgrade would be a couple of AVCs since the newly labeled FRR binaries cannot properly access files with tmp_t. This is why I added those two lines with restorecon in the specfile to prevent AVCs. What I did not realize was, that this needed to be under a condition that the install is an upgrade, not a fresh install because with fresh install, the files do not exist yet. To demonstrate, I am using the same line on a system without FRR:

# restorecon -R /var/tmp/frr 
restorecon: lstat(/var/tmp/frr) failed: No such file or directory
# echo $?
255

This is the failure that causes the whole %post to return 255 and thus fail. But the good thing here is, that it does not prevent the package from being installed as shown on RHEL-8.7.0 example(the version of RHEL where I created this error):
# dnf -y install frr
...
Running scriptlet: frr-selinux-7.5.1-4.el8.noarch                                                               9/10 
  Installing       : frr-selinux-7.5.1-4.el8.noarch                                                               9/10 
  Running scriptlet: frr-selinux-7.5.1-4.el8.noarch                                                               9/10 
warning: %post(frr-selinux-7.5.1-4.el8.noarch) scriptlet failed, exit status 255

Error in POSTIN scriptlet in rpm package frr-selinux
  Running scriptlet: frr-7.5.1-4.el8.x86_64                                                                      10/10 
  Installing       : frr-7.5.1-4.el8.x86_64                                                                      10/10 
  Running scriptlet: frr-7.5.1-4.el8.x86_64
...
Installed products updated.
...
Complete!
# rpm -qa | grep frr
frr-7.5.1-4.el8.x86_64
frr-selinux-7.5.1-4.el8.noarch

So the gist is that even though I understand that the error should not be there, at least in the %post section it does not disrupt the install and you(or the customer) can just ignore it.

Hope this helps.

Regards,
Michal

Comment 15 errata-xmlrpc 2023-05-16 08:30:22 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: frr security and bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:2801

Note You need to log in before you can comment on or make changes to this bug.