2164752 – SELinux is preventing rpmdb_migrate from 'map' accesses on the file /usr/bin/bash (rpmdb-migrate service fails on upgrade to F38)

Bug 2164752 - SELinux is preventing rpmdb_migrate from 'map' accesses on the file /usr/bin/bash (rpmdb-migrate service fails on upgrade to F38)

Summary: SELinux is preventing rpmdb_migrate from 'map' accesses on the file /usr/bin/...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	38
Hardware:	x86_64
OS:	Linux
Priority:	medium
Severity:	unspecified
Target Milestone:	---
Assignee:	Zdenek Pytela
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:	abrt_hash:7805be32371294f1632f27e9942...
Duplicates (6):	2166633 2166897 2173363 2173952 2174567 2175539 (view as bug list)
Depends On:
Blocks:	F38BetaFreezeException F38FinalBlocker
TreeView+	depends on / blocked

Reported:	2023-01-26 11:10 UTC by Neil Darlow
Modified:	2023-03-09 22:53 UTC (History)
CC List:	15 users (show)
Fixed In Version:	selinux-policy-37.19-1.fc37 selinux-policy-38.8-2.fc38
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2023-03-09 22:53:20 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	fedora-selinux selinux-policy pull 1584	0	None	Merged	Additional support for rpmdb_migrate	2023-02-03 15:18:36 UTC

Description Neil Darlow 2023-01-26 11:10:14 UTC

Description of problem:
Appears after login to DE on fedora 37 Workstation Cinnamon spin after dnf system-upgrade from version 36.

Upgrade went smoothly and post-upgrade tasks required no additional action other than manually removing previous version's kernel packages.
SELinux is preventing rpmdb_migrate from 'map' accesses on the file /usr/bin/bash.

*****  Plugin catchall_boolean (89.3 confidence) suggests   ******************

If you want to allow domain to can mmap files
Then you must tell SELinux about this by enabling the 'domain_can_mmap_files' boolean.

Do
setsebool -P domain_can_mmap_files 1

*****  Plugin catchall (11.6 confidence) suggests   **************************

If you believe that rpmdb_migrate should be allowed map access on the bash file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'rpmdb_migrate' --raw | audit2allow -M my-rpmdbmigrate
# semodule -X 300 -i my-rpmdbmigrate.pp

Additional Information:
Source Context                system_u:system_r:rpmdb_t:s0
Target Context                system_u:object_r:shell_exec_t:s0
Target Objects                /usr/bin/bash [ file ]
Source                        rpmdb_migrate
Source Path                   rpmdb_migrate
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           bash-5.2.15-1.fc37.x86_64
SELinux Policy RPM            selinux-policy-targeted-37.18-1.fc37.noarch
Local Policy RPM              selinux-policy-targeted-37.18-1.fc37.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     (removed)
Platform                      Linux (removed) 6.1.7-200.fc37.x86_64 #1 SMP
                              PREEMPT_DYNAMIC Wed Jan 18 17:11:49 UTC 2023
                              x86_64 x86_64
Alert Count                   2
First Seen                    2023-01-26 09:02:00 GMT
Last Seen                     2023-01-26 10:57:01 GMT
Local ID                      9dcf2199-7f19-4b22-98a0-c35db5583338

Raw Audit Messages
type=AVC msg=audit(1674730621.159:170): avc:  denied  { map } for  pid=969 comm="rpmdb_migrate" path="/usr/bin/bash" dev="dm-4" ino=54100154 scontext=system_u:system_r:rpmdb_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0


Hash: rpmdb_migrate,rpmdb_t,shell_exec_t,file,map

Version-Release number of selected component:
selinux-policy-targeted-37.18-1.fc37.noarch

Additional info:
component:      selinux-policy
reporter:       libreport-2.17.4
hashmarkername: setroubleshoot
kernel:         6.1.7-200.fc37.x86_64
type:           libreport

Comment 1 Zdenek Pytela 2023-01-26 12:21:56 UTC

Neil,

Do you know exactly at which moment this denial appeared, or can you pair it with a particular log entry?
So far, rpmdb was not allowed to run a shell, so I cam curious what has changed.

Comment 2 Neil Darlow 2023-01-26 12:48:29 UTC

From audit.log (3 preceeding and 3 following lines around reported failure:

type=SERVICE_START msg=audit(1674651297.514:170): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-update-utmp comm="systemd" exe="/usr/lib/systemd/systemd" hostname=
? addr=? terminal=? res=success'^]UID="root" AUID="unset"
type=SERVICE_START msg=audit(1674651297.529:171): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-oomd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=
? terminal=? res=success'^]UID="root" AUID="unset"
type=SERVICE_START msg=audit(1674651297.559:172): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-resolved comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? a
ddr=? terminal=? res=success'^]UID="root" AUID="unset"
type=BPF msg=audit(1674651297.564:173): prog-id=66 op=LOAD
type=AVC msg=audit(1674651297.576:174): avc:  denied  { map } for  pid=983 comm="rpmdb_migrate" path="/usr/bin/bash" dev="dm-4" ino=54100154 scontext=system_u:system_r:rpmdb_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
type=ANOM_ABEND msg=audit(1674651297.576:175): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=system_u:system_r:rpmdb_t:s0 pid=983 comm="rpmdb_migrate" exe="/usr/bin/bash" sig=11 res=1^]AUID="unset" UID="root" GID="root"
type=SERVICE_START msg=audit(1674651297.586:176): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=rpmdb-migrate comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'^]UID="root" AUID="unset"
type=SERVICE_START msg=audit(1674651297.594:177): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=dbus-broker comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'^]UID="root" AUID="unset"
type=SERVICE_START msg=audit(1674651297.606:178): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=alsa-state comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'^]UID="root" AUID="unset"
type=SERVICE_START msg=audit(1674651297.611:179): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=irqbalance comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'^]UID="root" AUID="unset"

dm-4 is my hard drive sitting behind a lvm-cache as follows:

[root@dumbledore ~]# ls -l /dev/mapper
total 0
lrwxrwxrwx. 1 root root       7 Jan 26 12:36 cache-hdd -> ../dm-4
lrwxrwxrwx. 1 root root       7 Jan 26 12:36 cache-hdd_corig -> ../dm-3
lrwxrwxrwx. 1 root root       7 Jan 26 12:36 cache-nvme_cvol -> ../dm-0
lrwxrwxrwx. 1 root root       7 Jan 26 12:36 cache-nvme_cvol-cdata -> ../dm-1
lrwxrwxrwx. 1 root root       7 Jan 26 12:36 cache-nvme_cvol-cmeta -> ../dm-2

I hope this is of some use.

Comment 3 Neil Darlow 2023-01-26 13:01:26 UTC

Looks like rpm-migratedb.service executes /usr/lib/rpm/rpmdb_migrate which has a #!/usr/bin/bash shebang line.

Comment 4 Gus Wirth 2023-01-27 02:11:34 UTC

Same thing just happened to me. Upgraded from Fedora 36 to Fedora 37. Very first login after system rebooted from the upgrade. Using the KDE spin, but that doesn't seem to be a factor for something caused by rpmdb_migrate.

Comment 5 Milos Malik 2023-01-31 16:53:53 UTC

# touch /var/lib/rpm/.migratedb
# service rpmdb-migrate restart

----
type=PROCTITLE msg=audit(01/31/2023 11:49:43.819:490) : proctitle=(null) 
type=PATH msg=audit(01/31/2023 11:49:43.819:490) : item=2 name=/lib64/ld-linux-x86-64.so.2 inode=139843 dev=fc:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(01/31/2023 11:49:43.819:490) : item=1 name=/usr/bin/bash inode=139964 dev=fc:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:shell_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(01/31/2023 11:49:43.819:490) : item=0 name=/usr/lib/rpm/rpmdb_migrate inode=159048 dev=fc:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:rpmdb_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(01/31/2023 11:49:43.819:490) : cwd=/ 
type=SYSCALL msg=audit(01/31/2023 11:49:43.819:490) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x563f108cfad0 a1=0x563f107dcac0 a2=0x563f108b1af0 a3=0x563f0d73f010 items=3 ppid=1 pid=1442 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rpmdb_migrate exe=/usr/bin/bash subj=system_u:system_r:rpmdb_t:s0 key=(null) 
type=AVC msg=audit(01/31/2023 11:49:43.819:490) : avc:  denied  { map } for  pid=1442 comm=rpmdb_migrate path=/usr/bin/bash dev="vda2" ino=139964 scontext=system_u:system_r:rpmdb_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0 
----

# rpm -qa selinux\* rpm\* | sort
rpm-4.18.0-10.fc38.x86_64
rpmautospec-rpm-macros-0.3.2-1.fc38.noarch
rpm-build-libs-4.18.0-10.fc38.x86_64
rpm-libs-4.18.0-10.fc38.x86_64
rpm-plugin-selinux-4.18.0-10.fc38.x86_64
rpm-plugin-systemd-inhibit-4.18.0-10.fc38.x86_64
rpm-sequoia-1.2.0-2.fc38.x86_64
rpm-sign-libs-4.18.0-10.fc38.x86_64
selinux-policy-38.5-2.fc38.noarch
selinux-policy-targeted-38.5-2.fc38.noarch
#

Comment 6 Milos Malik 2023-01-31 16:58:36 UTC

Following SELinux denials appeared in permissive mode:
----
type=PROCTITLE msg=audit(01/31/2023 11:56:27.532:494) : proctitle=/usr/bin/bash /usr/lib/rpm/rpmdb_migrate 
type=PATH msg=audit(01/31/2023 11:56:27.532:494) : item=2 name=/lib64/ld-linux-x86-64.so.2 inode=139843 dev=fc:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(01/31/2023 11:56:27.532:494) : item=1 name=/usr/bin/bash inode=139964 dev=fc:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:shell_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(01/31/2023 11:56:27.532:494) : item=0 name=/usr/lib/rpm/rpmdb_migrate inode=159048 dev=fc:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:rpmdb_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(01/31/2023 11:56:27.532:494) : cwd=/ 
type=EXECVE msg=audit(01/31/2023 11:56:27.532:494) : argc=2 a0=/usr/bin/bash a1=/usr/lib/rpm/rpmdb_migrate 
type=SYSCALL msg=audit(01/31/2023 11:56:27.532:494) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x563f108fb790 a1=0x563f10993330 a2=0x563f1088e470 a3=0x563f0d73f010 items=3 ppid=1 pid=1477 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rpmdb_migrate exe=/usr/bin/bash subj=system_u:system_r:rpmdb_t:s0 key=(null) 
type=AVC msg=audit(01/31/2023 11:56:27.532:494) : avc:  denied  { execute } for  pid=1477 comm=rpmdb_migrate path=/usr/bin/bash dev="vda2" ino=139964 scontext=system_u:system_r:rpmdb_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=1 
type=AVC msg=audit(01/31/2023 11:56:27.532:494) : avc:  denied  { map } for  pid=1477 comm=rpmdb_migrate path=/usr/bin/bash dev="vda2" ino=139964 scontext=system_u:system_r:rpmdb_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=1 
----
type=PROCTITLE msg=audit(01/31/2023 11:56:27.537:495) : proctitle=/usr/bin/bash /usr/lib/rpm/rpmdb_migrate 
type=PATH msg=audit(01/31/2023 11:56:27.537:495) : item=0 name=/usr/bin/rpm inode=158893 dev=fc:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:rpm_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(01/31/2023 11:56:27.537:495) : cwd=/ 
type=SYSCALL msg=audit(01/31/2023 11:56:27.537:495) : arch=x86_64 syscall=newfstatat success=yes exit=0 a0=AT_FDCWD a1=0x557499ded720 a2=0x7ffd734674c0 a3=0x0 items=1 ppid=1477 pid=1478 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rpmdb_migrate exe=/usr/bin/bash subj=system_u:system_r:rpmdb_t:s0 key=(null) 
type=AVC msg=audit(01/31/2023 11:56:27.537:495) : avc:  denied  { getattr } for  pid=1478 comm=rpmdb_migrate path=/usr/bin/rpm dev="vda2" ino=158893 scontext=system_u:system_r:rpmdb_t:s0 tcontext=system_u:object_r:rpm_exec_t:s0 tclass=file permissive=1 
----
type=PROCTITLE msg=audit(01/31/2023 11:56:27.538:496) : proctitle=/usr/bin/bash /usr/lib/rpm/rpmdb_migrate 
type=PATH msg=audit(01/31/2023 11:56:27.538:496) : item=0 name=/usr/bin/rpm inode=158893 dev=fc:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:rpm_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(01/31/2023 11:56:27.538:496) : cwd=/ 
type=SYSCALL msg=audit(01/31/2023 11:56:27.538:496) : arch=x86_64 syscall=access success=yes exit=0 a0=0x557499ded720 a1=X_OK a2=0x0 a3=0x0 items=1 ppid=1477 pid=1478 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rpmdb_migrate exe=/usr/bin/bash subj=system_u:system_r:rpmdb_t:s0 key=(null) 
type=AVC msg=audit(01/31/2023 11:56:27.538:496) : avc:  denied  { execute } for  pid=1478 comm=rpmdb_migrate name=rpm dev="vda2" ino=158893 scontext=system_u:system_r:rpmdb_t:s0 tcontext=system_u:object_r:rpm_exec_t:s0 tclass=file permissive=1 
----
type=PROCTITLE msg=audit(01/31/2023 11:56:27.538:497) : proctitle=/usr/bin/bash /usr/lib/rpm/rpmdb_migrate 
type=PATH msg=audit(01/31/2023 11:56:27.538:497) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=139843 dev=fc:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(01/31/2023 11:56:27.538:497) : item=0 name=/usr/bin/rpm inode=158893 dev=fc:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:rpm_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(01/31/2023 11:56:27.538:497) : cwd=/ 
type=EXECVE msg=audit(01/31/2023 11:56:27.538:497) : argc=3 a0=rpm a1=--eval a2=%_dbpath 
type=SYSCALL msg=audit(01/31/2023 11:56:27.538:497) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x557499ded720 a1=0x557499ded290 a2=0x557499de9d60 a3=0x8 items=2 ppid=1477 pid=1478 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rpm exe=/usr/bin/rpm subj=system_u:system_r:rpmdb_t:s0 key=(null) 
type=AVC msg=audit(01/31/2023 11:56:27.538:497) : avc:  denied  { map } for  pid=1478 comm=rpm path=/usr/bin/rpm dev="vda2" ino=158893 scontext=system_u:system_r:rpmdb_t:s0 tcontext=system_u:object_r:rpm_exec_t:s0 tclass=file permissive=1 
type=AVC msg=audit(01/31/2023 11:56:27.538:497) : avc:  denied  { execute_no_trans } for  pid=1478 comm=rpmdb_migrate path=/usr/bin/rpm dev="vda2" ino=158893 scontext=system_u:system_r:rpmdb_t:s0 tcontext=system_u:object_r:rpm_exec_t:s0 tclass=file permissive=1 
type=AVC msg=audit(01/31/2023 11:56:27.538:497) : avc:  denied  { open } for  pid=1478 comm=rpmdb_migrate path=/usr/bin/rpm dev="vda2" ino=158893 scontext=system_u:system_r:rpmdb_t:s0 tcontext=system_u:object_r:rpm_exec_t:s0 tclass=file permissive=1 
----
type=PROCTITLE msg=audit(01/31/2023 11:56:27.549:498) : proctitle=/usr/bin/bash /usr/lib/rpm/rpmdb_migrate 
type=PATH msg=audit(01/31/2023 11:56:27.549:498) : item=0 name=/var/lib/rpm inode=563 dev=fc:02 mode=link,777 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:rpm_var_lib_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(01/31/2023 11:56:27.549:498) : cwd=/ 
type=SYSCALL msg=audit(01/31/2023 11:56:27.549:498) : arch=x86_64 syscall=newfstatat success=yes exit=0 a0=AT_FDCWD a1=0x557499dede30 a2=0x7ffd73467fa0 a3=0x100 items=1 ppid=1 pid=1477 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rpmdb_migrate exe=/usr/bin/bash subj=system_u:system_r:rpmdb_t:s0 key=(null) 
type=AVC msg=audit(01/31/2023 11:56:27.549:498) : avc:  denied  { getattr } for  pid=1477 comm=rpmdb_migrate path=/var/lib/rpm dev="vda2" ino=563 scontext=system_u:system_r:rpmdb_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=lnk_file permissive=1 
----
type=PROCTITLE msg=audit(01/31/2023 11:56:27.549:499) : proctitle=/usr/bin/bash /usr/lib/rpm/rpmdb_migrate 
type=PATH msg=audit(01/31/2023 11:56:27.549:499) : item=0 name=/usr/bin/rm inode=148137 dev=fc:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(01/31/2023 11:56:27.549:499) : cwd=/ 
type=SYSCALL msg=audit(01/31/2023 11:56:27.549:499) : arch=x86_64 syscall=access success=yes exit=0 a0=0x557499ded9f0 a1=X_OK a2=0x0 a3=0x0 items=1 ppid=1 pid=1477 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rpmdb_migrate exe=/usr/bin/bash subj=system_u:system_r:rpmdb_t:s0 key=(null) 
type=AVC msg=audit(01/31/2023 11:56:27.549:499) : avc:  denied  { execute } for  pid=1477 comm=rpmdb_migrate name=rm dev="vda2" ino=148137 scontext=system_u:system_r:rpmdb_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1 
----
type=PROCTITLE msg=audit(01/31/2023 11:56:27.551:500) : proctitle=rm -v /var/lib/rpm/.migratedb 
type=PATH msg=audit(01/31/2023 11:56:27.551:500) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=139843 dev=fc:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=PATH msg=audit(01/31/2023 11:56:27.551:500) : item=0 name=/usr/bin/rm inode=148137 dev=fc:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:bin_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(01/31/2023 11:56:27.551:500) : cwd=/ 
type=EXECVE msg=audit(01/31/2023 11:56:27.551:500) : argc=3 a0=rm a1=-v a2=/var/lib/rpm/.migratedb 
type=SYSCALL msg=audit(01/31/2023 11:56:27.551:500) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x557499ded9f0 a1=0x557499def000 a2=0x557499de9d60 a3=0x8 items=2 ppid=1477 pid=1479 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rm exe=/usr/bin/rm subj=system_u:system_r:rpmdb_t:s0 key=(null) 
type=AVC msg=audit(01/31/2023 11:56:27.551:500) : avc:  denied  { map } for  pid=1479 comm=rm path=/usr/bin/rm dev="vda2" ino=148137 scontext=system_u:system_r:rpmdb_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1 
type=AVC msg=audit(01/31/2023 11:56:27.551:500) : avc:  denied  { execute_no_trans } for  pid=1479 comm=rpmdb_migrate path=/usr/bin/rm dev="vda2" ino=148137 scontext=system_u:system_r:rpmdb_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=1 
----
type=PROCTITLE msg=audit(01/31/2023 11:56:27.553:501) : proctitle=rm -v /var/lib/rpm/.migratedb 
type=PATH msg=audit(01/31/2023 11:56:27.553:501) : item=0 name=/var/lib/rpm/.migratedb inode=202090 dev=fc:02 mode=file,644 ouid=root ogid=root rdev=00:00 obj=unconfined_u:object_r:rpm_var_lib_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 
type=CWD msg=audit(01/31/2023 11:56:27.553:501) : cwd=/ 
type=SYSCALL msg=audit(01/31/2023 11:56:27.553:501) : arch=x86_64 syscall=newfstatat success=yes exit=0 a0=AT_FDCWD a1=0x564aba690910 a2=0x564aba690880 a3=0x100 items=1 ppid=1477 pid=1479 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rm exe=/usr/bin/rm subj=system_u:system_r:rpmdb_t:s0 key=(null) 
type=AVC msg=audit(01/31/2023 11:56:27.553:501) : avc:  denied  { read } for  pid=1479 comm=rm name=rpm dev="vda2" ino=563 scontext=system_u:system_r:rpmdb_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=lnk_file permissive=1 
----

Comment 8 Flo 2023-02-01 20:33:35 UTC

Similar problem has been detected:

This happened on first boot after upgrading from f36 to f37.

It (possibly) results in:

rpmdb-migrate.service - RPM database migration to /usr
     Loaded: loaded (/usr/lib/systemd/system/rpmdb-migrate.service; enabled; preset: enabled)
     Active: failed (Result: signal) since Wed 2023-02-01 21:26:51 CET; 5min ago
    Process: 10654 ExecStart=/usr/lib/rpm/rpmdb_migrate (code=killed, signal=SEGV)
   Main PID: 10654 (code=killed, signal=SEGV)
        CPU: 1ms

Feb 01 21:26:51 fedora systemd[1]: Starting rpmdb-migrate.service - RPM database migration to /usr...
Feb 01 21:26:51 fedora systemd[1]: rpmdb-migrate.service: Main process exited, code=killed, status=11/SEGV
Feb 01 21:26:51 fedora systemd[1]: rpmdb-migrate.service: Failed with result 'signal'.
Feb 01 21:26:51 fedora systemd[1]: Failed to start rpmdb-migrate.service - RPM database migration to /usr.






hashmarkername: setroubleshoot
kernel:         6.1.8-200.fc37.x86_64
package:        selinux-policy-targeted-37.18-1.fc37.noarch
reason:         SELinux is preventing rpmdb_migrate from 'map' accesses on the Datei /usr/bin/bash.
type:           libreport

Comment 9 Zdenek Pytela 2023-02-03 13:16:57 UTC

*** Bug 2166897 has been marked as a duplicate of this bug. ***

Comment 10 Zdenek Pytela 2023-02-03 13:45:52 UTC

*** Bug 2166633 has been marked as a duplicate of this bug. ***

Comment 11 Fedora Update System 2023-02-03 15:16:34 UTC

FEDORA-2023-7bf3639a5d has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2023-7bf3639a5d

Comment 12 Fedora Update System 2023-02-04 02:50:58 UTC

FEDORA-2023-7bf3639a5d has been pushed to the Fedora 37 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2023-7bf3639a5d`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-7bf3639a5d

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 13 Flo 2023-02-04 07:08:57 UTC

Pushed update fixes the problem for me. thank you!

Comment 14 Fedora Update System 2023-02-05 01:46:34 UTC

FEDORA-2023-7bf3639a5d has been pushed to the Fedora 37 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 15 Zdenek Pytela 2023-02-27 15:58:08 UTC

*** Bug 2173363 has been marked as a duplicate of this bug. ***

Comment 16 Zdenek Pytela 2023-03-02 09:25:10 UTC

*** Bug 2174567 has been marked as a duplicate of this bug. ***

Comment 17 Zdenek Pytela 2023-03-02 09:25:43 UTC

*** Bug 2173952 has been marked as a duplicate of this bug. ***

Comment 18 Adam Williamson 2023-03-02 17:41:48 UTC

This needs fixing on F38. Proposing as a Final blocker as a violation of Final criterion "All system services present after installation with one of the release-blocking package sets must start properly, unless they require hardware which is not present" together with Beta requirement "The upgraded system must meet all release criteria" - https://fedoraproject.org/wiki/Fedora_38_Beta_Release_Criteria#Upgrade_requirements and https://fedoraproject.org/wiki/Fedora_38_Final_Release_Criteria#System_services . Also proposing as a Beta FE as it would be good to ensure this migration works correctly for upgrades performed during the Beta freeze.

Comment 19 Adam Williamson 2023-03-04 02:53:19 UTC

+3 in https://pagure.io/fedora-qa/blocker-review/issue/1066 , marking accepted FE.

Comment 20 Fedora Update System 2023-03-04 19:54:15 UTC

FEDORA-2023-eaebcb91e7 has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2023-eaebcb91e7

Comment 21 Ian Laurie 2023-03-04 23:09:11 UTC

This is fixed for me with https://bodhi.fedoraproject.org/updates/FEDORA-2023-eaebcb91e7

Comment 22 Fedora Update System 2023-03-05 03:10:26 UTC

FEDORA-2023-eaebcb91e7 has been pushed to the Fedora 38 testing repository.

You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2023-eaebcb91e7

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 23 Michael Catanzaro 2023-03-07 20:52:45 UTC

*** Bug 2175539 has been marked as a duplicate of this bug. ***

Comment 24 Fedora Update System 2023-03-09 22:53:20 UTC

FEDORA-2023-eaebcb91e7 has been pushed to the Fedora 38 stable repository.
If problem still persists, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.