Bug 2174592 - rpmdb-migrate.service fails on upgrade to Fedora 38 due to SELinux denial
Summary: rpmdb-migrate.service fails on upgrade to Fedora 38 due to SELinux denial
Keywords:
Status: CLOSED DUPLICATE of bug 2173952
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 38
Hardware: All
OS: Linux
unspecified
high
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: F38BetaFreezeException F38FinalBlocker
TreeView+ depends on / blocked
 
Reported: 2023-03-01 22:25 UTC by Adam Williamson
Modified: 2023-03-01 22:49 UTC (History)
9 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-03-01 22:28:49 UTC
Type: Bug
Embargoed:


Attachments (Terms of Use)

Description Adam Williamson 2023-03-01 22:25:42 UTC
There's an openQA test which tests upgrades - it starts from a clean install of the Workstation edition of the previous release, then upgrades to the release under test. There's a follow-up test which checks that all services started successfully.

Since Fedora-38-20230218.n.0 that test has been failing for F38, because the service `rpmdb-migrate.service` fails. The logs show this:

Mar 01 05:31:11 fedora systemd[1]: Starting rpmdb-migrate.service - RPM database migration to /usr...
Mar 01 05:31:11 fedora systemd[1]: rpmdb-rebuild.service - RPM database rebuild was skipped because of an unmet condition check (ConditionPathExists=/usr/lib/sysimage/rpm/.rebuilddb).
Mar 01 05:31:11 fedora systemd[1]: systemd-pcrphase-sysinit.service - TPM2 PCR Barrier (Initialization) was skipped because of an unmet condition check (ConditionPathExists=/sys/firmware/efi/efivars/StubPcrKernelImage-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f).
Mar 01 05:31:11 fedora audit[600]: AVC avc:  denied  { map } for  pid=600 comm="rpmdb_migrate" path="/usr/bin/bash" dev="vda3" ino=194594 scontext=system_u:system_r:rpmdb_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
Mar 01 05:31:11 fedora audit[600]: ANOM_ABEND auid=4294967295 uid=0 gid=0 ses=4294967295 subj=system_u:system_r:rpmdb_t:s0 pid=600 comm="rpmdb_migrate" exe="/usr/bin/bash" sig=11 res=1
Mar 01 05:31:11 fedora audit: BPF prog-id=61 op=LOAD
Mar 01 05:31:11 fedora systemd[1]: Starting dbus-broker.service - D-Bus System Message Bus...
Mar 01 05:31:11 fedora systemd[1]: rpmdb-migrate.service: Main process exited, code=killed, status=11/SEGV
Mar 01 05:31:11 fedora systemd[1]: rpmdb-migrate.service: Failed with result 'signal'.
Mar 01 05:31:11 fedora systemd[1]: Failed to start rpmdb-migrate.service - RPM database migration to /usr.

that is, it seems to fail because the process crashes, which is likely caused by the SELinux denial:

Mar 01 05:31:11 fedora audit[600]: AVC avc:  denied  { map } for  pid=600 comm="rpmdb_migrate" path="/usr/bin/bash" dev="vda3" ino=194594 scontext=system_u:system_r:rpmdb_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0

Proposing as a Final blocker as a violation of Final criterion "All system services present after installation with one of the release-blocking package sets must start properly, unless they require hardware which is not present" together with Beta requirement "The upgraded system must meet all release criteria" - https://fedoraproject.org/wiki/Fedora_38_Beta_Release_Criteria#Upgrade_requirements and https://fedoraproject.org/wiki/Fedora_38_Final_Release_Criteria#System_services .

Comment 1 Adam Williamson 2023-03-01 22:26:15 UTC
Also proposing as a Beta FE as it would be good to ensure this migration works correctly for upgrades performed during the Beta freeze.

Comment 2 Adam Williamson 2023-03-01 22:28:49 UTC
Sorry, just noticed lruzicka already reported this.

*** This bug has been marked as a duplicate of bug 2173952 ***


Note You need to log in before you can comment on or make changes to this bug.