I have seen other similar dnf errors recently, but this is appearing in the dnf output after an attempt to update to kernel-6.12.11 ended up needing a lot of manual intervention with rpm and dracut and hand editing of various grubby entries. All the dnf errors were similar, in particular the /usr/bin/rpm-ostree errors below:

    >>> Running pre-uninstall scriptlet: kernel-core-0:6.12.10-200.fc41.x86_64
    >>> Error in pre-uninstall scriptlet: kernel-core-0:6.12.10-200.fc41.x86_64
    >>> Scriptlet output:
    >>> /usr/lib/kernel/install.d/05-rpmostree.install: line 3: /usr/bin/rpm-ostree: Permission denied
    >>> /usr/lib/kernel/install.d/05-rpmostree.install: line 3: /usr/bin/rpm-ostree: Success
    >>> /usr/lib/kernel/install.d/05-rpmostree.install failed with exit status 126.
    >>>
    >>> [RPM] %preun(kernel-core-6.12.10-200.fc41.x86_64) scriptlet failed, exit status 126

The kernel update script I use is run under sudo and requests password as expected.

The rpm-ostree script called is this:

    cat /usr/lib/kernel/install.d/05-rpmostree.install
    #!/usr/bin/bash
    # This is the hook that has kernel-install call into rpm-ostree kernel-install
    exec /usr/bin/rpm-ostree kernel-install "$@"

The files mentioned have these permissions:

    ll /usr/bin/kernel-install
    -rwxr-xr-x. 1 root root 60200 Jan 8 00:00 /usr/bin/kernel-install
    bdm@deangelis:~$ ll /usr/lib/kernel/install.d/05-rpmostree.install
    -rwxr-xr-x. 1 root root 140 Jan 24 00:00 /usr/lib/kernel/install.d/05-rpmostree.install

Another clue is that the kernel-core-6.12.11 package is listed 3 times:

    rpm -qa | grep kernel-core-6.12.11
    kernel-core-6.12.11-200.fc41.x86_64
    kernel-core-6.12.11-200.fc41.x86_64
    kernel-core-6.12.11-200.fc41.x86_64

I cannot find a way to correct this. dnf doesn't produce any output when using:

    sudo dnf repoquery --duplicates

and

    sudo dnf remove duplicates

also produces no output.

The same error is occurring where for some reason any dnf transaction appears to want to remove kernel-6.12.10 as well as perform the changes expected. This is the error seen above.

I have tried sudo rpm --rebuilddb, it has made no difference.

Reproducible: Always

Steps to Reproduce:
1. Run sudo dnf update with any arguments added

Actual Results: Errors from rpm-ostree

Expected Results: No errors, which until about 3 or 4 days ago was normal.
Can you share the kernel update script you are using? Also, is this a CoreOS, Silverblue or bootc environment? Are you upgrading the kernel with DNF in a container build, or is your script doing something when the system is booted? In 2025.2 we introduced a kernel-install integration which should allow you to use (in a container build) dnf to upgrade your kernel.
Here is the script, it's nothing fancy or clever, arguments are supplied as 6.12.11 200 fc41 in the case of this problem

    #!/bin/sh
    sudo dnf -y upgrade \
    https://kojipkgs.fedoraproject.org//packages/kernel/$1/$2.$3/x86_64/kernel-$1-$2.$3.x86_64.rpm \
    https://kojipkgs.fedoraproject.org//packages/kernel/$1/$2.$3/x86_64/kernel-core-$1-$2.$3.x86_64.rpm \
    https://kojipkgs.fedoraproject.org//packages/kernel/$1/$2.$3/x86_64/kernel-devel-$1-$2.$3.x86_64.rpm \
    https://kojipkgs.fedoraproject.org//packages/kernel/$1/$2.$3/x86_64/kernel-devel-matched-$1-$2.$3.x86_64.rpm \
    https://kojipkgs.fedoraproject.org//packages/kernel/$1/$2.$3/x86_64/kernel-modules-$1-$2.$3.x86_64.rpm \
    https://kojipkgs.fedoraproject.org//packages/kernel/$1/$2.$3/x86_64/kernel-modules-core-$1-$2.$3.x86_64.rpm \
    https://kojipkgs.fedoraproject.org//packages/kernel/$1/$2.$3/x86_64/kernel-modules-extra-$1-$2.$3.x86_64.rpm \
    https://kojipkgs.fedoraproject.org//packages/kernel/$1/$2.$3/x86_64/kernel-uki-virt-$1-$2.$3.x86_64.rpm \
    https://kojipkgs.fedoraproject.org//packages/kernel/$1/$2.$3/x86_64/kernel-uki-virt-addons-$1-$2.$3.x86_64.rpm \
    https://kojipkgs.fedoraproject.org//packages/kernel/$1/$2.$3/x86_64/kernel-tools-$1-$2.$3.x86_64.rpm \
    https://kojipkgs.fedoraproject.org//packages/kernel/$1/$2.$3/x86_64/kernel-tools-libs-$1-$2.$3.x86_64.rpm \
    https://kojipkgs.fedoraproject.org//packages/kernel/$1/$2.$3/x86_64/libperf-$1-$2.$3.x86_64.rpm \
    https://kojipkgs.fedoraproject.org//packages/kernel/$1/$2.$3/x86_64/perf-$1-$2.$3.x86_64.rpm \
    https://kojipkgs.fedoraproject.org//packages/kernel/$1/$2.$3/x86_64/python3-perf-$1-$2.$3.x86_64.rpm

The system is a bare-metal x86_64 system running F41, updated from F40 for F41 beta. I am not at all experienced with any of the container stuff, so you may need to spell out what you need to know.

The problem began before the 2025.2 version was installed, but I don't know if it preceded 2025.1 or not.
Can I get the output of:

    ls -ll /usr/bin/kernel-install*
    cat /etc/os-release

and

    cat /usr/lib/kernel/install.conf
OK, please see below:

    $ ls -ll /usr/bin/kernel-install*
    -rwxr-xr-x. 1 root root 60200 Jan 8 00:00 /usr/bin/kernel-install

    $ cat /etc/os-release
    NAME="Fedora Linux"
    VERSION="41 (Workstation Edition)"
    RELEASE_TYPE=stable
    ID=fedora
    VERSION_ID=41
    VERSION_CODENAME=""
    PLATFORM_ID="platform:f41"
    PRETTY_NAME="Fedora Linux 41 (Workstation Edition)"
    ANSI_COLOR="0;38;2;60;110;180"
    LOGO=fedora-logo-icon
    CPE_NAME="cpe:/o:fedoraproject:fedora:41"
    DEFAULT_HOSTNAME="fedora"
    HOME_URL="https://fedoraproject.org/"
    DOCUMENTATION_URL="https://docs.fedoraproject.org/en-US/fedora/f41/system-administrators-guide/"
    SUPPORT_URL="https://ask.fedoraproject.org/"
    BUG_REPORT_URL="https://bugzilla.redhat.com/"
    REDHAT_BUGZILLA_PRODUCT="Fedora"
    REDHAT_BUGZILLA_PRODUCT_VERSION=41
    REDHAT_SUPPORT_PRODUCT="Fedora"
    REDHAT_SUPPORT_PRODUCT_VERSION=41
    SUPPORT_END=2025-12-15
    VARIANT="Workstation Edition"
    VARIANT_ID=workstation

    $ cat /usr/lib/kernel/install.conf
    # This file is part of systemd.
    #
    # systemd is free software; you can redistribute it and/or modify it under the
    # terms of the GNU Lesser General Public License as published by the Free
    # Software Foundation; either version 2.1 of the License, or (at your option)
    # any later version.
    #
    # See kernel-install(8) for details.

    #layout=bls|other|...
    #initrd_generator=dracut|...
    #uki_generator=ukify|...
/usr/lib/kernel/install.d/05-rpmostree.install was introduced in 2025.1; by downgrading to 2024.9 you should not hit this anymore. Both 2025.1 and 2025.2 of rpm-ostree should not make it to stable; I am guessing you have testing updates enabled or manually updated the rpm-ostree version to have gotten this update.

Thanks for your report; we need to investigate this a bit more to understand what is happening in this scenario.
    /usr/lib/kernel/install.d/05-rpmostree.install: line 3: /usr/bin/rpm-ostree: Permission denied

Also please:

    ls -al /usr/bin/rpm-ostree
Also please e.g.:

    grep rpm-ostree /var/log/audit.log
    journalctl -b --grep=rpm-ostree
Here we go:

    ls -al /usr/bin/rpm-ostree
    -rwxr-xr-x. 1 root root 15153648 Jan 24 00:00 /usr/bin/rpm-ostree

    $ grep rpm-ostree /var/log/audit.log
    grep: /var/log/audit.log: No such file or directory

and the big one, but note that I have selinux=0 as a kernel argument:

Here is a short excerpt with a wider window, which is still too narrow, but catches the path at least.

    Jan 25 20:01:00 deangelis.fenrir.org.uk audit[621700]: AVC avc: denied { entrypoint } for pid=621700 comm="05-rpmostree.in" path="/usr/bin/rpm-ostree" dev="dm-0" ino=119942042 scontext=unconfined_u:system_r:rpm_script_t:s0-s>
    Jan 25 20:01:03 deangelis.fenrir.org.uk setroubleshoot[621946]: SELinux is preventing 05-rpmostree.in from entrypoint access on the file /usr/bin/rpm-ostree. For complete SELinux messages run: sealert -l ab96b9a2-31f1-4181-b6b7>
    Jan 25 20:01:03 deangelis.fenrir.org.uk setroubleshoot[621946]: SELinux is preventing 05-rpmostree.in from entrypoint access on the file /usr/bin/rpm-ostree.

    $ journalctl -b --grep=rpm-ostree
    Jan 24 22:46:39 deangelis.fenrir.org.uk audit[21329]: AVC avc: denied { entrypoint } for pid=21329 comm="05-rpmostree.in" path="/usr/bin>
    Jan 24 22:46:42 deangelis.fenrir.org.uk setroubleshoot[21467]: SELinux is preventing 05-rpmostree.in from entrypoint access on the file /us>
    Jan 24 22:46:42 deangelis.fenrir.org.uk setroubleshoot[21467]: SELinux is preventing 05-rpmostree.in from entrypoint access on the file /us>
    ***** Plugin catchall (100. confidence) suggests ************************>
    If you believe that 05-rpmostree.in should be allowed entrypoint access on t>
    Then you should report this as a bug.
    You can generate a local policy module to allow this access.
    Do allow this access for now by executing:
    # ausearch -c '05-rpmostree.in' --raw | audit2allow -M my-05rpmostreein
    # semodule -X 300 -i my-05rpmostreein.pp
    Jan 25 14:57:25 deangelis.fenrir.org.uk audit[499313]: AVC avc: denied { entrypoint } for pid=499313 comm="05-rpmostree.in" path="/usr/b>
    Jan 25 14:57:29 deangelis.fenrir.org.uk setroubleshoot[499341]: SELinux is preventing 05-rpmostree.in from entrypoint access on the file /u>
    Jan 25 14:57:29 deangelis.fenrir.org.uk setroubleshoot[499341]: SELinux is preventing 05-rpmostree.in from entrypoint access on the file /u>
    ***** Plugin catchall (100. confidence) suggests ***********************>
    If you believe that 05-rpmostree.in should be allowed entrypoint access on >
    Then you should report this as a bug.
    You can generate a local policy module to allow this access.
    Do allow this access for now by executing:
    # ausearch -c '05-rpmostree.in' --raw | audit2allow -M my-05rpmostreein
    # semodule -X 300 -i my-05rpmostreein.pp
    Jan 25 20:01:00 deangelis.fenrir.org.uk audit[621700]: AVC avc: denied { entrypoint } for pid=621700 comm="05-rpmostree.in" path="/usr/b>
    Jan 25 20:01:03 deangelis.fenrir.org.uk setroubleshoot[621946]: SELinux is preventing 05-rpmostree.in from entrypoint access on the file /u>
    Jan 25 20:01:03 deangelis.fenrir.org.uk setroubleshoot[621946]: SELinux is preventing 05-rpmostree.in from entrypoint access on the file /u>
    ***** Plugin catchall (100. confidence) suggests ***********************>
    If you believe that 05-rpmostree.in should be allowed entrypoint access on >
    Then you should report this as a bug.
    You can generate a local policy module to allow this access.
    Do allow this access for now by executing:
    # ausearch -c '05-rpmostree.in' --raw | audit2allow -M my-05rpmostreein
    # semodule -X 300 -i my-05rpmostreein.pp
    Jan 25 23:05:37 deangelis.fenrir.org.uk audit[691013]: AVC avc: denied { entrypoint } for pid=691013 comm="05-rpmostree.in" path="/usr/b>
    Jan 25 23:05:41 deangelis.fenrir.org.uk setroubleshoot[691028]: SELinux is preventing 05-rpmostree.in from entrypoint access on the file /u>
    Jan 25 23:05:41 deangelis.fenrir.org.uk setroubleshoot[691028]: SELinux is preventing 05-rpmostree.in from entrypoint access on the file /u>
    ***** Plugin catchall (100. confidence) suggests ***********************>
    If you believe that 05-rpmostree.in should be allowed entrypoint access on >
    Then you should report this as a bug.
    You can generate a local policy module to allow this access.
    Do allow this access for now by executing:
    # ausearch -c '05-rpmostree.in' --raw | audit2allow -M my-05rpmostreein
    # semodule -X 300 -i my-05rpmostreein.pp
    Jan 26 15:51:54 deangelis.fenrir.org.uk audit[1200130]: AVC avc: denied { entrypoint } for pid=1200130 comm="05-rpmostree.in" path="/usr>
    Jan 26 15:51:58 deangelis.fenrir.org.uk setroubleshoot[1200160]: SELinux is preventing 05-rpmostree.in from entrypoint access on the file />
    Jan 26 15:51:58 deangelis.fenrir.org.uk setroubleshoot[1200160]: SELinux is preventing 05-rpmostree.in from entrypoint access on the file />
    ***** Plugin catchall (100. confidence) suggests **********************>
    If you believe that 05-rpmostree.in should be allowed entrypoint access on>
    Then you should report this as a bug.
    You can generate a local policy module to allow this access.
    Do allow this access for now by executing:
    # ausearch -c '05-rpmostree.in' --raw | audit2allow -M my-05rpmostreein
    # semodule -X 300 -i my-05rpmostreein.pp
    Jan 26 17:27:39 deangelis.fenrir.org.uk sudo[1261152]: bdm : TTY=pts/0 ; PWD=/home/bdm ; USER=root ; COMMAND=/usr/bin/dnf reinstall ht>
    Jan 26 17:27:55 deangelis.fenrir.org.uk [RPM][1261218]: erase rpm-ostree-2025.2-1.fc41.x86_64: success
    Jan 26 17:27:55 deangelis.fenrir.org.uk [RPM][1261218]: erase rpm-ostree-libs-2025.2-1.fc41.x86_64: success
    Jan 26 17:27:55 deangelis.fenrir.org.uk [RPM][1261218]: install rpm-ostree-libs-2025.2-1.fc41.x86_64: success
    Jan 26 17:27:55 deangelis.fenrir.org.uk [RPM][1261218]: install rpm-ostree-2025.2-1.fc41.x86_64: success
    Jan 26 17:27:56 deangelis.fenrir.org.uk [RPM][1261218]: erase rpm-ostree-2025.2-1.fc41.x86_64: success
    Jan 26 17:27:56 deangelis.fenrir.org.uk audit[1261361]: AVC avc: denied { entrypoint } for pid=1261361 comm="05-rpmostree.in" path="/usr>
    Jan 26 17:27:56 deangelis.fenrir.org.uk [RPM][1261218]: erase rpm-ostree-libs-2025.2-1.fc41.x86_64: success
    Jan 26 17:27:58 deangelis.fenrir.org.uk [RPM][1261218]: install rpm-ostree-libs-2025.2-1.fc41.x86_64: success
    Jan 26 17:27:58 deangelis.fenrir.org.uk [RPM][1261218]: install rpm-ostree-2025.2-1.fc41.x86_64: success
    Jan 26 17:27:58 deangelis.fenrir.org.uk audit[1261218]: SOFTWARE_UPDATE pid=1261218 uid=0 auid=1000 ses=3 subj=unconfined_u:unconfined_r:un>
    Jan 26 17:27:58 deangelis.fenrir.org.uk audit[1261218]: SOFTWARE_UPDATE pid=1261218 uid=0 auid=1000 ses=3 subj=unconfined_u:unconfined_r:un>
    Jan 26 17:28:00 deangelis.fenrir.org.uk setroubleshoot[1261809]: SELinux is preventing 05-rpmostree.in from entrypoint access on the file />
    Jan 26 17:28:00 deangelis.fenrir.org.uk setroubleshoot[1261809]: SELinux is preventing 05-rpmostree.in from entrypoint access on the file />
    ***** Plugin catchall (100. confidence) suggests **********************>
    If you believe that 05-rpmostree.in should be allowed entrypoint access on>
    Then you should report this as a bug.
    You can generate a local policy module to allow this access.
    Do allow this access for now by executing:
    # ausearch -c '05-rpmostree.in' --raw | audit2allow -M my-05rpmostreein
    # semodule -X 300 -i my-05rpmostreein.pp
    Jan 26 17:28:56 deangelis.fenrir.org.uk audit[1262649]: AVC avc: denied { entrypoint } for pid=1262649 comm="05-rpmostree.in" path="/usr>
    Jan 26 17:29:00 deangelis.fenrir.org.uk setroubleshoot[1262663]: SELinux is preventing 05-rpmostree.in from entrypoint access on the file />
    Jan 26 17:29:00 deangelis.fenrir.org.uk setroubleshoot[1262663]: SELinux is preventing 05-rpmostree.in from entrypoint access on the file />
    ***** Plugin catchall (100. confidence) suggests **********************>
    If you believe that 05-rpmostree.in should be allowed entrypoint access on>
    Then you should report this as a bug.
    You can generate a local policy module to allow this access.
    Do allow this access for now by executing:
    # ausearch -c '05-rpmostree.in' --raw | audit2allow -M my-05rpmostreein
    # semodule -X 300 -i my-05rpmostreein.pp
    Jan 26 23:22:18 deangelis.fenrir.org.uk audit[1420060]: AVC avc: denied { entrypoint } for pid=1420060 comm="05-rpmostree.in" path="/usr>
    Jan 26 23:22:21 deangelis.fenrir.org.uk setroubleshoot[1420083]: SELinux is preventing 05-rpmostree.in from entrypoint access on the file />
    Jan 26 23:22:21 deangelis.fenrir.org.uk setroubleshoot[1420083]: SELinux is preventing 05-rpmostree.in from entrypoint access on the file />
    ***** Plugin catchall (100. confidence) suggests **********************>
    If you believe that 05-rpmostree.in should be allowed entrypoint access on>
    Then you should report this as a bug.
    You can generate a local policy module to allow this access.
    Do allow this access for now by executing:
    # ausearch -c '05-rpmostree.in' --raw | audit2allow -M my-05rpmostreein
    # semodule -X 300 -i my-05rpmostreein.pp
    Jan 26 23:25:33 deangelis.fenrir.org.uk audit[1422176]: AVC avc: denied { entrypoint } for pid=1422176 comm="05-rpmostree.in" path="/usr>
    Jan 26 23:25:36 deangelis.fenrir.org.uk setroubleshoot[1422204]: SELinux is preventing 05-rpmostree.in from entrypoint access on the file />
    Jan 26 23:25:36 deangelis.fenrir.org.uk setroubleshoot[1422204]: SELinux is preventing 05-rpmostree.in from entrypoint access on the file />
    ***** Plugin catchall (100. confidence) suggests **********************>
    If you believe that 05-rpmostree.in should be allowed entrypoint access on>
    Then you should report this as a bug.
    You can generate a local policy module to allow this access.
    Do allow this access for now by executing:
    # ausearch -c '05-rpmostree.in' --raw | audit2allow -M my-05rpmostreein
    # semodule -X 300 -i my-05rpmostreein.pp

Do you need any more before I revert the rpm-ostree version to 2024.9 ?
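Added example, not part of the original comment: a small filter that reduces AVC denial lines like the ones above to the permission, command, path and SELinux types, and flags records the pager cut off. The sample lines are constructed from the excerpt; the host name, the MLS range and the target type example_exec_t are placeholders, since the full contexts are not visible in the report.

```shell
#!/bin/sh
# Added example, not taken from the bug report.
# Reads journal or audit lines on stdin and prints one record per AVC denial:
#   perm|comm|path|source_type|target_type|complete-or-cut
# Fields lost to pager truncation (line ends in ">") are reported as "?".
avc_denials() {
    awk '
    # Strip KEY= and the surrounding double quotes from one token.
    function val(s) { sub(/^[^=]*=/, "", s); gsub(/"/, "", s); return s }
    # The SELinux type is the third colon-separated part of a context.
    function setype(ctx,    p) { return (split(ctx, p, ":") >= 3) ? p[3] : "?" }
    /avc: +denied/ {
        perm = comm = path = st = tt = "?"
        if (match($0, /[{] [^}]+ [}]/))
            perm = substr($0, RSTART + 2, RLENGTH - 4)
        for (i = 1; i <= NF; i++) {
            if      ($i ~ /^comm=/)     comm = val($i)
            else if ($i ~ /^path=/)     path = val($i)
            else if ($i ~ /^scontext=/) st = setype(val($i))
            else if ($i ~ /^tcontext=/) tt = setype(val($i))
        }
        state = "complete"
        if ($0 ~ />$/) state = "cut"
        print perm "|" comm "|" path "|" st "|" tt "|" state
    }'
}

# Constructed sample input: one full denial, one truncated by the pager,
# and one setroubleshoot line that must be ignored.
sample_journal() {
    cat <<'EOF'
Jan 25 20:01:00 host.example audit[621700]: AVC avc:  denied  { entrypoint } for  pid=621700 comm="05-rpmostree.in" path="/usr/bin/rpm-ostree" dev="dm-0" ino=119942042 scontext=unconfined_u:system_r:rpm_script_t:s0-s0:c0.c1023 tcontext=system_u:object_r:example_exec_t:s0 tclass=file permissive=0
Jan 25 20:01:00 host.example audit[621700]: AVC avc:  denied  { entrypoint } for  pid=621700 comm="05-rpmostree.in" path="/usr/b>
Jan 25 20:01:03 host.example setroubleshoot[621946]: SELinux is preventing 05-rpmostree.in from entrypoint access on the file /usr/bin/rpm-ostree.
EOF
}

sample_journal | avc_denials
```

On a live system the input would come from `journalctl -b --no-pager --grep=rpm-ostree`, which avoids the "cut" records entirely.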
> Here is a short excerpt with a wider window, which is still too narrow, but catches the path at least.

Use e.g. `journalctl --no-pager` to fix that.

> Do you need any more before I revert the rpm-ostree version to 2024.9 ?

No that's fine, it's enough. Thanks for reporting this!
rpm-ostree 2025.3 will scope this down right now to just rawhide and c10s, which is not a fix but will reduce the blast radius a lot.

First, I think we should forward this to the selinux-policy maintainers and get them to just allow this.

However, we can't *rely* on that happening quickly, so I think we should also change our entrypoint shell script to basically:

    if ! grep -q layout=ostree /usr/lib/kernel/install.conf; then exit 0; fi

or so...basically reimplementing the trivial check in the existing shell script trampoline we have.

Alternatively, we could produce a new Rust binary from our existing code but that has a relatively higher build time/mechanics overhead.
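Added example, not rpm-ostree's shipped hook: one way to write the guard sketched in the comment above so that a kernel-install plugin is a no-op on non-ostree systems and never reaches the exec that SELinux denied. It goes slightly beyond the one-liner by ignoring commented-out lines; the function names and sample files are hypothetical and constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not rpm-ostree's shipped hook).

# Check as sketched in the thread: matches the string anywhere in the file,
# including inside a commented-out line such as "#layout=ostree".
layout_is_ostree_naive() {
    grep -q 'layout=ostree' "$1" 2>/dev/null
}

# Stricter form: only an uncommented "layout=ostree" assignment counts.
# A missing or unreadable file counts as "not ostree".
layout_is_ostree() {
    grep -Eq '^[[:space:]]*layout=ostree[[:space:]]*$' "$1" 2>/dev/null
}

# run_hook CONF CMD [ARGS...]
# On a non-ostree system return success without running CMD, so the
# package scriptlet that triggered kernel-install is not failed by a
# helper it never needed. Otherwise run CMD and return its status.
run_hook() {
    conf=$1
    shift
    layout_is_ostree "$conf" || return 0
    "$@"
}

# Constructed sample configs. stock.conf mirrors the commented defaults
# shown earlier in this report.
write_samples() {
    dir=$1
    printf '%s\n' '# See kernel-install(8) for details.' \
        '#layout=bls|other|...' \
        '#initrd_generator=dracut|...' > "$dir/stock.conf"
    printf '%s\n' 'layout=ostree' > "$dir/ostree.conf"
    printf '%s\n' '#layout=ostree' > "$dir/commented.conf"
}

demo() {
    tmp=$(mktemp -d) || return 1
    write_samples "$tmp"
    for f in stock ostree commented; do
        if layout_is_ostree "$tmp/$f.conf"; then strict=yes; else strict=no; fi
        if layout_is_ostree_naive "$tmp/$f.conf"; then naive=yes; else naive=no; fi
        echo "$f.conf: strict=$strict naive=$naive"
    done
    rm -rf "$tmp"
}
demo

# In a real plugin the last line would instead be something like:
#   run_hook /usr/lib/kernel/install.conf /usr/bin/rpm-ostree kernel-install "$@"
```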
FEDORA-2025-4c48f77d75 (rpm-ostree-2025.4-2.fc41) has been submitted as an update to Fedora 41. https://bodhi.fedoraproject.org/updates/FEDORA-2025-4c48f77d75
Hi Brian,

Do you mind installing the new updated rpm-ostree? https://bodhi.fedoraproject.org/updates/FEDORA-2025-4c48f77d75

I tested the changes here: https://github.com/coreos/rpm-ostree/pull/5262#issuecomment-2623408953 and it looks good, but wanted to make sure there was nothing else happening in case your environment is somehow different from my test environment.
Since I reverted to rpm-ostree-2024.9 I have seen some further problems, as shown in this bug: https://bugzilla.redhat.com/show_bug.cgi?id=2342379

So something else is broken that I have not yet been able to fix. The other bug is listed against dracut but I genuinely am not sure why it has happened. I can hack the kernel update so that the system boots, but it used to work simply with updating the kernel rpms.

I can probably try out the update you mention in comment 12 but some assistance in fixing the previous breakage would be appreciated.
I have now installed the new rpm-ostree-2025.4 packages, so we'll see if anything else happens on the next kernel packages update.
Also I realised that somehow, and I don't know when, the selinux setting on this system that I thought was disabled is actually enforcing. That didn't help.
FEDORA-2025-4c48f77d75 has been pushed to the Fedora 41 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-4c48f77d75` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-4c48f77d75 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2025-3dfc505946 has been pushed to the Fedora 41 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-3dfc505946` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-3dfc505946 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2025-3dfc505946 (rpm-ostree-2025.5-2.fc41) has been pushed to the Fedora 41 stable repository. If problem still persists, please make note of it in this bug report.