Bug 2380156 - Chromium %post script breaks SELinux policy
Summary: Chromium %post script breaks SELinux policy
Keywords:
Status: CLOSED WORKSFORME
Alias: None
Product: Fedora
Classification: Fedora
Component: chromium
Version: 42
Hardware: x86_64
OS: Linux
Importance: unspecified high
Target Milestone: ---
Assignee: Than Ngo
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2025-07-15 14:24 UTC by Marek Marczykowski
Modified: 2026-04-10 04:25 UTC
CC List: 5 users

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2025-12-10 11:23:49 UTC
Type: ---
Embargoed:


Attachments
Reproducer (2.77 KB, text/plain), 2025-08-01 13:49 UTC, Marek Marczykowski

Description Marek Marczykowski 2025-07-15 14:24:43 UTC
When both chromium and selinux-policy(-targeted) updates are part of the same transaction, the chromium %post script triggers loading a half-assembled policy.
Specifically, this loads the newly installed policy before its modules are rebuilt in the %posttrans of selinux-policy-targeted (the `semodule -B` call), basically loading the policy without those modules (invalidating the contexts defined there).

If a process involved in running the update has a strict policy defined in a module, it gets denied most operations, basically interrupting the update. An interrupted update transaction is not a great outcome, to put it mildly...
This happens when using Fedora 42 (41 too) on Qubes OS, but I believe it affects a few other configurations too.

Reproducible: Always

Steps to Reproduce:
1. Get fedora-42-xfce template on Qubes OS
2. Install (older?) chromium package
3. Try installing updates that include both chromium and selinux-policy(-targeted) packages.
Actual Results:
The update crashes in the middle, just after updating chromium. Exact messages include:
```
[587333.301807] SELinux:  Converting 474 SID table entries...
[587333.301917] SELinux:  Context system_u:object_r:container_unit_file_t:s0 became invalid (unmapped).
[587333.302066] SELinux:  Context system_u:object_r:qubes_qubesdb_daemon_exec_t:s0 became invalid (unmapped).
[587333.302101] SELinux:  Context system_u:system_r:qubes_qubesdb_daemon_t:s0 became invalid (unmapped).
[587333.302141] SELinux:  Context system_u:object_r:qubes_var_run_t:s0 became invalid (unmapped).
[587333.302168] SELinux:  Context system_u:object_r:qubes_qubesdb_socket_t:s0 became invalid (unmapped).
[587333.302386] SELinux:  Context system_u:object_r:container_runtime_exec_t:s0 became invalid (unmapped).
[587333.303044] SELinux:  Context system_u:system_r:container_runtime_t:s0 became invalid (unmapped).
[587333.303075] SELinux:  Context system_u:object_r:container_var_run_t:s0 became invalid (unmapped).
[587333.303110] SELinux:  Context system_u:object_r:qubes_meminfo_writer_exec_t:s0 became invalid (unmapped).
[587333.303135] SELinux:  Context system_u:system_r:qubes_meminfo_writer_t:s0 became invalid (unmapped).
[587333.303162] SELinux:  Context system_u:object_r:qubes_meminfo_writer_var_run_t:s0 became invalid (unmapped).
[587333.303367] SELinux:  Context system_u:object_r:qubes_qrexec_agent_exec_t:s0 became invalid (unmapped).
[587333.303454] SELinux:  Context system_u:object_r:qubes_qrexec_socket_t:s0 became invalid (unmapped).
[587333.303650] SELinux:  Context system_u:system_r:qubes_qubesdb_daemon_t:s0-s0:c0.c1023 became invalid (unmapped).
[587333.303760] SELinux:  Context unconfined_u:object_r:qubes_var_run_t:s0 became invalid (unmapped).
[587333.309880] SELinux:  policy capability network_peer_controls=1
[587333.309906] SELinux:  policy capability open_perms=1
[587333.309920] SELinux:  policy capability extended_socket_class=1
[587333.309944] SELinux:  policy capability always_check_network=0
[587333.309960] SELinux:  policy capability cgroup_seclabel=1
[587333.309974] SELinux:  policy capability nnp_nosuid_transition=1
[587333.309994] SELinux:  policy capability genfs_seclabel_symlinks=1
[587333.310010] SELinux:  policy capability ioctl_skip_cloexec=0
[587333.310028] SELinux:  policy capability userspace_initial_context=0
```

Expected Results:
No crash; the policy gets loaded only after it's complete (in the %posttrans, or wherever the selinux-policy-targeted package decides).

Additional Information:
References to Qubes OS reports:
- https://forum.qubes-os.org/t/update-borked-a-fedora-template/34788/37
- https://github.com/QubesOS/qubes-issues/issues/10054
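The kernel messages quoted in the description are the observable signature of the problem: one policy load ("Converting N SID table entries") followed by a burst of contexts that the freshly loaded policy cannot map. The script below is an added example (not part of the bug report or of either package) that parses such lines from dmesg or `journalctl -k` output and separates unmapped process domains (the running services that will now be denied everything) from unmapped object types. The embedded sample is constructed in the shape of the lines quoted above; it is not a capture from a live system.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the kernel messages quoted in the report
# (timestamps and the unrelated trailing line are illustrative, not a real capture).
SAMPLE_DMESG = """\
[587333.301807] SELinux:  Converting 474 SID table entries...
[587333.301917] SELinux:  Context system_u:object_r:container_unit_file_t:s0 became invalid (unmapped).
[587333.302066] SELinux:  Context system_u:object_r:qubes_qubesdb_daemon_exec_t:s0 became invalid (unmapped).
[587333.302101] SELinux:  Context system_u:system_r:qubes_qubesdb_daemon_t:s0 became invalid (unmapped).
[587333.303650] SELinux:  Context system_u:system_r:qubes_qubesdb_daemon_t:s0-s0:c0.c1023 became invalid (unmapped).
[587333.309880] SELinux:  policy capability network_peer_controls=1
[587340.000000] systemd[1]: Started example.service.
"""

# One in-kernel policy load converts the SID table; every context it can no
# longer map is then reported on its own line.
RELOAD_RE = re.compile(r"SELinux:\s+Converting (\d+) SID table entries")
INVALID_RE = re.compile(r"SELinux:\s+Context (\S+) became invalid \(unmapped\)")


def parse_context(ctx):
    """Split user:role:type:range; the MLS range itself may contain ':' (s0-s0:c0.c1023)."""
    user, role, typ, mls = ctx.split(":", 3)
    return user, role, typ, mls


def analyze_policy_reload(log_text):
    """Summarise which types a policy load left unmapped, and whether running domains are among them."""
    reloads = 0
    roles_by_type = defaultdict(set)
    for line in log_text.splitlines():
        if RELOAD_RE.search(line):
            reloads += 1
            continue
        m = INVALID_RE.search(line)
        if m:
            _user, role, typ, _mls = parse_context(m.group(1))
            roles_by_type[typ].add(role)
    # A type seen with a role other than object_r labels processes, not files:
    # those are the services that get denied every operation until a complete
    # policy (with its modules) is loaded again.
    process_domains = sorted(t for t, roles in roles_by_type.items() if roles - {"object_r"})
    object_types = sorted(t for t in roles_by_type if t not in process_domains)
    return {
        "reloads": reloads,
        "unmapped_types": len(roles_by_type),
        "process_domains": process_domains,
        "object_types": object_types,
        # Unmapped process domains immediately after a load are the signature of
        # the incomplete-policy load described in this report.
        "suspect_incomplete_policy": reloads > 0 and bool(process_domains),
    }


if __name__ == "__main__":
    import sys
    # Typical use: journalctl -k | python3 this_script.py ; with no piped input the sample is used.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DMESG
    for key, value in analyze_policy_reload(text).items():
        print(f"{key}: {value}")
```

On the sample this reports one reload, three unmapped types, and `qubes_qubesdb_daemon_t` as an unmapped process domain, so `suspect_incomplete_policy` is true; a log with only "policy capability" lines and no unmapped contexts is a normal reload and is not flagged.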

Comment 1 Than Ngo 2025-07-22 09:54:20 UTC
I tried to reproduce your problem by installing updates to the new selinux-policy(-targeted) packages created for testing purposes, as well as Chromium, and could not find any problem. It just works for me.

Maybe it's a bug in QubesOS?

Comment 2 Marek Marczykowski 2025-08-01 13:48:45 UTC
It's about a transient state during the update; services affected by it will have all operations denied (due to the policy being loaded without modules).
I've made a reproducer, let me attach it here.

Usage:
1. Get a system with updates for selinux-policy and chromium pending (Fedora live image is okay).
2. Build selinux-repro.spec. When installing build deps, be careful not to update selinux-policy just yet (I simply use --disablerepo=updates on the live image).
3. Install selinux-repro and selinux-repro-selinux
4. Start selinux-repro service
5. Now update selinux-policy and chromium in a single transaction.
6. Observe that the selinux-repro service crashed; see the audit log for SELinux denials.
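The reproducer above triggers the problem by updating selinux-policy and chromium in one transaction, so the administrative workaround until the scriptlet ordering is fixed is to keep them apart: upgrade the selinux-policy packages first, let their %posttrans finish, and only then upgrade the rest. The script below is an added example (not from the reporter or the chromium package) that plans such a split from a list of pending updates. The package list is constructed in the `name.arch` form that `dnf check-update -q | awk '{print $1}'` prints, and the set of packages treated as hazardous is a hypothetical starting point containing only the one this report names.

```python
import re

# Constructed sample of a pending transaction ("name.arch", as dnf check-update
# prints it); illustrative, not real repository output.
PENDING_UPDATES = [
    "chromium.x86_64",
    "selinux-policy.noarch",
    "selinux-policy-targeted.noarch",
    "vim-enhanced.x86_64",
    "kernel-core.x86_64",
]

# Packages whose %post loads policy mid-transaction. Hypothetical list seeded
# from this report; extend it if other packages show the same behaviour.
POLICY_LOADING_SCRIPTLETS = {"chromium"}

# selinux-policy and its subpackages (selinux-policy-targeted, ...).
POLICY_RE = re.compile(r"^selinux-policy(-\w+)?$")


def package_name(name_arch):
    """Drop the trailing .arch; names may themselves contain dots (python3.12)."""
    return name_arch.rsplit(".", 1)[0]


def plan_transactions(pending):
    """Split pending updates into ordered transactions that avoid the hazard.

    Returns a list of package-name lists, one per transaction. The policy
    packages go first and alone only when a hazardous package is also pending;
    otherwise a single transaction is fine.
    """
    names = [package_name(p) for p in pending]
    policy = sorted(n for n in names if POLICY_RE.match(n))
    risky = sorted(n for n in names if n in POLICY_LOADING_SCRIPTLETS)
    others = sorted(n for n in names if n not in policy and n not in risky)
    if policy and risky:
        # Policy first, in its own transaction, so `semodule -B` in its
        # %posttrans has rebuilt the modules before any other %post reloads policy.
        return [policy, risky + others]
    return [sorted(names)]


def dnf_commands(plan):
    """Render the plan as dnf invocations; the final one takes everything still pending."""
    cmds = ["sudo dnf upgrade " + " ".join(pkgs) for pkgs in plan[:-1]]
    cmds.append("sudo dnf upgrade")
    return cmds


if __name__ == "__main__":
    for cmd in dnf_commands(plan_transactions(PENDING_UPDATES)):
        print(cmd)
```

For the sample list this yields two commands: `sudo dnf upgrade selinux-policy selinux-policy-targeted` followed by a plain `sudo dnf upgrade`. When no policy update is pending, or no hazardous package is, the plan collapses to a single `sudo dnf upgrade`.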

Comment 3 Marek Marczykowski 2025-08-01 13:49:20 UTC
Created attachment 2102313
Reproducer

Comment 4 Than Ngo 2025-11-04 13:37:25 UTC
Could you please try the new chromium-142.0.7444.59? It's submitted as an update in https://bodhi.fedoraproject.org/updates/FEDORA-2025-7c0b3fa81f

  sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-7c0b3fa81f

Thank you!

Comment 5 Than Ngo 2025-12-10 11:23:49 UTC
Closing it as I cannot reproduce it here.

Comment 6 Red Hat Bugzilla 2026-04-10 04:25:04 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days or the product is inactive and locked.

