Description of problem:
After doing an upgrade, policy was left in an invalid state. This included both modules and a user with a role in the invalid policy. As far as I can figure out, I couldn't delete the extra user and roles at the same time I could remove (or disable) modules. My attempts at rebuilding policy and trying to remove the user and role were all failing because the resulting policy was always going to continue to be left in an invalid state.
Eventually I went into /etc/selinux/targeted and manually messed with stuff to get into a valid state, and then reinstalled selinux-policy-targeted to get back into a normal state.
Version-Release number of selected component (if applicable):
I am not sure how to normally get into an invalid state in order to test this.
Steps to Reproduce:
Can you give me a reproducer?
I have seen this before, but I am not sure how to get it into this state. Of course the tools should prevent you from getting the state bad in the first place.
Not really. It happened when I upgraded from F9 to F11 to F12. There were issues going from F9 to F11, but I really didn't worry about the selinux stuff until updates for F12 were failing. I had some local modules installed and one of the users had a role defined in a local module.
Presumably I could have cleanly fixed things by switching policies, removing the targeted policy and then reinstalling targeted and switching back. This would probably trigger two relabels.
One thing that might work is going in and editing the active policy modules by hand. If one of the modules has a role dependency on it, I think you end up in the situation I was in.
OK, we had some problems upgrading between versions, which hopefully are fixed now. We did some experiments which failed badly. :^(
I think we are learning from our mistakes. But upgrading between versions is always difficult.
I will close this as fixed in Rawhide, since I think we have most of these upgrade issues fixed.