Running post-transaction scriptlet: selinux-policy-targeted-0:41.29-1.fc41.noarch
Non-critical error in post-transaction scriptlet: selinux-policy-targeted-0:41.29-1.fc41.noarch
Scriptlet output:
/usr/sbin/restorecon: Could not set context for /usr/bin/conmon: Invalid argument
/usr/sbin/restorecon: Could not set context for /usr/bin/podman: Invalid argument
/usr/sbin/restorecon: Could not set context for /usr/bin/passt: Invalid argument
/usr/sbin/restorecon: Could not set context for /usr/bin/passt.avx2: Invalid argument
/usr/sbin/restorecon: Could not set context for /usr/bin/pasta: Invalid argument
/usr/sbin/restorecon: Could not set context for /usr/bin/pasta.avx2: Invalid argument
/usr/sbin/restorecon: Could not set context for /usr/bin/crun: Invalid argument
/usr/sbin/restorecon: Could not set context for /usr/bin/buildah: Invalid argument
/usr/sbin/restorecon: Could not set context for /usr/bin/swtpm: Invalid argument
/usr/sbin/restorecon: Could not set context for /usr/sbin/nbdkit: Invalid argument
/usr/sbin/restorecon: Could not set context for /usr/sbin/usbguard-daemon: Invalid argument
/usr/sbin/restorecon: Could not set context for /usr/sbin/usbguard-daemon: Invalid argument
[RPM] %posttrans(selinux-policy-targeted-41.29-1.fc41.noarch) scriptlet failed, exit status 255
Running trigger-install scriptlet: systemd-0:256.11-1.fc41.x86_64
Finished trigger-install scriptlet: systemd-0:256.11-1.fc41.x86_64
Scriptlet output:
Failed to set SELinux security context system_u:object_r:cockpit_var_run_t:s0 for /run/cockpit/inactive.issue: Inval
Unable to fix SELinux security context of /run/cockpit/inactive.issue: Invalid argument
Failed to set SELinux security context system_u:object_r:cockpit_var_run_t:s0 for /run/cockpit/active.issue: Invalid
Unable to fix SELinux security context of /run/cockpit/active.issue: Invalid argument
Failed to set SELinux security context system_u:object_r:cockpit_var_run_t:s0 for /run/cockpit/issue: Invalid argume
Unable to fix SELinux security context of /run/cockpit/issue: Invalid argument
The problems I reported are consistently reproducible -- installation errors with selinux-policy-targeted:
Running post-transaction scriptlet: selinux-policy-targeted-0:41.29-1.fc41.noarch
Non-critical error in post-transaction scriptlet: selinux-policy-targeted-0:41.29-1.fc41.noarch
Scriptlet output:
/usr/sbin/restorecon: Could not set context for /usr/bin/podman: Invalid argument
/usr/sbin/restorecon: Could not set context for /usr/bin/passt.avx2: Invalid argument
/usr/sbin/restorecon: Could not set context for /usr/bin/swtpm: Invalid argument
/usr/sbin/restorecon: Could not set context for /usr/bin/conmon: Invalid argument
/usr/sbin/restorecon: Could not set context for /usr/bin/pasta: Invalid argument
/usr/sbin/restorecon: Could not set context for /usr/bin/passt: Invalid argument
/usr/sbin/restorecon: Could not set context for /usr/bin/crun: Invalid argument
/usr/sbin/restorecon: Could not set context for /usr/bin/pasta.avx2: Invalid argument
/usr/sbin/restorecon: Could not set context for /usr/sbin/timemaster: Invalid argument
/usr/sbin/restorecon: Could not set context for /usr/sbin/phc2sys: Invalid argument
/usr/sbin/restorecon: Could not set context for /usr/sbin/usbguard-daemon: Invalid argument
/usr/sbin/restorecon: Could not set context for /usr/sbin/nbdkit: Invalid argument
/usr/sbin/restorecon: Could not set context for /usr/sbin/ptp4l: Invalid argument
/usr/sbin/restorecon: Could not set context for /usr/sbin/usbguard-dbus: Invalid argument
/usr/sbin/restorecon: Could not set context for /usr/sbin/usbguard-daemon: Invalid argument
/usr/sbin/restorecon: Could not set context for /usr/sbin/usbguard-dbus: Invalid argument
[RPM] %posttrans(selinux-policy-targeted-41.29-1.fc41.noarch) scriptlet failed, exit status 255
This update has been submitted for testing by zpytela.
This update's test gating status has been changed to 'waiting'.
This update's test gating status has been changed to 'waiting'.
This update's test gating status has been changed to 'passed'.
This update has been pushed to testing.
Works.
Looks good so far.
This update can be pushed to stable now if the maintainer wishes
Bodhi is disabling automatic push to stable due to negative karma. The maintainer may push manually if they determine that the issue is not severe.
Works great! LGTM! =)
Likewise, installation errors:
and perhaps related problems with other packages:
[3/6] Upgrading podman-5:5.3.1-3.fc41.x86_64 ...
Cockpit's nightly CI run against updates-testing found a regression, see https://github.com/cockpit-project/cockpit-machines/issues/1983 for details. virt-install fails with
internal error: process exited while connecting to monitor: 2025-01-18T04:40:53.357895Z qemu-system-x86_64: -blockdev {\"driver\":\"nbd\",\"server\":{\"type\":\"unix\",\"path\":\"/var/lib/libvirt/qemu/domain-1-subVmTestCreate1/nbdkit-libvirt-1-storage.socket\"},\"node-name\":\"libvirt-1-storage\",\"read-only\":true}: Failed to connect to '/var/lib/libvirt/qemu/domain-1-subVmTestCreate1/nbdkit-libvirt-1-storage.socket': Permission denied
Domain installation does not appear to have been successful.
The journal shows the corresponding failure:
type=AVC msg=audit(1737175253.355:637): avc: denied { connectto } for pid=4246 comm="nbd-connect" path="/var/lib/libvirt/qemu/domain-1-subVmTestCreate1/nbdkit-libvirt-1-storage.socket" scontext=system_u:system_r:svirt_tcg_t:s0:c172,c897 tcontext=system_u:system_r:nbdkit_t:s0:c172,c897 tclass=unix_stream_socket permissive=0
(test works after setenforce 1)
I didn't investigate this very deeply yet -- it's Saturday early morning, and next week our team is on a sprint and not able to react timely to such issues. But we need to stop the regression from landing in stable updates.
There is something a lot more subtle going on, I updated notes in https://github.com/cockpit-project/cockpit-machines/issues/1983
This feels very sensitive to upgrade/unpack order.
Some problems visible from dmesg -- and then the change when reverting from 41.29-1.fc4 to 41.28-1.fc41:
[ 8.620851] SELinux: Context system_u:object_r:usbguard_unit_file_t:s0 is not valid (left unmapped).
[ 8.622586] SELinux: Context system_u:object_r:phc2sys_unit_file_t:s0 is not valid (left unmapped).
[ 8.622985] SELinux: Context system_u:object_r:ptp4l_unit_file_t:s0 is not valid (left unmapped).
[ 8.626000] SELinux: Context system_u:object_r:timemaster_unit_file_t:s0 is not valid (left unmapped).
[ 10.777323] SELinux: Context system_u:object_r:container_var_lib_t:s0 is not valid (left unmapped).
[ 38.280020] SELinux: Context system_u:object_r:container_runtime_exec_t:s0 is not valid (left unmapped).
[ 38.513976] SELinux: Context system_u:object_r:conmon_exec_t:s0 is not valid (left unmapped).
[ 91.275338] SELinux: Context system_u:object_r:usbguard_conf_t:s0 is not valid (left unmapped).
[22835.686833] SELinux: Context system_u:object_r:usbguard_rules_t:s0 is not valid (left unmapped).
[22838.732929] SELinux: Context system_u:object_r:usbguard_log_t:s0 is not valid (left unmapped).
[downgrade to 41.28-1.fc41 ... ]
[53203.849275] SELinux: Converting 778 SID table entries...
[53203.849345] SELinux: Context system_u:object_r:usbguard_unit_file_t:s0 became valid (mapped).
[53203.849353] SELinux: Context system_u:object_r:phc2sys_unit_file_t:s0 became valid (mapped).
[53203.849356] SELinux: Context system_u:object_r:ptp4l_unit_file_t:s0 became valid (mapped).
[53203.849364] SELinux: Context system_u:object_r:timemaster_unit_file_t:s0 became valid (mapped).
[53203.849598] SELinux: Context system_u:object_r:container_var_lib_t:s0 became valid (mapped).
[53203.850387] SELinux: Context system_u:object_r:container_runtime_exec_t:s0 became valid (mapped).
[53203.850388] SELinux: Context system_u:object_r:conmon_exec_t:s0 became valid (mapped).
[53203.850422] SELinux: Context system_u:object_r:usbguard_conf_t:s0 became valid (mapped).
[53203.850509] SELinux: Context system_u:object_r:usbguard_rules_t:s0 became valid (mapped).
[53203.850520] SELinux: Context system_u:object_r:usbguard_log_t:s0 became valid (mapped).
no regressions noted
In https://github.com/cockpit-project/cockpit-machines/issues/1989 cockpit-machines nightly test ran against a VM which already had the new pcp-selinux installed, so it's not unpack order after all. It of course still could be related to some interference with pcp-6.3.2-3.fc41
I didn't run into issues like the ones reported, neither when the package was built, nor now. The symptoms are that custom SELinux modules distributed with packages like pcp-selinux were disabled. We have a test which installs all such modules, and again no such issue appears. There does not seem to be any related change in the latest selinux-policy-build. So I really wonder what makes the difference.
The problems I reported are consistently reproducible -- installation errors with selinux-policy-targeted:
possibly problematic changes affecting other installed software:
[246478.555098] SELinux: Converting 907 SID table entries...
[246478.555170] SELinux: Context system_u:object_r:usbguard_unit_file_t:s0 became invalid (unmapped).
[246478.555178] SELinux: Context system_u:object_r:phc2sys_unit_file_t:s0 became invalid (unmapped).
[246478.555181] SELinux: Context system_u:object_r:ptp4l_unit_file_t:s0 became invalid (unmapped).
[246478.555189] SELinux: Context system_u:object_r:timemaster_unit_file_t:s0 became invalid (unmapped).
[246478.555410] SELinux: Context system_u:object_r:container_var_lib_t:s0 became invalid (unmapped).
[246478.556147] SELinux: Context system_u:object_r:container_runtime_exec_t:s0 became invalid (unmapped).
[246478.556148] SELinux: Context system_u:object_r:conmon_exec_t:s0 became invalid (unmapped).
[246478.556181] SELinux: Context system_u:object_r:usbguard_conf_t:s0 became invalid (unmapped).
[246478.556250] SELinux: Context system_u:object_r:usbguard_rules_t:s0 became invalid (unmapped).
[246478.556260] SELinux: Context system_u:object_r:usbguard_log_t:s0 became invalid (unmapped).
[246478.556336] SELinux: Context system_u:object_r:usbguard_exec_t:s0 became invalid (unmapped).
[246478.556348] SELinux: Context unconfined_u:unconfined_r:container_runtime_t:s0-s0:c0.c1023 became invalid (unmapped).
[246478.556353] SELinux: Context system_u:object_r:passt_exec_t:s0 became invalid (unmapped).
[246478.556355] SELinux: Context system_u:object_r:swtpm_exec_t:s0 became invalid (unmapped).
[246478.556358] SELinux: Context system_u:object_r:pasta_exec_t:s0 became invalid (unmapped).
[246478.556365] SELinux: Context system_u:object_r:flatpak_helper_exec_t:s0 became invalid (unmapped).
[246478.556369] SELinux: Context system_u:object_r:smartdwarn_script_t:s0 became invalid (unmapped).
and interference with the installation of other packages that would otherwise succeed with selinux-policy*41.28-1.fc41:
$sudo dnf upgrade --best podman
Updating and loading repositories:
Repositories loaded.
Package Arch Version Repository Size
Upgrading:
podman x86_64 5:5.3.1-3.fc41 updates-testing 48.1 MiB
replacing podman x86_64 5:5.3.1-1.fc41 updates 48.6 MiB
Transaction Summary:
Upgrading: 1 package
Replacing: 1 package
Total size of inbound packages is 15 MiB. Need to download 15 MiB.
After this operation, 496 KiB will be freed (install 48 MiB, remove 49 MiB).
Is this ok [y/N]: y
[1/1] podman-5:5.3.1-3.fc41.x86_64 100% | 16.9 MiB/s | 14.9 MiB | 00m01s
[1/1] Total 100% | 14.5 MiB/s | 14.9 MiB | 00m01s
Running transaction
[1/4] Verify package files 100% | 11.0 B/s | 1.0 B | 00m00s
[2/4] Prepare transaction 100% | 3.0 B/s | 2.0 B | 00m01s
[3/4] Upgrading podman-5:5.3.1-3.fc41.x86_64 100% | 258.8 MiB/s | 48.1 MiB | 00m00s
I made some more investigations, and reported https://bugzilla.redhat.com/show_bug.cgi?id=2342260. This really is specific to updating selinux-policy together with some other foo-selinux in the same dnf run. Updating separately works. The observable difference other than the "policy rejections" is that "semodule -l" has an additional "extra_binsbin" policy in the broken case.
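A triage helper for the kernel messages quoted in this thread, added here as an example and not part of any comment or of the selinux-policy project: it replays the "left unmapped" / "became invalid" / "became valid" events in order and reports which SELinux types are still unmapped after the last policy reload. The function names and the SAMPLE text (spliced together from the dmesg excerpts above) are assumptions of this example.

```python
import re
import sys

# Kernel messages seen in this thread when a policy load drops or restores a type.
EVENT = re.compile(
    r"SELinux:\s+Context (?P<ctx>\S+) "
    r"(?P<what>is not valid \(left unmapped\)"
    r"|became invalid \(unmapped\)"
    r"|became valid \(mapped\))"
)

# Constructed sample: lines taken from the excerpts on this page, spliced into
# one sequence (boot with broken policy, downgrade, upgrade again).
SAMPLE = """\
[ 8.620851] SELinux: Context system_u:object_r:usbguard_unit_file_t:s0 is not valid (left unmapped).
[ 38.513976] SELinux: Context system_u:object_r:conmon_exec_t:s0 is not valid (left unmapped).
[53203.849275] SELinux: Converting 778 SID table entries...
[53203.849345] SELinux: Context system_u:object_r:usbguard_unit_file_t:s0 became valid (mapped).
[53203.850388] SELinux: Context system_u:object_r:conmon_exec_t:s0 became valid (mapped).
[246478.555170] SELinux: Context system_u:object_r:usbguard_unit_file_t:s0 became invalid (unmapped).
[246478.556348] SELinux: Context unconfined_u:unconfined_r:container_runtime_t:s0-s0:c0.c1023 became invalid (unmapped).
"""


def unmapped_contexts(lines):
    """Replay events in log order; return contexts unmapped after the last one."""
    unmapped = {}  # context -> True while the loaded policy cannot map it
    for line in lines:
        m = EVENT.search(line)
        if m:
            unmapped[m["ctx"]] = m["what"] != "became valid (mapped)"
    return [ctx for ctx, bad in unmapped.items() if bad]


def unmapped_types(lines):
    """Same as unmapped_contexts, reduced to the type field (user:role:type:level)."""
    types = []
    for ctx in unmapped_contexts(lines):
        t = ctx.split(":")[2]
        if t not in types:
            types.append(t)
    return types


if __name__ == "__main__":
    # Read a kernel log from stdin when piped, otherwise use the sample.
    source = SAMPLE.splitlines() if sys.stdin.isatty() else sys.stdin
    for t in unmapped_types(source):
        print(t)
```

Fed the output of `dmesg` or `journalctl -k` after a dnf transaction, a non-empty result lists the types whose defining modules are no longer loaded, which can then be compared with `semodule -l`.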
no issues
This update has been obsoleted by selinux-policy-41.30-1.fc41.