Bug 1531858 - On fully upgraded F27, can't install container-selinux
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: container-selinux
Version: 27
Hardware: Unspecified
OS: Unspecified
Assignee: Lokesh Mandvekar
QA Contact: Fedora Extras Quality Assurance
Reported: 2018-01-06 08:21 UTC by Robin Powell
Modified: 2018-01-23 21:46 UTC (History)

Fixed In Version: container-selinux-2.40-1.fc26 container-selinux-2.42-1.fc27
Last Closed: 2018-01-23 21:17:33 UTC
Type: Bug

Description Robin Powell 2018-01-06 08:21:15 UTC
Starting state:

rlpowell@vrici> sudo dnf list installed '*selinux*'
Installed Packages
container-selinux.noarch                                                                                    2:2.37-1.fc27                                                                                    @updates
libselinux.x86_64                                                                                           2.7-3.fc27                                                                                       @updates
libselinux-devel.x86_64                                                                                     2.7-3.fc27                                                                                       @updates
libselinux-python.x86_64                                                                                    2.7-3.fc27                                                                                       @updates
libselinux-python3.x86_64                                                                                   2.7-3.fc27                                                                                       @updates
libselinux-ruby.x86_64                                                                                      2.7-3.fc27                                                                                       @updates
libselinux-utils.x86_64                                                                                     2.7-3.fc27                                                                                       @updates
rpm-plugin-selinux.x86_64                                                                                   4.14.0-2.fc27                                                                                    @fedora
selinux-policy.noarch                                                                                       3.13.1-283.19.fc27                                                                               @updates
selinux-policy-devel.noarch                                                                                 3.13.1-283.19.fc27                                                                               @updates
selinux-policy-doc.noarch                                                                                   3.13.1-283.19.fc27                                                                               @updates
selinux-policy-targeted.noarch                                                                              3.13.1-283.19.fc27                                                                               @updates

This host has unconfined disabled.  And:

rlpowell@vrici> sudo dnf reinstall container-selinux.noarch
Last metadata expiration check: 1:39:47 ago on Fri 05 Jan 2018 10:33:43 PM PST.
Dependencies resolved.
=====================================================================================================================================================================================================================
 Package                                                  Arch                                          Version                                                 Repository                                      Size
=====================================================================================================================================================================================================================
Reinstalling:
 container-selinux                                        noarch                                        2:2.37-1.fc27                                           updates                                         36 k

Transaction Summary
=====================================================================================================================================================================================================================

Total download size: 36 k
Is this ok [y/N]: y
Downloading Packages:
container-selinux-2.37-1.fc27.noarch.rpm                                                                                                                                              66 kB/s |  36 kB     00:00
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                                                                                                 32 kB/s |  36 kB     00:01
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                                                                                                                                             1/1
  Reinstalling     : container-selinux-2:2.37-1.fc27.noarch                                                                                                                                                      1/2
  Running scriptlet: container-selinux-2:2.37-1.fc27.noarch                                                                                                                                                      1/2
Child type container_t exceeds bounds of parent container_runtime_t
Child type container_t exceeds bounds of parent container_runtime_t
  (allow container_t container_file_t (chr_file (map execute)))
    <root>
    allow at /var/lib/selinux/targeted/tmp/modules/200/container/cil:1284
      (allow container_t container_file_t (chr_file (ioctl read getattr map execute open)))
  (allow container_t console_device_t (chr_file (read)))
    <root>
    allow at /var/lib/selinux/targeted/tmp/modules/200/container/cil:1191
      (allow container_domain console_device_t (chr_file (ioctl read write getattr lock append)))
  (allow container_t tty_device_t (chr_file (ioctl read write lock append)))
    <root>
    allow at /var/lib/selinux/targeted/tmp/modules/200/container/cil:1190
      (allow container_domain tty_device_t (chr_file (ioctl read write getattr lock append)))
  (allow container_t xen_devpts_t (chr_file (ioctl read write lock append)))
    <root>
    allow at /var/lib/selinux/targeted/tmp/modules/200/container/cil:1187
      (allow container_domain ptynode (chr_file (ioctl read write getattr lock append)))
  (allow container_t svirt_tcg_devpts_t (chr_file (ioctl read write lock append)))
    <See previous>
  (allow container_t svirt_devpts_t (chr_file (ioctl read write lock append)))
    <See previous>
  (allow container_t uml_devpts_t (chr_file (ioctl read write lock append)))
    <See previous>
  (allow container_t telnetd_devpts_t (chr_file (ioctl read write lock append)))
    <See previous>
  (allow container_t sandbox_devpts_t (chr_file (ioctl read write lock append)))
    <See previous>
  (allow container_t rssh_devpts_t (chr_file (ioctl read write lock append)))
    <See previous>
  (allow container_t rlogind_devpts_t (chr_file (ioctl read write lock append)))
    <See previous>
  (allow container_t rhgb_devpts_t (chr_file (ioctl read write lock append)))
    <See previous>
  (allow container_t pppd_devpts_t (chr_file (ioctl read write lock append)))
    <See previous>
  (allow container_t openfortivpn_devpts_t (chr_file (ioctl read write lock append)))
    <See previous>
  (allow container_t nx_server_devpts_t (chr_file (ioctl read write lock append)))
    <See previous>
  (allow container_t ipsec_mgmt_devpts_t (chr_file (ioctl read write lock append)))
    <See previous>
  (allow container_t games_devpts_t (chr_file (ioctl read write lock append)))
    <See previous>
  (allow container_t ajaxterm_devpts_t (chr_file (ioctl read write lock append)))
    <See previous>
Failed to generate binary
/usr/sbin/semodule:  Failed!
  Erasing          : container-selinux-2:2.37-1.fc27.noarch                                                                                                                                                      2/2
  Running scriptlet: container-selinux-2:2.37-1.fc27.noarch                                                                                                                                                      2/2
  Verifying        : container-selinux-2:2.37-1.fc27.noarch                                                                                                                                                      1/2
  Verifying        : container-selinux-2:2.37-1.fc27.noarch                                                                                                                                                      2/2

Reinstalled:
  container-selinux.noarch 2:2.37-1.fc27

Complete!
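
A small parser for the "exceeds bounds" report quoted in this description, as an added example that is not part of the original bug report or of container-selinux. It assumes, from the layout of the output on this page, that each two-space-indented rule is access the child type has beyond its parent and that the deeper-indented rule is the policy source line granting it; the function names and the shortened sample are constructed here.

```python
import re
from collections import defaultdict

# Constructed sample: a shortened copy of the semodule output quoted in this bug.
SAMPLE = """\
Child type container_t exceeds bounds of parent container_runtime_t
  (allow container_t container_file_t (chr_file (map execute)))
    <root>
    allow at /var/lib/selinux/targeted/tmp/modules/200/container/cil:1284
      (allow container_t container_file_t (chr_file (ioctl read getattr map execute open)))
  (allow container_t xen_devpts_t (chr_file (ioctl read write lock append)))
    <root>
    allow at /var/lib/selinux/targeted/tmp/modules/200/container/cil:1187
      (allow container_domain ptynode (chr_file (ioctl read write getattr lock append)))
  (allow container_t svirt_devpts_t (chr_file (ioctl read write lock append)))
    <See previous>
Failed to generate binary
"""

HEADER = re.compile(r"^Child type (\S+) exceeds bounds of parent (\S+)$")
RULE = re.compile(r"^(\s*)\(allow (\S+) (\S+) \((\S+) \(([^)]*)\)\)\)$")
ORIGIN = re.compile(r"^\s+allow at (\S+):(\d+)$")

def parse_bounds_report(text):
    """One record per offending rule: access the child has that the parent lacks."""
    records, child, parent, last_origin = [], None, None, None
    for line in (raw.rstrip() for raw in text.splitlines()):
        if m := HEADER.match(line):
            child, parent = m.groups()
        elif (m := ORIGIN.match(line)) and records:
            # Shared dict: later "<See previous>" records point at the same origin.
            last_origin = {"file": m.group(1), "line": int(m.group(2)), "via": None}
            records[-1]["origin"] = last_origin
        elif "<See previous>" in line and records:
            records[-1]["origin"] = last_origin
        elif (m := RULE.match(line)) and child:
            indent, src, tgt, cls, perms = m.groups()
            if len(indent) == 2:           # offending rule after attribute expansion
                records.append({"child": child, "parent": parent, "target": tgt,
                                "class": cls, "perms": perms.split(), "origin": None})
            elif last_origin is not None:  # deeper indent: rule as written in the policy
                last_origin["via"] = (src, tgt)
    return records

def group_by_origin(records):
    """Map (source line, source rule subject/target) to the target types it expanded to."""
    grouped = defaultdict(list)
    for r in records:
        o = r["origin"]  # None when the pasted output was cut off before the origin
        grouped[(o["line"], o["via"]) if o else (None, None)].append(r["target"])
    return dict(grouped)
```

Grouping by origin shows that the long run of `*_devpts_t` entries comes from a single rule on the `container_domain` attribute against `ptynode`, so one policy change accounts for all of them.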

Comment 1 Daniel Walsh 2018-01-06 12:34:55 UTC
Fixed in container-selinux-2.38-1.fc27

Comment 2 Robin Powell 2018-01-06 18:14:43 UTC
Not for me.  Downloaded the noarch from https://koji.fedoraproject.org/koji/buildinfo?buildID=1013878 and:


rlpowell@vrici> sudo dnf reinstall ./container-selinux-2.38-1.fc27.noarch.rpm
Last metadata expiration check: 2:07:28 ago on Sat 06 Jan 2018 08:06:25 AM PST.
Dependencies resolved.
==============================================================================================================================================================================
 Package                                       Arch                               Version                                      Repository                                Size
==============================================================================================================================================================================
Reinstalling:
 container-selinux                             noarch                             2:2.38-1.fc27                                @commandline                              36 k

Transaction Summary
==============================================================================================================================================================================

Total size: 36 k
Is this ok [y/N]: y
Downloading Packages:
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                                                                                                      1/1
  Reinstalling     : container-selinux-2:2.38-1.fc27.noarch                                                                                                               1/2
  Running scriptlet: container-selinux-2:2.38-1.fc27.noarch                                                                                                               1/2
Child type container_t exceeds bounds of parent container_runtime_t
  (allow container_t console_device_t (chr_file (read)))
    <root>
    allow at /var/lib/selinux/targeted/tmp/modules/200/container/cil:1193
      (allow container_domain console_device_t (chr_file (ioctl read write getattr lock append)))
  (allow container_t tty_device_t (chr_file (ioctl read write lock append)))
    <root>
    allow at /var/lib/selinux/targeted/tmp/modules/200/container/cil:1192
      (allow container_domain tty_device_t (chr_file (ioctl read write getattr lock append)))
  (allow container_t xen_devpts_t (chr_file (ioctl read write lock append)))
    <root>
    allow at /var/lib/selinux/targeted/tmp/modules/200/container/cil:1189
      (allow container_domain ptynode (chr_file (ioctl read write getattr lock append)))

Comment 3 Robin Powell 2018-01-07 02:35:23 UTC
(that last output is incomplete; I didn't figure it mattered)

Comment 4 Daniel Walsh 2018-01-08 13:43:49 UTC
Nope, I will fix it in next release
Fixed in container-selinux-2.39-1.fc27

Comment 5 Fedora Update System 2018-01-08 14:01:54 UTC
container-selinux-2.39-1.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2018-1d288c81a2

Comment 6 Fedora Update System 2018-01-08 14:02:16 UTC
container-selinux-2.39-1.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-e513053ca9

Comment 7 Daniel Walsh 2018-01-08 14:13:46 UTC
Robin, this time I tried it out on my F27 box with unconfined disabled and it installed ok.

Comment 8 Robin Powell 2018-01-08 17:09:50 UTC
Confirmed, thanks!

Comment 9 Robin Powell 2018-01-08 17:31:49 UTC
Hmm.  Let me know if you want me to open a new bug for this, but:

rlpowell@vrici> sudo semanage dontaudit off
Child type container_t exceeds bounds of parent container_runtime_t
  (allow container_t user_devpts_t (chr_file (open)))
    <root>
    allow at /var/lib/selinux/targeted/tmp/modules/200/container/cil:1199
      (allow container_domain user_devpts_t (chr_file (ioctl read write getattr lock append open)))
Failed to generate binary
OSError: [Errno 0] Error

Comment 10 Fedora Update System 2018-01-08 17:42:42 UTC
container-selinux-2.39-1.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-1d288c81a2

Comment 11 Daniel Walsh 2018-01-08 18:09:54 UTC
Robin, you got that after the update?

Comment 12 Fedora Update System 2018-01-08 20:30:24 UTC
container-selinux-2.39-1.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-e513053ca9

Comment 13 Robin Powell 2018-01-09 06:22:42 UTC
Yes, that was after sudo dnf install ./container-selinux-2.39-1.fc27.noarch.rpm

Comment 14 Daniel Walsh 2018-01-09 14:32:22 UTC
Weird that the first compile/install did not find it.  I did see a boolean that would allow this access 
daemons_use_tty --> off

Fixed in container-selinux-2.40-1

Comment 15 Fedora Update System 2018-01-09 16:55:07 UTC
container-selinux-2.41-1.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-8d78cc34a3

Comment 16 Fedora Update System 2018-01-09 16:55:32 UTC
container-selinux-2.40-1.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2018-827888cfdd

Comment 17 Robin Powell 2018-01-10 01:25:35 UTC
Confirmed.  Thank you!

Comment 18 Fedora Update System 2018-01-10 15:53:58 UTC
container-selinux-2.40-1.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-827888cfdd

Comment 19 Fedora Update System 2018-01-10 16:14:00 UTC
container-selinux-2.41-1.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-8d78cc34a3

Comment 20 Fedora Update System 2018-01-16 19:09:15 UTC
container-selinux-2.42-1.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-324df658f1

Comment 21 Fedora Update System 2018-01-21 10:39:31 UTC
container-selinux-2.42-1.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-324df658f1

Comment 22 Fedora Update System 2018-01-23 21:17:33 UTC
container-selinux-2.40-1.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.

Comment 23 Fedora Update System 2018-01-23 21:46:38 UTC
container-selinux-2.42-1.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

