error: %prein(selinux-policy-targeted-3.13.1-157.fc23.noarch) scriptlet
failed, exit status 126
Error in PREIN scriptlet in rpm package selinux-policy-targeted
How can I diagnose this? Where can I dig out the exact reason why the
scriptlets are failing?
Once you know a specific package that fails like that, you could query its
scriptlets section and try to reproduce manually:
rpm -q --scripts selinux-policy-targeted
At the top find the %prein section. It doesn't do much, but it may run some
external commands.
Thanks a lot for the hint. So I tried looking at the very first package that
had any failure at all (albeit nonfatal), during the initial filesystem
installation. That was glibc. :-( It was a POSTIN failure.
"rpm -q --scripts glibc" tells me that "postinstall program" is set to
/usr/sbin/glibc_post_upgrade.x86_64. This binary is both in the installation environment and in the
sysimage (even twice, perhaps hardlinked, in /sbin and /usr/sbin).
When I chroot into the sysimage, I can run the glibc_post_upgrade.x86_64 binary
just fine and its exit code is 0. Yet upon glibc (re)installation, I'm getting
that non-fatal error message saying that its exit code was 126.
So the question is why glibc_post_upgrade.x86_64 can't be run by/from rpm. Does rpm try
to execute the postinstall oneliner using a shell that could be missing? Executing simply
"sh" in the sysimage chroot works fine though...
Could someone please point me to the sources of rpm/dnf/whatever where the
"postinstall program" command gets executed? It seems that I can't reproduce
the failure manually. And it's probably not worth looking into all the subsequent
failures until I know more about the very first one.
OK, I think solved this. It was partially a human error and partially a tiny
glitch in the blogpost linked from my original post. But I'll post the answer
nonetheless, hoping that it could once help someone.
Short answer: First, you must "mount -o bind /sys/fs/selinux
/mnt/sysimage/sys/fs/selinux". Second, also mount /mnt/sysimage/proc *before*
attempting to install 'filesystem'. That's it. That's all.
How I found out where the problem was:
1) I installed 'strace' into the installation environment (pretty
straightforward). Not sure if you need network access for that, but I did have
it, so I think I got it from updates or the like.
2) I took the very first package with non-fatal errors, 'glibc', and reinstalled it
under strace: "strace -f dnf install -y --releasever=23 --installroot=/mnt/sysimage
glibc 2>/tmp/strace"
3) In /tmp/strace, I grep'd for whatever could be related to a child
exiting with code 126. And indeed, I found 2 messages saying that a process
exited with code 126 (corresponding to 2 benign errors).
4) In the strace messages of the failing child process, there were ~3
unsuccessful file accesses. Two were unsuccessful /proc accesses and the third
one failed to open /sys/fs/selinux/enforce.
5) And bingo! Indeed, /sys/fs/selinux/enforce (or anything else in
/sys/fs/selinux) was simply not there, because "mount -o bind /sys ..." doesn't
apply to mountpoints nested deeper in the directory.
So I wiped out the new root, recreated my complex structure of subvolumes,
creating and mounting /sys, /sys/fs/selinux and /proc manually *before* the
initial 'filesystem' package installation. Otherwise things seemed to start
breaking from that point on.
The 'filesystem' package errors were non-fatal and therefore it could well be
the case that the missing /sys/fs/selinux mount was the only culprit that
caused my first installation attempt to fail. But to be on the safe side, next
time I'll set up /proc, /sys, and /sys/fs/selinux manually.
OK, this is it. Bypassing Anaconda and doing a custom partition layout is
perfectly feasible. :-) It just doesn't have a sufficient coverage in the
documentation.
Cheers,
Andrej
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
