On Thu, Sep 21, 2023 at 12:28 AM Michael D. Setzer II <mi...@guam.net> wrote:
> On 20 Sep 2023 at 19:57, Zdenek Pytela wrote:
>
> From: Zdenek Pytela <zpyt...@redhat.com>
> Date sent: Wed, 20 Sep 2023 19:57:31 +0200
> Subject: Re: Noticed Failed message with selinux-policy-targeted on
> 3 of 5 machines??
> To: mi...@guam.net,
> Community support for Fedora users <users@lists.fedoraproject.org>
> Send reply to: Community support for Fedora users <
> users@lists.fedoraproject.org>
>
> >
> > On Wed, Sep 20, 2023 at 8:25 AM Michael D. Setzer II via users
> > <users@lists.fedoraproject.org> wrote:
> > In running dnf update on 5 machines noticed a fail message on 3 of 5?
> > To double check ran dnf reinstall selinux* and get this on failing
> > systems?
> >
> > Running transaction check
> > Transaction check succeeded.
> > Running transaction test
> > Transaction test succeeded.
> > Running transaction
> > Running scriptlet:
> > selinux-policy-minimum-38.28-1.fc38.noarch 1/1
> > Running scriptlet:
> > selinux-policy-targeted-38.28-1.fc38.noarch 1/1
> > Preparing : 1/1
> > Reinstalling : selinux-policy-38.28-1.fc38.noarch 1/8
> > Running scriptlet : selinux-policy-38.28-1.fc38.noarch 1/8
> > Running scriptlet :
> > selinux-policy-minimum-38.28-1.fc38.noarch 2/8
> > Reinstalling :
> > selinux-policy-minimum-38.28-1.fc38.noarch 2/8
> > Running scriptlet :
> > selinux-policy-minimum-38.28-1.fc38.noarch 2/8
> > Running scriptlet :
> > selinux-policy-targeted-38.28-1.fc38.noarch 3/8
> > Reinstalling : selinux-policy-targeted-38.28-1.fc38.noarch 3/8
> > Running scriptlet :
> > selinux-policy-targeted-38.28-1.fc38.noarch 3/8
> > Failed to resolve allow statement at
> > /var/lib/selinux/targeted/tmp/modules/200/container/cil:1186
> > Failed to resolve AST
> > /usr/sbin/semodule: Failed!
> >
> > Reinstalling : selinux-policy-devel-38.28-1.fc38.noarch 4/8
> > Running scriptlet : selinux-policy-devel-38.28-1.fc38.noarch 4/8
> > Cleanup : selinux-policy-devel-38.28-1.fc38.noarch 5/8
> > Running scriptlet : selinux-policy-38.28-1.fc38.noarch 6/8
> > Cleanup : selinux-policy-38.28-1.fc38.noarch 6/8
> > Running scriptlet : selinux-policy-38.28-1.fc38.noarch 6/8
> > Cleanup : selinux-policy-minimum-38.28-1.fc38.noarch 7/8
> > Running scriptlet :
> > selinux-policy-minimum-38.28-1.fc38.noarch 7/8
> > Cleanup : selinux-policy-targeted-38.28-1.fc38.noarch 8/8
> > Running scriptlet :
> > selinux-policy-targeted-38.28-1.fc38.noarch 8/8
> > Running scriptlet :
> > selinux-policy-minimum-38.28-1.fc38.noarch 8/8
> > Running scriptlet :
> > selinux-policy-targeted-38.28-1.fc38.noarch 8/8
> > Verifying : selinux-policy-38.28-1.fc38.noarch 1/8
> > Verifying : selinux-policy-38.28-1.fc38.noarch 2/8
> > Verifying : selinux-policy-devel-38.28-1.fc38.noarch 3/8
> > Verifying : selinux-policy-devel-38.28-1.fc38.noarch 4/8
> > Verifying : selinux-policy-minimum-38.28-1.fc38.noarch 5/8
> > Verifying : selinux-policy-minimum-38.28-1.fc38.noarch 6/8
> > Verifying : selinux-policy-targeted-38.28-1.fc38.noarch 7/8
> > Verifying : selinux-policy-targeted-38.28-1.fc38.noarch 8/8
> >
> > Reinstalled:
> > selinux-policy-38.28-1.fc38.noarch
> > selinux-policy-devel-38.28-1.fc38.noarch
> > selinux-policy-minimum-38.28-1.fc38.noarch
> > selinux-policy-targeted-38.28-1.fc38.noarch
> >
> > Complete!
> >
> > Other day get a message about regex version not matching, and
> > was told to
> > reinstall container-selinux. That doesn't seem to fix issue.
> > Did find changing to minimum option gets rid of the regex message?
> > But why 2 of the machines seem to have no problem, but other 3 get
> > same message?
> >
> > Michael,
> >
> > The update results may depend on other components or if some
> > customizations are in place. What version is container-selinux?
> >
> > rpm -qa "selinux-policy*" "*-selinux"
> >
>
> rpm -qa | grep selinux-policy
> selinux-policy-38.28-1.fc38.noarch
> selinux-policy-minimum-38.28-1.fc38.noarch
> selinux-policy-devel-38.28-1.fc38.noarch
> selinux-policy-doc-38.28-1.fc38.noarch
> selinux-policy-targeted-38.28-1.fc38.noarch
>

I wanted to see other packages, too. Maybe also

semodule -lfull | grep -v ^100

> Noticed one machine that gets failed didn't have selinux-policy-doc
> installed and installed it, then tried reinstalling all the
> selinux-policy and still got error?
> Failed to resolve allow statement at
> /var/lib/selinux/targeted/tmp/modules/200/container/cil:1186
> Failed to resolve AST
> /usr/sbin/semodule: Failed!
> Files in that directory are
> -rw-------. 1 root root 2 Sep 21 08:09 lang_ext
> -rw-------. 1 root root 24411 Sep 21 08:09 hll
> -rw-------. 1 root root 13487 Sep 21 08:09 cil
>
> The cil file is a binary file, so not sure what :1186 means?
> that tmp directory doesn't exist on my notebook that doesn't have
> error?
>

It's a temporary directory used for the policy rebuild.
Try this:

f39# file /var/lib/selinux/targeted/active/modules/200/container/cil
/var/lib/selinux/targeted/active/modules/200/container/cil: bzip2 compressed data, block size = 500k
f39# file -z /var/lib/selinux/targeted/active/modules/200/container/cil
/var/lib/selinux/targeted/active/modules/200/container/cil: ASCII text, with very long lines (446) (bzip2 compressed data, block size = 500k)
f39# bunzip2 </var/lib/selinux/targeted/active/modules/200/container/cil | sed -n '1180,1187p'

What's in the output?

set selinux to minimal on machines.
> Don't understand this.
>
> > I cannot reproduce your problem using any updating path with the latest
> > package versions.
> >
> > _______________________________________________
> > users mailing list -- users@lists.fedoraproject.org
> > To unsubscribe send an email to users-le...@lists.fedoraproject.org
> > Fedora Code of Conduct:
> > https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives:
> > https://lists.fedoraproject.org/archives/list/us...@lists.fedoraproject.org
> > Do not reply to spam, report it:
> > https://pagure.io/fedora-infrastructure/new_issue
> >
> >
> > --
> >
> > Zdenek Pytela
> > Security SELinux team
> >
> +------------------------------------------------------------+
> Michael D. Setzer II - Computer Science Instructor (Retired)
> mailto:mi...@guam.net
> mailto:msetze...@gmail.com
> Guam - Where America's Day Begins
> G4L Disk Imaging Project maintainer
> http://sourceforge.net/projects/g4l/
> +------------------------------------------------------------+
>

--
Zdenek Pytela
Security SELinux team
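
The check described in this message (the `cil` file is bzip2-compressed text, and `:1186` is a line number inside it) can be scripted as below. This is an added example, not part of the original message or of any Fedora tool; the function names are hypothetical, and it looks at the leftover `tmp/` copy first and the `active/` copy second.

```python
# Added example, not from the thread; function names are hypothetical.
import bz2
import re
from pathlib import Path

ERR_RE = re.compile(r"Failed to resolve (\w+) statement at\s+(\S+):(\d+)")
ALLOW_RE = re.compile(r"\(allow\s+(\S+)\s+(\S+)\s+\((\S+)\s+\(([^()]*)\)\)\)")

def parse_error(message):
    """Return (statement, path, line) from the semodule message, or None."""
    m = ERR_RE.search(message)
    return (m.group(1), m.group(2), int(m.group(3))) if m else None

def candidates(reported, root=Path("/")):
    """The tmp/ copy left by the failed rebuild first, then the active/ copy."""
    rel = reported.lstrip("/")
    return [root / rel, root / rel.replace("/tmp/modules/", "/active/modules/")]

def read_cil(path):
    """Return CIL text, decompressing when the file starts with bzip2 magic."""
    raw = Path(path).read_bytes()
    if raw.startswith(b"BZh"):
        raw = bz2.decompress(raw)
    return raw.decode("utf-8", errors="replace")

def context(path, lineno, before=6, after=1):
    """Numbered lines around lineno (1186 -> 1180..1187, as in the sed call)."""
    lines = read_cil(path).splitlines()
    lo, hi = max(1, lineno - before), min(len(lines), lineno + after)
    return [(n, lines[n - 1]) for n in range(lo, hi + 1)]

def allow_fields(line):
    """Split a simple '(allow src tgt (class (perms)))' into names to check."""
    m = ALLOW_RE.search(line or "")
    return {"source": m.group(1), "target": m.group(2),
            "class": m.group(3), "perms": m.group(4).split()} if m else None

def explain(message, root=Path("/")):
    """Locate the statement semodule could not resolve; None if not found."""
    parsed = parse_error(message)
    if parsed is None:
        return None
    kind, reported, lineno = parsed
    path = next((p for p in candidates(reported, root) if p.is_file()), None)
    if path is None:
        return None
    ctx = context(path, lineno)
    return {"kind": kind, "file": path, "context": ctx,
            "names": allow_fields(dict(ctx).get(lineno))}
```

Reading the module store requires root, since the files are mode 0600 as the listing in the message shows. The names returned for the failing line are the ones to compare against the installed policy and the `container-selinux` version.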