error: %prein(selinux-policy-targeted-3.13.1-157.fc23.noarch) scriptlet failed, exit status 126
Error in PREIN scriptlet in rpm package selinux-policy-targeted
How can I diagnose this? Where can I dig out the exact reason why the scriptlets are failing?
Once you know a specific package that fails like that, you could query its
scriptlets section and try to reproduce manually:
rpm -q --scripts selinux-policy-targeted
At the top find the %prein section. It doesn't do much, but it may run some
external commands.
Thanks a lot for the hint. So I tried looking at the very first package that had any failure at all (albeit nonfatal), during the initial filesystem installation. That was glibc. :-( It was a POSTIN failure.
"rpm -q --scripts glibc" tells me that "postinstall program" is set to /usr/sbin/glibc_post_upgrade.x86_64. This binary is both in the installation environment and in the sysimage (even twice, perhaps hardlinked, in /sbin and /usr/sbin).
When I chroot into the sysimage, I can run the glibc_post_upgrade.x86_64 binary just fine and its exit code is 0. Yet upon glibc (re)installation, I'm getting that non-fatal error message saying that its exit code was 126.
So the question is why glibc_post_upgrade.x86_64 can't be run by/from rpm. Does rpm try to execute the postinstall oneliner using a shell that could be missing? Executing simply "sh" in the sysimage chroot works fine though...
Could someone please point me to the sources of rpm/dnf/whatever where the "postinstall program" command gets executed? It seems that I can't reproduce the failure manually. And it's probably not worth looking into all the subsequent failures until I know more about the very first one.
OK, I think solved this. It was partially a human error and partially a tiny glitch in the blogpost linked from my original post. But I'll post the answer nonetheless, hoping that it could once help someone.
Short answer: First, you must "mount -o bind /sys/fs/selinux /mnt/sysimage/sys/fs/selinux". Second, also mount /mnt/sysimage/proc *before* attempting to install 'filesystem'. That's it. That's all.
How I found out where the problem was:
1) I installed 'strace' into the installation environment (pretty straightforward). Not sure if you need network access for that, but I did have it, so I think I got it from updates or the like.
2) I took the very first package with non-fatal errors, 'glibc', and reinstalled it under strace: "strace -f dnf install -y --releasever=23 --installroot=/mnt/sysimage glibc 2>/tmp/strace"
3) In /tmp/strace, I grep'd for whatever could be related to a child exiting with code 126. And indeed, I found 2 messages saying that a process exited with code 126 (corresponding to 2 benign errors).
4) In the strace messages of the failing child process, there were ~3 unsuccessful file accesses. Two were unsuccessful /proc accesses and the third one failed to open /sys/fs/selinux/enforce.
5) And bingo! Indeed, /sys/fs/selinux/enforce (or anything else in /sys/fs/selinux) was simply not there, because "mount -o bind /sys ..." doesn't apply to mountpoints nested deeper in the directory.
So I wiped out the new root, recreated my complex structure of subvolumes, creating and mounting /sys, /sys/fs/selinux and /proc manually *before* the initial 'filesystem' package installation. Otherwise things seemed to start breaking from that point on.
The 'filesystem' package errors were non-fatal and therefore it could well be the case that the missing /sys/fs/selinux mount was the only culprit that caused my first installation attempt to fail. But to be on the safe side, next time I'll set up /proc, /sys, and /sys/fs/selinux manually.
OK, this is it. Bypassing Anaconda and doing a custom partition layout is perfectly feasible. :-) It just doesn't have a sufficient coverage in the documentation.
Cheers,
Andrej
--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
