On 21 Sep 2023 at 16:23, Zdenek Pytela wrote:

From:           Zdenek Pytela <zpytela@xxxxxxxxxx>
Date sent:      Thu, 21 Sep 2023 16:23:01 +0200
Subject:        Re: Noticed Failed message with selinux-policy-targeted on 3 of 5 machines??
To:             mikes@xxxxxxxx
Copies to:      Community support for Fedora users <users@xxxxxxxxxxxxxxxxxxxxxxx>
Send reply to:  Community support for Fedora users <users@xxxxxxxxxxxxxxxxxxxxxxx>

> On Thu, Sep 21, 2023 at 12:28 AM Michael D. Setzer II <mikes@xxxxxxxx> wrote:
> On 20 Sep 2023 at 19:57, Zdenek Pytela wrote:
>
> From:           Zdenek Pytela <zpytela@xxxxxxxxxx>
> Date sent:      Wed, 20 Sep 2023 19:57:31 +0200
> Subject:        Re: Noticed Failed message with selinux-policy-targeted on 3 of 5 machines??
> To:             mikes@xxxxxxxx, Community support for Fedora users <users@xxxxxxxxxxxxxxxxxxxxxxx>
> Send reply to:  Community support for Fedora users <users@xxxxxxxxxxxxxxxxxxxxxxx>
>
> > On Wed, Sep 20, 2023 at 8:25 AM Michael D. Setzer II via users <users@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
> > In running dnf update on 5 machines noticed a fail message on 3 of 5?
> > To double check ran dnf reinstall selinux* and get this on failing systems?
> >
> > Running transaction check
> > Transaction check succeeded.
> > Running transaction test
> > Transaction test succeeded.
> > Running transaction
> >   Running scriptlet: selinux-policy-minimum-38.28-1.fc38.noarch 1/1
> >   Running scriptlet: selinux-policy-targeted-38.28-1.fc38.noarch 1/1
> >   Preparing : 1/1
> >   Reinstalling : selinux-policy-38.28-1.fc38.noarch 1/8
> >   Running scriptlet : selinux-policy-38.28-1.fc38.noarch 1/8
> >   Running scriptlet : selinux-policy-minimum-38.28-1.fc38.noarch 2/8
> >   Reinstalling : selinux-policy-minimum-38.28-1.fc38.noarch 2/8
> >   Running scriptlet : selinux-policy-minimum-38.28-1.fc38.noarch 2/8
> >   Running scriptlet : selinux-policy-targeted-38.28-1.fc38.noarch 3/8
> >   Reinstalling : selinux-policy-targeted-38.28-1.fc38.noarch 3/8
> >   Running scriptlet : selinux-policy-targeted-38.28-1.fc38.noarch 3/8
> > Failed to resolve allow statement at /var/lib/selinux/targeted/tmp/modules/200/container/cil:1186
> > Failed to resolve AST
> > /usr/sbin/semodule: Failed!
> >
> >   Reinstalling : selinux-policy-devel-38.28-1.fc38.noarch 4/8
> >   Running scriptlet : selinux-policy-devel-38.28-1.fc38.noarch 4/8
> >   Cleanup : selinux-policy-devel-38.28-1.fc38.noarch 5/8
> >   Running scriptlet : selinux-policy-38.28-1.fc38.noarch 6/8
> >   Cleanup : selinux-policy-38.28-1.fc38.noarch 6/8
> >   Running scriptlet : selinux-policy-38.28-1.fc38.noarch 6/8
> >   Cleanup : selinux-policy-minimum-38.28-1.fc38.noarch 7/8
> >   Running scriptlet : selinux-policy-minimum-38.28-1.fc38.noarch 7/8
> >   Cleanup : selinux-policy-targeted-38.28-1.fc38.noarch 8/8
> >   Running scriptlet : selinux-policy-targeted-38.28-1.fc38.noarch 8/8
> >   Running scriptlet : selinux-policy-minimum-38.28-1.fc38.noarch 8/8
> >   Running scriptlet : selinux-policy-targeted-38.28-1.fc38.noarch 8/8
> >   Verifying : selinux-policy-38.28-1.fc38.noarch 1/8
> >   Verifying : selinux-policy-38.28-1.fc38.noarch 2/8
> >   Verifying : selinux-policy-devel-38.28-1.fc38.noarch 3/8
> >   Verifying : selinux-policy-devel-38.28-1.fc38.noarch 4/8
> >   Verifying : selinux-policy-minimum-38.28-1.fc38.noarch 5/8
> >   Verifying : selinux-policy-minimum-38.28-1.fc38.noarch 6/8
> >   Verifying : selinux-policy-targeted-38.28-1.fc38.noarch 7/8
> >   Verifying : selinux-policy-targeted-38.28-1.fc38.noarch 8/8
> >
> > Reinstalled:
> >   selinux-policy-38.28-1.fc38.noarch
> >   selinux-policy-devel-38.28-1.fc38.noarch
> >   selinux-policy-minimum-38.28-1.fc38.noarch
> >   selinux-policy-targeted-38.28-1.fc38.noarch
> >
> > Complete!
> >
> > Other day get a message about regex version not matching, and was told to
> > reinstall container-selinux. That doesn't seem to fix issue.
> > Did find changing to minimum option gets rid of the regex message?
> > But why 2 of the machines seem to have no problem, but other 3 get
> > same message?
> > Michael,
> >
> > The update results may depend on other components or if some
> > customizations are in place. What version is container-selinux?
> >
> > rpm -qa "selinux-policy*" "*-selinux"
> >
>
> rpm -qa | grep selinux-policy
> selinux-policy-38.28-1.fc38.noarch
> selinux-policy-minimum-38.28-1.fc38.noarch
> selinux-policy-devel-38.28-1.fc38.noarch
> selinux-policy-doc-38.28-1.fc38.noarch
> selinux-policy-targeted-38.28-1.fc38.noarch
> I wanted to see other packages, too. Maybe also
>
> semodule -lfull | grep -v ^100
>
>
> Noticed one machine that gets failed didn't have selinux-policy-doc
> installed and installed it, then tried reinstalling all the
> selinux-policy and still got error?
> Failed to resolve allow statement at /var/lib/selinux/targeted/tmp/modules/200/container/cil:1186
> Failed to resolve AST
> /usr/sbin/semodule: Failed!
> Files in that directory are
> -rw-------. 1 root root     2 Sep 21 08:09 lang_ext
> -rw-------. 1 root root 24411 Sep 21 08:09 hll
> -rw-------. 1 root root 13487 Sep 21 08:09 cil
>
> The cil file is a binary file, so not sure what :1186 means?
> that tmp directory doesn't exist on my notebook that doesn't have
> error?
> It's a temporary directory used for the policy rebuild. Try this:
>
> f39# file /var/lib/selinux/targeted/active/modules/200/container/cil
> /var/lib/selinux/targeted/active/modules/200/container/cil: bzip2 compressed data, block size = 500k
> f39# file -z /var/lib/selinux/targeted/active/modules/200/container/cil
> /var/lib/selinux/targeted/active/modules/200/container/cil: ASCII text, with very long lines (446) (bzip2 compressed data, block size = 500k)
> f39# bunzip2 </var/lib/selinux/targeted/active/modules/200/container/cil | sed -n '1180,1187p'
>
> What's in the output?

(allow container_runtime_domain spc_t (netlink_crypto_socket (relabelfrom relabelto)))
(allow container_runtime_domain spc_t (sctp_socket (relabelfrom relabelto)))
(allow container_runtime_domain spc_t (icmp_socket (relabelfrom relabelto)))
(allow container_runtime_domain spc_t (ax25_socket (relabelfrom relabelto)))
(allow container_runtime_domain spc_t (ipx_socket (relabelfrom relabelto)))
(allow container_runtime_domain spc_t (netrom_socket (relabelfrom relabelto)))
(allow container_runtime_domain spc_t (bridge_socket (relabelfrom relabelto)))
(allow container_runtime_domain spc_t (atmpvc_socket (relabelfrom relabelto)))

>
> set selinux to minimal on machines.
> Don't understand this.

/usr/bin/python3 -Es /usr/share/system-config-selinux/system-config-selinux.py
Under Status set to Permissive, Permissive, Minimum since Targeted was showing failed message.

> >
> > I cannot reproduce your problem using any updating path with the latest
> > package versions.
> >
> > _______________________________________________
> > users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
> > To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
> > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxg
> > Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
> >
> > --
> >
> > Zdenek Pytela
> > Security SELinux team
>
> +------------------------------------------------------------+
> Michael D. Setzer II - Computer Science Instructor (Retired)
> mailto:mikes@xxxxxxxx
> mailto:msetzerii@xxxxxxxxx
> Guam - Where America's Day Begins
> G4L Disk Imaging Project maintainer
> http://sourceforge.net/projects/g4l/
> +------------------------------------------------------------+
>
> --
>
> Zdenek Pytela
> Security SELinux team

+------------------------------------------------------------+
Michael D. Setzer II - Computer Science Instructor (Retired)
mailto:mikes@xxxxxxxx
mailto:msetzerii@xxxxxxxxx
Guam - Where America's Day Begins
G4L Disk Imaging Project maintainer
http://sourceforge.net/projects/g4l/
+------------------------------------------------------------+
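
The lookup discussed in this thread, as an added Python example that is not part of the original messages: it parses the semodule error, maps the tmp store path to the active one, decompresses the bzip2 cil file and returns the lines around the reported number. The function names and the 1200-line module file are constructed for illustration.

```python
import bz2
import re
import tempfile
from pathlib import Path

# Shape of the error quoted in the thread; the path may wrap onto the next line.
ERR_RE = re.compile(r"Failed to resolve (\w+) statement at\s+(\S+):(\d+)")

def parse_semodule_error(text):
    """Return (statement_kind, cil_path, line_number), or None if not found."""
    m = ERR_RE.search(text)
    return (m.group(1), Path(m.group(2)), int(m.group(3))) if m else None

def active_copy(path):
    """Map <store>/tmp/modules/... (rebuild-only) to <store>/active/modules/..."""
    parts = list(path.parts)
    for i in range(len(parts) - 1):
        if parts[i] == "tmp" and parts[i + 1] == "modules":
            parts[i] = "active"
            return Path(*parts)
    return path

def read_cil_lines(path):
    """Read a module's cil file, decompressing it when it has the bzip2 magic."""
    raw = Path(path).read_bytes()
    if raw.startswith(b"BZh"):
        raw = bz2.decompress(raw)
    return raw.decode("utf-8", errors="replace").splitlines()

def context(lines, line_no, before=6, after=1):
    """Numbered lines around line_no, like sed -n '1180,1187p' for line 1186."""
    if not 1 <= line_no <= len(lines):
        raise ValueError(f"line {line_no} is outside the file ({len(lines)} lines)")
    lo, hi = max(1, line_no - before), min(len(lines), line_no + after)
    return [(n, lines[n - 1], n == line_no) for n in range(lo, hi + 1)]

def demo():
    """Run the lookup on a constructed 1200-line module file in a temp directory."""
    err = ("Failed to resolve allow statement at\n"
           "/var/lib/selinux/targeted/tmp/modules/200/container/cil:1186\n")
    kind, path, line_no = parse_semodule_error(err)
    body = "\n".join(f"(allow a_t b_t (class_{n} (perm)))" for n in range(1, 1201))
    with tempfile.TemporaryDirectory() as root:
        cil = Path(root) / active_copy(path).relative_to("/")
        cil.parent.mkdir(parents=True)
        cil.write_bytes(bz2.compress(body.encode()))
        return kind, active_copy(path), context(read_cil_lines(cil), line_no)

if __name__ == "__main__":
    print("\n".join(f"{'>>' if hit else '  '} {n}: {t}" for n, t, hit in demo()[2]))
```

On a real system, pass the captured semodule output to parse_semodule_error and call read_cil_lines on the active path as root, since the module store files are mode 0600.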