On 21 Sep 2023 at 20:09, Zdenek Pytela wrote:

From: Zdenek Pytela <zpytela@xxxxxxxxxx>
Date sent: Thu, 21 Sep 2023 20:09:44 +0200
Subject: Re: Noticed Failed message with selinux-policy-targeted on 3 of 5 machines??
To: mikes@xxxxxxxx
Copies to: Community support for Fedora users <users@xxxxxxxxxxxxxxxxxxxxxxx>
Send reply to: Community support for Fedora users <users@xxxxxxxxxxxxxxxxxxxxxxx>

> On Thu, Sep 21, 2023 at 7:21 PM Michael D. Setzer II <mikes@xxxxxxxx> wrote:
> On 21 Sep 2023 at 16:23, Zdenek Pytela wrote:
>
> From: Zdenek Pytela <zpytela@xxxxxxxxxx>
> Date sent: Thu, 21 Sep 2023 16:23:01 +0200
> Subject: Re: Noticed Failed message with selinux-policy-targeted on 3 of 5 machines??
> To: mikes@xxxxxxxx
> Copies to: Community support for Fedora users <users@xxxxxxxxxxxxxxxxxxxxxxx>
> Send reply to: Community support for Fedora users <users@xxxxxxxxxxxxxxxxxxxxxxx>
>
> > On Thu, Sep 21, 2023 at 12:28 AM Michael D. Setzer II <mikes@xxxxxxxx> wrote:
> > On 20 Sep 2023 at 19:57, Zdenek Pytela wrote:
> >
> > From: Zdenek Pytela <zpytela@xxxxxxxxxx>
> > Date sent: Wed, 20 Sep 2023 19:57:31 +0200
> > Subject: Re: Noticed Failed message with selinux-policy-targeted on 3 of 5 machines??
> > To: mikes@xxxxxxxx, Community support for Fedora users <users@xxxxxxxxxxxxxxxxxxxxxxx>
> > Send reply to: Community support for Fedora users <users@xxxxxxxxxxxxxxxxxxxxxxx>
> >
> > > On Wed, Sep 20, 2023 at 8:25 AM Michael D. Setzer II via users <users@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
> > > In running dnf update on 5 machines noticed a fail message on 3 of 5?
> > > To double check ran dnf reinstall selinux* and get this on failing systems?
> > >
> > > Running transaction check
> > > Transaction check succeeded.
> > > Running transaction test
> > > Transaction test succeeded.
> > > Running transaction
> > > Running scriptlet: selinux-policy-minimum-38.28-1.fc38.noarch 1/1
> > > Running scriptlet: selinux-policy-targeted-38.28-1.fc38.noarch 1/1
> > > Preparing : 1/1
> > > Reinstalling : selinux-policy-38.28-1.fc38.noarch 1/8
> > > Running scriptlet : selinux-policy-38.28-1.fc38.noarch 1/8
> > > Running scriptlet : selinux-policy-minimum-38.28-1.fc38.noarch 2/8
> > > Reinstalling : selinux-policy-minimum-38.28-1.fc38.noarch 2/8
> > > Running scriptlet : selinux-policy-minimum-38.28-1.fc38.noarch 2/8
> > > Running scriptlet : selinux-policy-targeted-38.28-1.fc38.noarch 3/8
> > > Reinstalling : selinux-policy-targeted-38.28-1.fc38.noarch 3/8
> > > Running scriptlet : selinux-policy-targeted-38.28-1.fc38.noarch 3/8
> > > Failed to resolve allow statement at /var/lib/selinux/targeted/tmp/modules/200/container/cil:1186
> > > Failed to resolve AST
> > > /usr/sbin/semodule: Failed!
> > >
> > > Reinstalling : selinux-policy-devel-38.28-1.fc38.noarch 4/8
> > > Running scriptlet : selinux-policy-devel-38.28-1.fc38.noarch 4/8
> > > Cleanup : selinux-policy-devel-38.28-1.fc38.noarch 5/8
> > > Running scriptlet : selinux-policy-38.28-1.fc38.noarch 6/8
> > > Cleanup : selinux-policy-38.28-1.fc38.noarch 6/8
> > > Running scriptlet : selinux-policy-38.28-1.fc38.noarch 6/8
> > > Cleanup : selinux-policy-minimum-38.28-1.fc38.noarch 7/8
> > > Running scriptlet : selinux-policy-minimum-38.28-1.fc38.noarch 7/8
> > > Cleanup : selinux-policy-targeted-38.28-1.fc38.noarch 8/8
> > > Running scriptlet : selinux-policy-targeted-38.28-1.fc38.noarch 8/8
> > > Running scriptlet : selinux-policy-minimum-38.28-1.fc38.noarch 8/8
> > > Running scriptlet : selinux-policy-targeted-38.28-1.fc38.noarch 8/8
> > > Verifying : selinux-policy-38.28-1.fc38.noarch 1/8
> > > Verifying : selinux-policy-38.28-1.fc38.noarch 2/8
> > > Verifying : selinux-policy-devel-38.28-1.fc38.noarch 3/8
> > > Verifying : selinux-policy-devel-38.28-1.fc38.noarch 4/8
> > > Verifying : selinux-policy-minimum-38.28-1.fc38.noarch 5/8
> > > Verifying : selinux-policy-minimum-38.28-1.fc38.noarch 6/8
> > > Verifying : selinux-policy-targeted-38.28-1.fc38.noarch 7/8
> > > Verifying : selinux-policy-targeted-38.28-1.fc38.noarch 8/8
> > >
> > > Reinstalled:
> > > selinux-policy-38.28-1.fc38.noarch
> > > selinux-policy-devel-38.28-1.fc38.noarch
> > > selinux-policy-minimum-38.28-1.fc38.noarch
> > > selinux-policy-targeted-38.28-1.fc38.noarch
> > >
> > > Complete!
> > >
> > > Other day got a message about regex version not matching, and was told to
> > > reinstall container-selinux. That doesn't seem to fix issue.
> > > Did find changing to minimum option gets rid of the regex message?
> > > But why 2 of the machines seem to have no problem, but other 3 get same message?
> > >
> > > Michael,
> > >
> > > The update results may depend on other components or if some
> > > customizations are in place. What version is container-selinux?
> > >
> > > rpm -qa "selinux-policy*" "*-selinux"
> > >
> >
> > rpm -qa | grep selinux-policy
> > selinux-policy-38.28-1.fc38.noarch
> > selinux-policy-minimum-38.28-1.fc38.noarch
> > selinux-policy-devel-38.28-1.fc38.noarch
> > selinux-policy-doc-38.28-1.fc38.noarch
> > selinux-policy-targeted-38.28-1.fc38.noarch
> >
> > I wanted to see other packages, too. Maybe also
> >
> > semodule -lfull | grep -v ^100
> >
> > Noticed one machine that gets failed didn't have selinux-policy-doc
> > installed and installed it, then tried reinstalling all the
> > selinux-policy and still got error?
> > Failed to resolve allow statement at /var/lib/selinux/targeted/tmp/modules/200/container/cil:1186
> > Failed to resolve AST
> > /usr/sbin/semodule: Failed!
> > Files in that directory are
> > -rw-------. 1 root root 2 Sep 21 08:09 lang_ext
> > -rw-------. 1 root root 24411 Sep 21 08:09 hll
> > -rw-------. 1 root root 13487 Sep 21 08:09 cil
> >
> > The cil file is a binary file, so not sure what :1186 means?
> > that tmp directory doesn't exist on my notebook that doesn't have error?
> >
> > It's a temporary directory used for the policy rebuild. Try this:
> >
> > f39# file /var/lib/selinux/targeted/active/modules/200/container/cil
> > /var/lib/selinux/targeted/active/modules/200/container/cil: bzip2 compressed data, block size = 500k
> > f39# file -z /var/lib/selinux/targeted/active/modules/200/container/cil
> > /var/lib/selinux/targeted/active/modules/200/container/cil: ASCII text, with very long lines (446) (bzip2 compressed data, block size = 500k)
> > f39# bunzip2 </var/lib/selinux/targeted/active/modules/200/container/cil | sed -n '1180,1187p'
> >
> > What's in the output?
>
> (allow container_runtime_domain spc_t (netlink_crypto_socket (relabelfrom relabelto)))
> (allow container_runtime_domain spc_t (sctp_socket (relabelfrom relabelto)))
> (allow container_runtime_domain spc_t (icmp_socket (relabelfrom relabelto)))
> (allow container_runtime_domain spc_t (ax25_socket (relabelfrom relabelto)))
> (allow container_runtime_domain spc_t (ipx_socket (relabelfrom relabelto)))
> (allow container_runtime_domain spc_t (netrom_socket (relabelfrom relabelto)))
> (allow container_runtime_domain spc_t (bridge_socket (relabelfrom relabelto)))
> (allow container_runtime_domain spc_t (atmpvc_socket (relabelfrom relabelto)))
>
> It looks like you have quite an old container-selinux installed. (I already
> asked twice to confirm.)

All 5 machines show the same
container-selinux-2.221.1-1.fc38.noarch
So, why it works on some, but not others?

> > > set selinux to minimal on machines.
> >
> > Don't understand this.
>
> /usr/bin/python3 -Es /usr/share/system-config-selinux/system-config-selinux.py
> Under Status set to Permissive, Permissive, Minimum
> since Targeted was showing failed message.
>
> I'd never recommend using minimum policy to work around instead of
> resolving a problem.
>
> > > I cannot reproduce your problem using any updating path with the latest
> > > package versions.
>
> --
> Zdenek Pytela
> Security SELinux team

+------------------------------------------------------------+
Michael D. Setzer II - Computer Science Instructor (Retired)
mailto:mikes@xxxxxxxx
mailto:msetzerii@xxxxxxxxx
Guam - Where America's Day Begins
G4L Disk Imaging Project maintainer
http://sourceforge.net/projects/g4l/
+------------------------------------------------------------+
_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
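
The diagnostic step from the thread, where the cil file turns out to be bzip2-compressed text and the :1186 suffix is a line number in the decompressed text, as an added Python example that is not part of the original messages. The function names and the three-line sample module are constructed for illustration; on a real system the path would be the module's copy under active/, as in the commands above, since the tmp directory exists only during the policy rebuild.

```python
import bz2
import re
import tempfile
from pathlib import Path

ERR_RE = re.compile(r"Failed to resolve (\w+) statement at (\S+):(\d+)")
ALLOW_RE = re.compile(r"\(allow\s+(\S+)\s+(\S+)\s+\((\S+)\s+\(([^)]*)\)\)\)")

def parse_semodule_error(text):
    """Return (statement kind, module file, line number) from semodule output."""
    m = ERR_RE.search(text)
    if m is None:
        raise ValueError("no 'Failed to resolve ... statement at' line found")
    return m.group(1), m.group(2), int(m.group(3))

def read_cil(path):
    """Return the module's CIL as text lines, decompressing bzip2 if needed."""
    raw = Path(path).read_bytes()
    if raw.startswith(b"BZh"):  # bzip2 magic, which is why the file looks binary
        raw = bz2.decompress(raw)
    return raw.decode("utf-8", errors="replace").splitlines()

def statement_at(path, lineno):
    """Return the statement on 1-based line `lineno` (the ':1186' suffix)."""
    lines = read_cil(path)
    if not 1 <= lineno <= len(lines):
        raise IndexError(f"{path} has {len(lines)} lines, no line {lineno}")
    return lines[lineno - 1]

def allow_parts(stmt):
    """Split '(allow SRC TGT (CLASS (PERMS)))' into the names it refers to."""
    m = ALLOW_RE.fullmatch(stmt.strip())
    if m is None:
        return None  # not a simple allow rule
    src, tgt, cls, perms = m.groups()
    return {"source": src, "target": tgt, "class": cls, "perms": perms.split()}

def demo():
    # Constructed 3-line module, compressed like the store's copy; not real policy.
    cil = ("(typeattribute container_runtime_domain)\n(type spc_t)\n"
           "(allow container_runtime_domain spc_t "
           "(bridge_socket (relabelfrom relabelto)))\n")
    with tempfile.TemporaryDirectory() as d:
        path = Path(d) / "cil"
        path.write_bytes(bz2.compress(cil.encode()))
        kind, module, lineno = parse_semodule_error(f"Failed to resolve allow statement at {path}:3")
        return kind, allow_parts(statement_at(module, lineno))

if __name__ == "__main__":
    print(demo())
```

The names returned by `allow_parts` are the ones to look for when checking why a single rule does not resolve on one machine.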