Foreman RPM nightly pipeline failed:
https://ci.theforeman.org/job/foreman-nightly-rpm-pipeline/2423/
foreman-pipeline-foreman-rpm-nightly (failed) (remote job)
[2024-08-28T22:19:43.141Z] # time->Wed Aug 28 22:16:39 2024
[2024-08-28T22:19:43.141Z] # type=PROCTITLE msg=audit(1724883399.898:4974): proctitle=2F7573722F7362696E2F7365747365626F6F6C002D50002D4E00766972745F7573655F6E66733D3100766972745F73616E64626F785F7573655F616C6C5F636170733D31
[2024-08-28T22:19:43.141Z] # type=SYSCALL msg=audit(1724883399.898:4974): arch=c000003e syscall=189 success=no exit=-13 a0=558b9376fac0 a1=7f7f1b57b1c5 a2=558b938355b0 a3=26 items=0 ppid=44840 pid=44841 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4 comm="setsebool" exe="/usr/sbin/setsebool" subj=unconfined_u:unconfined_r:setsebool_t:s0-s0:c0.c1023 key=(null)
[2024-08-28T22:19:43.141Z] # type=AVC msg=audit(1724883399.898:4974): avc: denied { relabelfrom } for pid=44841 comm="setsebool" name="lang_ext" dev="vda1" ino=287058 scontext=unconfined_u:unconfined_r:setsebool_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:semanage_store_t:s0 tclass=file permissive=0
The proctitle here is
/usr/sbin/setsebool\x00-P\x00-N\x00virt_use_nfs=1\x00virt_sandbox_use_all_caps=1
Which we do not set, but oh well…
-libselinux-3.6-1.el9.x86_64
-libselinux-utils-3.6-1.el9.x86_64
-libsemanage-3.6-1.el9.x86_64
+libselinux-3.6-2.el9.x86_64
+libselinux-utils-3.6-2.el9.x86_64
+libsemanage-3.6-2.el9.x86_64
The virt_use_nfs comes from the %postinst of container-selinux, but that was not updated between the runs:
# rpm -q --scripts container-selinux
preinstall scriptlet (using /bin/sh):
if /usr/sbin/selinuxenabled; then
    if [ -e /etc/selinux/config ]; then
        . /etc/selinux/config
    fi
    _policytype=targeted
    if [ -z "${_policytype}" ]; then
        _policytype="targeted"
    fi
    if [ "${SELINUXTYPE}" = "${_policytype}" ]; then
        [ -f /var/lib/rpm-state/file_contexts.pre ] || cp -f /etc/selinux/${SELINUXTYPE}/contexts/files/file_contexts /var/lib/rpm-state/file_contexts.pre
    fi
fi
postinstall scriptlet (using /bin/sh):
# Install all modules in a single transaction
if [ $1 -eq 1 ]; then
    /usr/sbin/setsebool -P -N virt_use_nfs=1 virt_sandbox_use_all_caps=1
fi
export MODULES=""; for x in container; do MODULES+=/usr/share/selinux/packages/$x.pp.bz2; MODULES+=" "; done;
/usr/sbin/semodule -n -s targeted -r container 2> /dev/null
/usr/sbin/semodule -n -s targeted -d docker 2> /dev/null
/usr/sbin/semodule -n -s targeted -d gear 2> /dev/null
if [ -e /etc/selinux/config ]; then
    . /etc/selinux/config
fi
_policytype=targeted
if [ -z "${_policytype}" ]; then
    _policytype="targeted"
fi
if [ "${SELINUXTYPE}" = "${_policytype}" ]; then
    /usr/sbin/semodule -n -s ${_policytype} -X 200 -i $MODULES || :
    /usr/sbin/selinuxenabled && /usr/sbin/load_policy || :
fi
. /etc/selinux/config
sed -e "\|container_file_t|h; \${x;s|container_file_t||;{g;t};a\\" -e "container_file_t" -e "}" -i /etc/selinux/${SELINUXTYPE}/contexts/customizable_types > /dev/null 2>&1
matchpathcon -qV /var/lib/containers || restorecon -R /var/lib/containers &> /dev/null || :
postuninstall scriptlet (using /bin/sh):
if [ $1 -eq 0 ]; then
    if [ -e /etc/selinux/config ]; then
        . /etc/selinux/config
    fi
    _policytype=targeted
    if [ -z "${_policytype}" ]; then
        _policytype="targeted"
    fi
    if [ $1 -eq 0 ]; then
        if [ "${SELINUXTYPE}" = "${_policytype}" ]; then
            /usr/sbin/semodule -n -X 200 -s ${_policytype} -r container docker &> /dev/null || :
            /usr/sbin/selinuxenabled && /usr/sbin/load_policy || :
        fi
    fi
fi
posttrans scriptlet (using /bin/sh):
if [ -e /etc/selinux/config ]; then
    . /etc/selinux/config
fi
_policytype=targeted
if [ -z "${_policytype}" ]; then
    _policytype="targeted"
fi
if /usr/sbin/selinuxenabled && [ "${SELINUXTYPE}" = "${_policytype}" ]; then
    if [ -f /var/lib/rpm-state/file_contexts.pre ]; then
        /usr/sbin/fixfiles -C /var/lib/rpm-state/file_contexts.pre restore &> /dev/null
        rm -f /var/lib/rpm-state/file_contexts.pre
    fi
fi
#define license tag if not already defined
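The denial in the pipeline log above is one audit event of three records (PROCTITLE, SYSCALL, AVC) that share serial 4974, and the proctitle is only readable once its hex is decoded into NUL-separated argv, as was done by hand earlier in the thread. The following is an added example, not code from the thread, Foreman or forklift: it parses audit lines in that form (the Jenkins timestamp prefix is tolerated), joins the records by serial, decodes the proctitle, names the syscall and errno from the SYSCALL record, and prints the allow rule that audit2allow would produce. The sample input is the three records quoted above, embedded as constructed test data; the syscall table covers only the x86_64 xattr family (arch=c000003e: 188 setxattr, 189 lsetxattr, 190 fsetxattr), and the function names parse_audit, denials, te_rule and describe are my own. The rule is for triage only; in this case the correct fix was the selinux-policy rebuild, not a local policy module.

```python
"""Parse Linux audit records and summarize SELinux AVC denials.

Added example for this thread (not Foreman/forklift code). The sample is the
audit event quoted from the pipeline log, kept with its Jenkins prefix.
"""
import errno
import re

# Constructed sample: the three records of audit serial 4974 from the thread.
SAMPLE_AUDIT = """\
[2024-08-28T22:19:43.141Z] # type=PROCTITLE msg=audit(1724883399.898:4974): proctitle=2F7573722F7362696E2F7365747365626F6F6C002D50002D4E00766972745F7573655F6E66733D3100766972745F73616E64626F785F7573655F616C6C5F636170733D31
[2024-08-28T22:19:43.141Z] # type=SYSCALL msg=audit(1724883399.898:4974): arch=c000003e syscall=189 success=no exit=-13 a0=558b9376fac0 a1=7f7f1b57b1c5 a2=558b938355b0 a3=26 items=0 ppid=44840 pid=44841 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4 comm="setsebool" exe="/usr/sbin/setsebool" subj=unconfined_u:unconfined_r:setsebool_t:s0-s0:c0.c1023 key=(null)
[2024-08-28T22:19:43.141Z] # type=AVC msg=audit(1724883399.898:4974): avc: denied { relabelfrom } for pid=44841 comm="setsebool" name="lang_ext" dev="vda1" ino=287058 scontext=unconfined_u:unconfined_r:setsebool_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:semanage_store_t:s0 tclass=file permissive=0
"""

# Only the x86_64 (arch=c000003e) xattr syscalls, which is where relabel
# denials surface; any other number is reported as syscall_<nr>.
X86_64_SYSCALLS = {188: "setxattr", 189: "lsetxattr", 190: "fsetxattr"}

MSG_RE = re.compile(r"type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')
AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}")


def decode_proctitle(value):
    """auditd hex-encodes proctitle when it contains NUL or non-printables;
    the decoded bytes are argv joined by NUL. Quoted values are plain text."""
    if not value:
        return []
    if value.startswith('"'):
        return [value.strip('"')]
    try:
        raw = bytes.fromhex(value)
    except ValueError:
        return [value]
    return [arg.decode("utf-8", "replace") for arg in raw.split(b"\x00") if arg]


def parse_audit(text):
    """Group records by audit serial: {serial: {"SYSCALL": {...}, "AVC": [...]}}."""
    events = {}
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        rtype, ts, serial, rest = m.groups()
        fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
        ev = events.setdefault(serial, {"time": float(ts)})
        if rtype == "AVC":
            a = AVC_RE.search(rest)
            fields["verdict"] = a.group(1) if a else "unknown"
            fields["perms"] = a.group(2).split() if a else []
            ev.setdefault("AVC", []).append(fields)
        else:
            ev[rtype] = fields
    return events


def domain_of(ctx):
    """Type component of a user:role:type[:range] SELinux context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def denials(text):
    """One summary per AVC denial; syscall/errno come from the SYSCALL record
    of the same serial and argv from the PROCTITLE record."""
    out = []
    for serial, ev in sorted(parse_audit(text).items(), key=lambda kv: int(kv[0])):
        sc = ev.get("SYSCALL", {})
        nr = int(sc["syscall"]) if "syscall" in sc else None
        ex = int(sc["exit"]) if "exit" in sc else None
        if sc.get("arch") == "c000003e" and nr in X86_64_SYSCALLS:
            syscall = X86_64_SYSCALLS[nr]
        else:
            syscall = f"syscall_{nr}"
        err = errno.errorcode.get(-ex, str(ex)) if ex is not None and ex < 0 else str(ex)
        for avc in ev.get("AVC", []):
            if avc["verdict"] != "denied":
                continue
            out.append({
                "serial": serial,
                "argv": decode_proctitle(ev.get("PROCTITLE", {}).get("proctitle", "")),
                "comm": avc.get("comm"),
                "perms": avc["perms"],
                "scontext": avc.get("scontext", ""),
                "tcontext": avc.get("tcontext", ""),
                "tclass": avc.get("tclass"),
                "target": avc.get("name"),
                "syscall": syscall,
                "errno": err,
                "enforcing": avc.get("permissive") == "0",
            })
    return out


def te_rule(d):
    """The allow rule audit2allow would emit for this denial (triage aid only)."""
    perms = d["perms"][0] if len(d["perms"]) == 1 else "{ " + " ".join(d["perms"]) + " }"
    return f'allow {domain_of(d["scontext"])} {domain_of(d["tcontext"])}:{d["tclass"]} {perms};'


def describe(d):
    mode = "enforcing" if d["enforcing"] else "permissive"
    return (f'{d["serial"]}: {domain_of(d["scontext"])} denied {" ".join(d["perms"])} on '
            f'{domain_of(d["tcontext"])} {d["tclass"]} "{d["target"]}" '
            f'({d["syscall"]} -> {d["errno"]}, {mode}); argv: {" ".join(d["argv"])}')


if __name__ == "__main__":
    for d in denials(SAMPLE_AUDIT):
        print(describe(d))
        print("  " + te_rule(d))
```

Run on the sample it reports that setsebool_t was denied relabelfrom on a semanage_store_t file named lang_ext via lsetxattr returning EACCES in enforcing mode, with the full `setsebool -P -N virt_use_nfs=1 virt_sandbox_use_all_caps=1` command line recovered from the proctitle, which is exactly what the container-selinux %post runs on first install.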
This is https://issues.redhat.com/browse/RHEL-56109 aka https://issues.redhat.com/browse/RHEL-55414 (private)
If I am reading things correctly, the fix is prepared in * Thu Aug 29 2024 Zdenek Pytela <zpytela@redhat.com> - 38.1.45-1 (!145) · Merge requests · Red Hat / centos-stream / rpms / selinux-policy · GitLab
I’ve opened workaround for broken libsemanage on CentOS Stream 9 by evgeni · Pull Request #1849 · theforeman/forklift · GitHub to work around this issue for now
An ugly hack never comes alone…
selinux-policy-38.1.45-2.el9 | Build Info | CentOS Stream BuildSys is out, which should fix it.
But it’s not yet on the mirrors.