Comments

1151 Comments

openQA updates all pass, indicating the upower bug is fixed and the gnome-software / flatpak thing is gone too.

BZ#1748997 UPower does not start due to inability to create /var/lib/upower

Update now contains a newer container-selinux, and should work.

OK, so I updated container-selinux's dependency on selinux-policy and bumped the update. Hopefully everything should work now, except possibly @aanno 's bug, but unless the update makes it worse, that's not a reason to -1 it. Please let us know if anyone still sees things worse than the previous stable policy.

Ah, seems to be the same issue we ran into earlier with F31 - FEDORA-2019-fefda9dd5e . Apparently a newer container-selinux is needed. @dwalsh

Ah, seems to be the same issue we ran into earlier with F31 - FEDORA-2019-fefda9dd5e . Apparently a newer container-selinux is needed. @dwalsh

Sorry, changing my feedback: this fixes 1748997, but introduces a new bug. It breaks GNOME Software by causing various denials for flatpak:

Dec 04 00:25:19 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[32060]: AVC avc:  denied  { mac_admin } for  pid=32060 comm="restorecon" capability=33  scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=capability2 permissive=0
Dec 04 00:25:19 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[32060]: AVC avc:  denied  { mac_admin } for  pid=32060 comm="restorecon" capability=33  scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=capability2 permissive=0
Dec 04 00:25:19 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[32060]: AVC avc:  denied  { mac_admin } for  pid=32060 comm="restorecon" capability=33  scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=capability2 permissive=0
Dec 04 00:25:19 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[32060]: AVC avc:  denied  { mac_admin } for  pid=32060 comm="restorecon" capability=33  scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=capability2 permissive=0
Dec 04 00:25:19 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[32060]: AVC avc:  denied  { mac_admin } for  pid=32060 comm="restorecon" capability=33  scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=capability2 permissive=0
Dec 04 00:25:19 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[32060]: AVC avc:  denied  { mac_admin } for  pid=32060 comm="restorecon" capability=33  scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=capability2 permissive=0
Dec 04 00:25:19 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[1]: USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=2)
Dec 04 00:25:19 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[731]: USER_AVC pid=731 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  received policyload notice (seqno=2)
Dec 04 00:25:19 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[1]: AVC avc:  denied  { signull } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=process permissive=0 trawcon="system_u:system_r:flatpak_helper_t:s0"
Dec 04 00:26:16 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[1]: AVC avc:  denied  { signull } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=process permissive=0 trawcon="system_u:system_r:flatpak_helper_t:s0"
Dec 04 00:26:26 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[1]: AVC avc:  denied  { signal } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=process permissive=0 trawcon="system_u:system_r:flatpak_helper_t:s0"
Dec 04 00:26:26 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[1]: AVC avc:  denied  { sigkill } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=process permissive=0 trawcon="system_u:system_r:flatpak_helper_t:s0"
Dec 04 00:26:26 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[1]: AVC avc:  denied  { sigkill } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=process permissive=0 trawcon="system_u:system_r:flatpak_helper_t:s0"
Dec 04 00:26:26 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[1]: AVC avc:  denied  { sigkill } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=process permissive=0 trawcon="system_u:system_r:flatpak_helper_t:s0"
Dec 04 00:26:26 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[1]: AVC avc:  denied  { sigkill } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=process permissive=0 trawcon="system_u:system_r:flatpak_helper_t:s0"
Dec 04 00:26:26 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[1]: AVC avc:  denied  { signal } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=process permissive=0 trawcon="system_u:system_r:flatpak_helper_t:s0"
Dec 04 00:26:26 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[1]: AVC avc:  denied  { sigkill } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=process permissive=0 trawcon="system_u:system_r:flatpak_helper_t:s0"
Dec 04 00:26:26 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[1]: AVC avc:  denied  { sigkill } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=process permissive=0 trawcon="system_u:system_r:flatpak_helper_t:s0"
Dec 04 00:26:26 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[1]: AVC avc:  denied  { sigkill } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=process permissive=0 trawcon="system_u:system_r:flatpak_helper_t:s0"
Dec 04 00:26:26 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[1]: AVC avc:  denied  { sigkill } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=process permissive=0 trawcon="system_u:system_r:flatpak_helper_t:s0"
Dec 04 00:26:27 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[731]: USER_AVC pid=731 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:flatpak_helper_t:s0 tclass=dbus permissive=0
Dec 04 00:26:27 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[731]: USER_AVC pid=731 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:flatpak_helper_t:s0 tclass=dbus permissive=0
Dec 04 00:26:27 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[2515]: AVC avc:  denied  { read } for  pid=2515 comm="gdbus" scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=unix_stream_socket permissive=0 srawcon="system_u:system_r:flatpak_helper_t:s0" trawcon="system_u:system_r:flatpak_helper_t:s0"
Dec 04 00:26:27 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[2515]: AVC avc:  denied  { search } for  pid=2515 comm="gdbus" name="/" dev="dm-0" ino=2 scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=0 srawcon="system_u:system_r:flatpak_helper_t:s0"
Dec 04 00:26:27 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[731]: USER_AVC pid=731 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:flatpak_helper_t:s0 tclass=dbus permissive=0
Dec 04 00:26:27 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[731]: USER_AVC pid=731 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:flatpak_helper_t:s0 tclass=dbus permissive=0
Dec 04 00:26:27 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[731]: USER_AVC pid=731 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:flatpak_helper_t:s0 tclass=dbus permissive=0
Dec 04 00:26:27 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[731]: USER_AVC pid=731 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:flatpak_helper_t:s0 tclass=dbus permissive=0
Dec 04 00:30:07 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[2361]: AVC avc:  denied  { execute } for  pid=2361 comm="(m-helper)" name="flatpak-system-helper" dev="dm-0" ino=424676 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 trawcon="system_u:object_r:flatpak_helper_exec_t:s0"

1748997 fix confirmed in openQA testing.

BZ#1748997 UPower does not start due to inability to create /var/lib/upower

I hereby endorse this code!

openQA test failures here are because this libdnf requires librepo 1.11.0 or later, but FEDORA-2019-7cafbe66ba (which contains librepo 1.11.0) hasn't gone stable yet, it's pending. I'll refire the tests after that goes stable.

per discussion in FEDORA-2019-fefda9dd5e , it would probably be a good idea to do a new build with a higher selinux-policy dependency and add that build to FEDORA-2019-fefda9dd5e rather than having two separate updates.

so @dwalsh , could you update container-selinux to depend on a newer selinux-policy , and then we can add the new container-selinux build to this update and obsolete FEDORA-2019-edc1551b22 ? thanks!

@lvrabec yes, I can test scratch builds. Just give me the link and I can fire it. @lslebodn , if you think this should be fixed by changing container-selinux, we need to confirm it with container-selinux devs and add a container-selinux build to this update...@dwalsh , ping on this?

The openQA update tests are strictly limited to the update in question: we start from a disk image built by virt-install, update it from the stable update repository, then add a repository containing only packages from the update. The openQA test fails consistently when run on this update, but passes when run on other updates. So the problem is definitely caused by this update, not by anything else.

This breaks gnome-software in openQA testing. Trying to install updates it just gets stuck at "Software catalog is being downloaded". The system journal shows quite a lot of AVCs, including ones for flatpak_helper_t which are probably the issue here:

[adamw@adam tmp]$ journalctl --file var/log/journal/574fce5929ad42c790052a6349619665/system.journal  | grep -i avc
Nov 22 08:48:35 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[32304]: AVC avc:  denied  { mac_admin } for  pid=32304 comm="restorecon" capability=33  scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=capability2 permissive=0
Nov 22 08:48:35 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[32304]: AVC avc:  denied  { mac_admin } for  pid=32304 comm="restorecon" capability=33  scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=capability2 permissive=0
Nov 22 08:48:35 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[32304]: AVC avc:  denied  { mac_admin } for  pid=32304 comm="restorecon" capability=33  scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=capability2 permissive=0
Nov 22 08:48:35 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[32304]: AVC avc:  denied  { mac_admin } for  pid=32304 comm="restorecon" capability=33  scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=capability2 permissive=0
Nov 22 08:48:35 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[32304]: AVC avc:  denied  { mac_admin } for  pid=32304 comm="restorecon" capability=33  scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=capability2 permissive=0
Nov 22 08:48:35 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[32304]: AVC avc:  denied  { mac_admin } for  pid=32304 comm="restorecon" capability=33  scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=capability2 permissive=0
Nov 22 08:48:35 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[32304]: AVC avc:  denied  { mac_admin } for  pid=32304 comm="restorecon" capability=33  scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=capability2 permissive=0
Nov 22 08:48:37 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[708]: USER_AVC pid=708 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  received policyload notice (seqno=2)
Nov 22 08:48:43 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[708]: USER_AVC pid=708 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:flatpak_helper_t:s0 tclass=dbus permissive=0
Nov 22 08:48:43 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[1]: AVC avc:  denied  { signal } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=process permissive=0 trawcon="system_u:system_r:flatpak_helper_t:s0"
Nov 22 08:48:43 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[1]: AVC avc:  denied  { sigkill } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=process permissive=0 trawcon="system_u:system_r:flatpak_helper_t:s0"
Nov 22 08:48:43 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[1]: AVC avc:  denied  { sigkill } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=process permissive=0 trawcon="system_u:system_r:flatpak_helper_t:s0"
Nov 22 08:48:43 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[1]: AVC avc:  denied  { sigkill } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=process permissive=0 trawcon="system_u:system_r:flatpak_helper_t:s0"
Nov 22 08:48:43 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[1]: AVC avc:  denied  { sigkill } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=process permissive=0 trawcon="system_u:system_r:flatpak_helper_t:s0"
Nov 22 08:48:43 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[1]: AVC avc:  denied  { sigkill } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=process permissive=0 trawcon="system_u:system_r:flatpak_helper_t:s0"
Nov 22 08:48:43 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[1]: AVC avc:  denied  { signal } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=process permissive=0 trawcon="system_u:system_r:flatpak_helper_t:s0"
Nov 22 08:48:43 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[1]: AVC avc:  denied  { sigkill } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=process permissive=0 trawcon="system_u:system_r:flatpak_helper_t:s0"
Nov 22 08:48:43 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[1]: AVC avc:  denied  { sigkill } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=process permissive=0 trawcon="system_u:system_r:flatpak_helper_t:s0"
Nov 22 08:48:43 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[1]: AVC avc:  denied  { sigkill } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=process permissive=0 trawcon="system_u:system_r:flatpak_helper_t:s0"
Nov 22 08:48:43 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[1]: AVC avc:  denied  { sigkill } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=process permissive=0 trawcon="system_u:system_r:flatpak_helper_t:s0"
Nov 22 08:48:43 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[1]: AVC avc:  denied  { sigkill } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=process permissive=0 trawcon="system_u:system_r:flatpak_helper_t:s0"
Nov 22 08:48:44 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[708]: USER_AVC pid=708 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:flatpak_helper_t:s0 tclass=dbus permissive=0
Nov 22 08:48:45 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[708]: USER_AVC pid=708 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for  scontext=system_u:system_r:policykit_t:s0 tcontext=system_u:system_r:flatpak_helper_t:s0 tclass=dbus permissive=0
Nov 22 08:48:45 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[2461]: AVC avc:  denied  { read } for  pid=2461 comm="gdbus" scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=unix_stream_socket permissive=0 srawcon="system_u:system_r:flatpak_helper_t:s0" trawcon="system_u:system_r:flatpak_helper_t:s0"
Nov 22 08:48:45 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[2461]: AVC avc:  denied  { search } for  pid=2461 comm="gdbus" name="/" dev="dm-0" ino=2 scontext=system_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=0 srawcon="system_u:system_r:flatpak_helper_t:s0"
Nov 22 08:50:17 ibm-p8-kvm-03-guest-02.virt.pnr.lab.eng.rdu2.redhat.com audit[1944]: AVC avc:  denied  { execute } for  pid=1944 comm="(m-helper)" name="flatpak-system-helper" dev="dm-0" ino=272205 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 trawcon="system_u:object_r:flatpak_helper_exec_t:s0"

This seems to be working well enough to go out.

Indeed, openQA tests passed this time.

karma

This update should NEVER BE PUSHED, it breaks dependencies if pushed alone and a newer dnf build is in this multi-package update.

yep, openQA runs into the same problem:

 Problem: package python3-requests-2.21.0-2.fc30.noarch requires python3.7dist(urllib3) < 1.25, but none of the providers can be installed
  - cannot install both python3-urllib3-1.25.7-1.fc30.noarch and python3-urllib3-1.24.3-2.fc30.noarch
  - cannot install both python3-urllib3-1.24.3-2.fc30.noarch and python3-urllib3-1.25.7-1.fc30.noarch
  - cannot install both python3-urllib3-1.24.1-3.fc30.noarch and python3-urllib3-1.25.7-1.fc30.noarch
  - cannot install the best update candidate for package python3-urllib3-1.24.3-2.fc30.noarch
  - cannot install the best update candidate for package python3-requests-2.21.0-2.fc30.noarch
karma

This breaks anaconda - an installer image built with this DNF fails to successfully complete an install, with this traceback:

08:02:48,050 CRT exception: Traceback (most recent call last):

  File "/usr/lib64/python3.7/site-packages/pyanaconda/threading.py", line 280, in run
    threading.Thread.run(self)

  File "/usr/lib64/python3.7/threading.py", line 870, in run
    self._target(*self._args, **self._kwargs)

  File "/usr/lib64/python3.7/site-packages/pyanaconda/installation.py", line 394, in run_installation
    queue.start()

  File "/usr/lib64/python3.7/site-packages/pyanaconda/installation_tasks.py", line 305, in start
    item.start()

  File "/usr/lib64/python3.7/site-packages/pyanaconda/installation_tasks.py", line 305, in start
    item.start()

  File "/usr/lib64/python3.7/site-packages/pyanaconda/installation_tasks.py", line 305, in start
    item.start()

  File "/usr/lib64/python3.7/site-packages/pyanaconda/installation_tasks.py", line 484, in start
    self.run_task()

  File "/usr/lib64/python3.7/site-packages/pyanaconda/installation_tasks.py", line 450, in run_task
    self._task(*self._task_args, **self._task_kwargs)

  File "/usr/lib64/python3.7/site-packages/pyanaconda/payload/dnfpayload.py", line 1404, in post_install
    self._base.close()

  File "/usr/lib/python3.7/site-packages/dnf/base.py", line 466, in close
    self._finalize_base()

  File "/usr/lib/python3.7/site-packages/dnf/base.py", line 445, in _finalize_base
    "'%s'."), "{prog} clean packages").format(prog=dnf.util.MAIN_PROG)

AttributeError: 'NoneType' object has no attribute 'format'
karma

This breaks anaconda - an installer image built with this DNF fails to successfully complete an install, with this traceback:

08:02:48,050 CRT exception: Traceback (most recent call last):

  File "/usr/lib64/python3.7/site-packages/pyanaconda/threading.py", line 280, in run
    threading.Thread.run(self)

  File "/usr/lib64/python3.7/threading.py", line 870, in run
    self._target(*self._args, **self._kwargs)

  File "/usr/lib64/python3.7/site-packages/pyanaconda/installation.py", line 394, in run_installation
    queue.start()

  File "/usr/lib64/python3.7/site-packages/pyanaconda/installation_tasks.py", line 305, in start
    item.start()

  File "/usr/lib64/python3.7/site-packages/pyanaconda/installation_tasks.py", line 305, in start
    item.start()

  File "/usr/lib64/python3.7/site-packages/pyanaconda/installation_tasks.py", line 305, in start
    item.start()

  File "/usr/lib64/python3.7/site-packages/pyanaconda/installation_tasks.py", line 484, in start
    self.run_task()

  File "/usr/lib64/python3.7/site-packages/pyanaconda/installation_tasks.py", line 450, in run_task
    self._task(*self._task_args, **self._task_kwargs)

  File "/usr/lib64/python3.7/site-packages/pyanaconda/payload/dnfpayload.py", line 1404, in post_install
    self._base.close()

  File "/usr/lib/python3.7/site-packages/dnf/base.py", line 466, in close
    self._finalize_base()

  File "/usr/lib/python3.7/site-packages/dnf/base.py", line 445, in _finalize_base
    "'%s'."), "{prog} clean packages").format(prog=dnf.util.MAIN_PROG)

AttributeError: 'NoneType' object has no attribute 'format'