166 Comments
Transaction test error:
  file /usr/share/themes/Yaru-dark/gnome-shell from install of gnome-shell-theme-yaru-20.04.6-1.fc32.noarch
  conflicts with file from package gnome-shell-theme-yaru-19.10.4-1.20191118git1937b28.fc32.noarch

WOW! Sorry!

It seems I mistakenly updated this on FC32 ))

Updated from selinux-policy-3.14.5-36 and this time everything was OK

# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      32

$ podman search fedora
INDEX               NAME                                            DESCRIPTION                                       STARS   OFFICIAL   AUTOMATED
fedoraproject.org   registry.fedoraproject.org/f29/fedora-toolbox                                                     0                  
fedoraproject.org   registry.fedoraproject.org/f30/fedora-toolbox                                                     0                  
fedoraproject.org   registry.fedoraproject.org/f31/fedora-toolbox                                                     0                  
fedoraproject.org   registry.fedoraproject.org/f32/fedora-toolbox                                                     0                  
fedoraproject.org   registry.fedoraproject.org/f33/fedora-toolbox                                                     0                  
fedoraproject.org   registry.fedoraproject.org/fedora                                                                 0                  
fedoraproject.org   registry.fedoraproject.org/fedora-minimal                                                         0                  
docker.io           docker.io/library/fedora                        Official Docker builds of Fedora                  866     [OK]       
docker.io           docker.io/mattsch/fedora-nzbhydra               Fedora NZBHydra                                   5                  [OK]
docker.io           docker.io/smartentry/fedora                     fedora with smartentry                            0                  [OK]
docker.io           docker.io/mattsch/fedora-sonarr                 Fedora Sonarr                                     0                  [OK]
docker.io           docker.io/ovirtguestagent/fedora-atomic         The oVirt Guest Agent for Fedora Atomic Host...   0                  
docker.io           docker.io/darksheer/fedora23                    Hourly updated Fedora 23                          1                  [OK]
docker.io           docker.io/fedora/apache                                                                           36                 [OK]
docker.io           docker.io/darksheer/fedora22                    Base Fedora 22 Image -- Updated hourly            3                  [OK]
docker.io           docker.io/darksheer/fedora                      Hourly update latest Fedora Image                 1                  [OK]
docker.io           docker.io/darksheer/fedora24                    Hourly update Fedora 24                           1                  [OK]
docker.io           docker.io/vbatts/fedora-varnish                 https://github.com/vbatts/laughing-octo/tree...   2                  [OK]
docker.io           docker.io/darksheer/fedora25                    Hourly updated Fedora 24 Docker Hub Image         1                  [OK]
docker.io           docker.io/vergissberlin/fedora-development      Docker fedora image to use for development, ...   2                  [OK]
docker.io           docker.io/mattsch/fedora-nzbhydra2              Fedora NZBHydra2 (Java based)                     0                  [OK]
docker.io           docker.io/amd64/fedora                          Official Docker builds of Fedora                  0                  
docker.io           docker.io/rhub/fedora-gcc-devel                 R-devel on Fedora latest                          0                  
docker.io           docker.io/dokken/fedora-latest                  fedora-latest image for kitchen-dokken            0                  
docker.io           docker.io/arm64v8/fedora                        Official Docker builds of Fedora                  1                  
docker.io           docker.io/ppc64le/fedora                        Official Docker builds of Fedora                  1                  
docker.io           docker.io/rhub/fedora-clang-devel               R-devel on Fedora latest, with clang and gfo...   0                  
docker.io           docker.io/langdon/fedora-mssqlserver            Microsoft SQL Server running on Fedora. You ...   0                  [OK]
docker.io           docker.io/embreedocker/fedora                   Automated build of Fedora Docker images for ...   0                  [OK]
docker.io           docker.io/vcatechnology/fedora                  A Fedora image that is updated daily              0                  [OK]
docker.io           docker.io/arm32v7/fedora                        Official Docker builds of Fedora                  3                  
docker.io           docker.io/fedora/nginx                                                                            20                 [OK]

rpm -qa | grep container-selinux
container-selinux-2.131.0-1.fc32.noarch


rpm -qa | grep selinux-policy
selinux-policy-3.14.5-36.fc32.noarch
selinux-policy-minimum-3.14.5-36.fc32.noarch
selinux-policy-targeted-3.14.5-36.fc32.noarch

I do not use containers much. Right now I launched HandBrake via bwrap and everything went OK.

As for me, I created semodule on the fly for restorecon, but waited for about an hour for selinux-policy-targeted scriptlet to finish and forcibly interrupted the process. Then I manually cleaned up undeleted versions of upgraded packages and performed touch /.autorelabel. So at the moment I have the latest versions of selinux-policy & container-selinux installed.

@sedrubal

To avoid downgrading, it can work out by executing touch /.autorelabel after manually cleaning up the undeleted previous versions of packages :)

I did something similar too, but without a rollback to the previous version.

It would be worth scriptletting update to execute touch /.autorelabel during the next reboot instead of starting restorecon.

Update is holding over on running scriptlet selinux-policy-targeted-3.14.5-36.fc32.noarch

SELinux is preventing restorecon from using the mac_admin capability.

Additional Information:
Source Context                unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c102
                          3
Target Context                unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c102
                          3
Target Objects                Unknown [ capability2 ]
Source                        restorecon
Source Path                   restorecon
Port                          <Unknown>
Host                          localhost
Local Policy RPM              selinux-policy-targeted-3.14.5-34.fc32.noarch
                          selinux-policy-targeted-3.14.5-36.fc32.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     localhost
Platform                      Linux 5.6.2 #1 SMP Thu
                          Apr 2 23:50:41 EEST 2020 x86_64 x86_64
Alert Count                   1
First Seen                    2020-04-09 23:41:01 EEST
Last Seen                     2020-04-09 23:41:01 EEST

Raw Audit Messages
type=AVC msg=audit(1586464861.926:256): avc:  denied  { mac_admin } for  pid=29605 comm="restorecon" capability=33  scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=capability2 permissive=0


Hash: restorecon,setfiles_t,setfiles_t,capability2,mac_admin

ERROR: Can't open /var/log/freshclam.log in append mode (check permissions!).
ERROR: Problem with internal logger (UpdateLogFile = /var/log/freshclam.log).
ERROR: initialize: libfreshclam init failed.
ERROR: Initialization error!

Transactions go through only after --exclude avogadro2-libs

@sagitter

It has not pulled up for a few weeks and dnf does not respond to --allowerasing --best --skip-broken

Transaction test error:
  file /usr/lib64/avogadro2/scripts from install of avogadro2-libs-1.93.0-3.fc32.x86_64
  conflicts with file from package avogadro2-libs-1.93.0-1.fc32.x86_64

Some omissible errors with FAT32 UEFI partition:

error: lsetfilecon: (/boot/efi/EFI/fedora, system_u:object_r:boot_t:s0) Operation not supported

error: lsetfilecon: (/boot/efi/EFI/fedora/fonts, system_u:object_r:boot_t:s0) Operation not supported
error: lsetfilecon: (/boot/efi/EFI/fedora/grubx64.efi;5e1d7551, system_u:object_r:boot_t:s0) Operation not supported

Transaction test error:
  file /usr/share/locale/en_GB/LC_MESSAGES/libkicker.mo from install of plasma-workspace-5.17.3-1.fc31.x86_64
  conflicts with file from package kde-i18n-British-1:3.5.10-30.fc31.noarch
  file /usr/share/locale/fr/LC_MESSAGES/libkicker.mo from install of plasma-workspace-5.17.3-1.fc31.x86_64
  conflicts with file from package kde-i18n-French-1:3.5.10-30.fc31.noarch
  file /usr/share/locale/ru/LC_MESSAGES/libkicker.mo from install of plasma-workspace-5.17.3-1.fc31.x86_64
  conflicts with file from package kde-i18n-Russian-1:3.5.10-30.fc31.noarch
  file /usr/share/locale/uk/LC_MESSAGES/libkicker.mo from install of plasma-workspace-5.17.3-1.fc31.x86_64
  conflicts with file from package kde-i18n-Ukrainian-1:3.5.10-30.fc31.noarch


Transaction test error:
  file /usr/share/color-schemes/Oxygen.colors from install of qt5-style-oxygen-5.17.3-1.fc31.x86_64
  conflicts with file from package plasma-desktop-5.16.5-1.fc31.x86_64
  file /usr/share/color-schemes/OxygenCold.colors from install of qt5-style-oxygen-5.17.3-1.fc31.x86_64
  conflicts with file from package plasma-desktop-5.16.5-1.fc31.x86_64

Works well here

Works on my x86_64, but dnf outputs some complaints during installation:

error: lsetfilecon: (/boot/efi/EFI/fedora/fonts, system_u:object_r:boot_t:s0) Operation not supported
error: lsetfilecon: (/boot/efi/EFI/fedora/grubx64.efi;5d9ba597, system_u:object_r:boot_t:s0) Operation not supported

 Problem 2: package python3-upt-pypi-0.4-1.fc31.noarch requires upt, but none of the providers can be installed
  - package python3-upt-pypi-0.4-1.fc31.noarch requires python3.7dist(upt) >= 0.9, but none of the providers can be installed
  - conflicting requests
  - nothing provides python3-spdx-lookup needed by upt-0.10.3-1.fc31.noarch
  - nothing provides python3.7dist(spdx-lookup) needed by upt-0.10.3-1.fc31.noarch
 Problem 1: conflicting requests
  - nothing provides python3-spdx-lookup needed by upt-0.10.3-1.fc31.noarch
  - nothing provides python3.7dist(spdx-lookup) needed by upt-0.10.3-1.fc31.noarch