I confirm that this update solves the problems.

• "dnf upgrade" doesn't show scriptlet error as before.
• SELinux fcontext are correct after update, e.g. in /etc/usbguard/ .
• setroubleshoot doesn't run a process that consumes nearly 100% cpu.

Thanks!

I have the same problem like @cmorris after updating selinux-policy* to 41.31-1.fc41

I have reinstalled usbguard-selinux and flatpak-selinux as suggested by fives, it seams to fix the problem.

Before: There seams no fcontext rules for /etc/usbguard available:

semanage fcontext -l |grep usbguard

ll -dZ /etc/usbguard

drwxr-xr-x. 4 root root system_u:object_r:unlabeled_t:s0 4096 15. Dez 02:00 /etc/usbguard

ll -Z /etc/usbguard

insgesamt 16 drwxr-xr-x. 2 root root system_u:object_r:unlabeled_t:s0 4096 20. Jul 2024 IPCAccessControl.d -rw-------. 1 root root system_u:object_r:unlabeled_t:s0 0 20. Jul 2024 rules.conf drwxr-xr-x. 2 root root system_u:object_r:unlabeled_t:s0 4096 20. Jul 2024 rules.d -rw-------. 1 root root system_u:object_r:unlabeled_t:s0 5366 20. Jul 2024 usbguard-daemon.conf

restorecon -rv /etc

restorecon: Could not set context for /etc/sysconfig/snapd: Invalid argument restorecon: Could not set context for /etc/smartmontools/smartd_warning.sh: Invalid argument Relabeled /etc/lvm/devices/system.devices from system_u:object_r:lvm_metadata_t:s0 to system_u:object_r:lvm_etc_t:s0 Relabeled /etc/lvm/devices/backup/system.devices-20250109.053811.0004 from system_u:object_r:lvm_metadata_t:s0 to system_u:object_r:lvm_etc_t:s0 restorecon: Could not set context for /etc/usbguard: Invalid argument restorecon: Could not set context for /etc/usbguard/IPCAccessControl.d: Invalid argument restorecon: Could not set context for /etc/usbguard/rules.conf: Invalid argument restorecon: Could not set context for /etc/usbguard/rules.d: Invalid argument restorecon: Could not set context for /etc/usbguard/usbguard-daemon.conf: Invalid argument

Reinstalling flatpak-selinux has errors in scriptlet:

Fertiggestellt post-install scriptlet: flatpak-selinux-0:1.16.0-1.fc41.noarch Scriptlet Ausgabe: Problems processing filecon rules Failed post db handling Post process failed semodule: Failed!

Reinstalling usbguard-selinux runs /usr/sbin/fixfiles (...) by scriptlet.

After: SELinux fcontext rules are available again:

semanage fcontext -l|grep usbguard

/dev/shm/qb-usbguard-. regular file system_u:object_r:usbguard_tmpfs_t:s0 /etc/usbguard(/.)? all files system_u:object_r:usbguard_conf_t:s0 /etc/usbguard/rules.conf regular file system_u:object_r:usbguard_rules_t:s0 /etc/usbguard/rules.d(/.)? all files system_u:object_r:usbguard_rules_t:s0 /run/usbguard. regular file system_u:object_r:usbguard_var_run_t:s0 /usr/bin/usbguard-daemon regular file system_u:object_r:usbguard_exec_t:s0 /usr/bin/usbguard-dbus regular file system_u:object_r:usbguard_exec_t:s0 /usr/lib/systemd/system/usbguard. regular file system_u:object_r:usbguard_unit_file_t:s0 /usr/sbin/usbguard-daemon regular file system_u:object_r:usbguard_exec_t:s0 /usr/sbin/usbguard-dbus regular file system_u:object_r:usbguard_exec_t:s0 /var/log/usbguard(/.)? all files system_u:object_r:usbguard_log_t:s0

ll -Za /etc/usbguard/

insgesamt 40 drwxr-xr-x. 4 root root system_u:object_r:usbguard_conf_t:s0 4096 15. Dez 02:00 . drwxr-xr-x. 337 root root system_u:object_r:etc_t:s0 20480 4. Feb 01:21 .. drwxr-xr-x. 2 root root system_u:object_r:usbguard_conf_t:s0 4096 20. Jul 2024 IPCAccessControl.d -rw-------. 1 root root system_u:object_r:usbguard_rules_t:s0 0 20. Jul 2024 rules.conf drwxr-xr-x. 2 root root system_u:object_r:usbguard_rules_t:s0 4096 20. Jul 2024 rules.d -rw-------. 1 root root system_u:object_r:usbguard_conf_t:s0 5366 20. Jul 2024 usbguard-daemon.conf

There was also a problem with some files in /usr/bin and /usr/sbin, which also got fcontext unlabeled_t after installing selinux-policy*41.31-1.fc41. After reinstalling usbguard-selinux and flatpak-selinux this seams also fixed.

ll -Z /usr/bin/ceph-mds

-rwxr-xr-x. 1 root root system_u:object_r:ceph_exec_t:s0 8765432 25. Nov 01:00 /usr/bin/ceph-mds

From /var/log/dnf5.log:

/var/log/dnf5.log:2025-02-03T23:47:31+0000 [1721117] INFO [scriptlet] /usr/sbin/restorecon: Could not set context for /usr/bin/ceph-mds: Invalid argument /var/log/dnf5.log:2025-02-03T23:47:31+0000 [1721117] INFO [scriptlet] /usr/sbin/restorecon: Could not set context for /usr/bin/ceph-fuse: Invalid argument /var/log/dnf5.log:2025-02-03T23:47:31+0000 [1721117] INFO [scriptlet] /usr/sbin/restorecon: Could not set context for /usr/bin/ceph-mon: Invalid argument /var/log/dnf5.log:2025-02-03T23:47:31+0000 [1721117] INFO [scriptlet] /usr/sbin/restorecon: Could not set context for /usr/bin/lxc-usernsexec: Invalid argument /var/log/dnf5.log:2025-02-03T23:47:32+0000 [1721117] INFO [scriptlet] /usr/sbin/restorecon: Could not set context for /usr/bin/lxc-wait: Invalid argument /var/log/dnf5.log:2025-02-03T23:47:32+0000 [1721117] INFO [scriptlet] /usr/sbin/restorecon: Could not set context for /usr/bin/lxc-snapshot: Invalid argument /var/log/dnf5.log:2025-02-03T23:47:32+0000 [1721117] INFO [scriptlet] /usr/sbin/restorecon: Could not set context for /usr/bin/docker-compose: Invalid argument /var/log/dnf5.log:2025-02-03T23:47:32+0000 [1721117] INFO [scriptlet] /usr/sbin/restorecon: Could not set context for /usr/bin/swtpm: Invalid argument /var/log/dnf5.log:2025-02-03T23:47:32+0000 [1721117] INFO [scriptlet] /usr/sbin/restorecon: Could not set context for /usr/bin/crun: Invalid argument /var/log/dnf5.log:2025-02-03T23:47:32+0000 [1721117] INFO [scriptlet] /usr/sbin/restorecon: Could not set context for /usr/bin/lxc-checkconfig: Invalid argument /var/log/dnf5.log:2025-02-03T23:47:32+0000 [1721117] INFO [scriptlet] /usr/sbin/restorecon: Could not set context for /usr/bin/lxc-monitor: Invalid argument /var/log/dnf5.log:2025-02-03T23:47:32+0000 [1721117] INFO [scriptlet] /usr/sbin/restorecon: Could not set context for /usr/bin/lxc-device: Invalid argument /var/log/dnf5.log:2025-02-03T23:47:32+0000 [1721117] INFO [scriptlet] /usr/sbin/restorecon: Could not set context for /usr/bin/fail2ban-server: Invalid argument /var/log/dnf5.log:2025-02-03T23:47:32+0000 [1721117] INFO [scriptlet] /usr/sbin/restorecon: Could not set context for /usr/bin/lxc-top: Invalid argument /var/log/dnf5.log:2025-02-03T23:47:32+0000 [1721117] INFO [scriptlet] /usr/sbin/restorecon: Could not set context for /usr/bin/passt.avx2: Invalid argument /var/log/dnf5.log:2025-02-03T23:47:33+0000 [1721117] INFO [scriptlet] /usr/sbin/restorecon: Could not set context for /usr/bin/lxc-stop: Invalid argument /var/log/dnf5.log:2025-02-03T23:47:33+0000 [1721117] INFO [scriptlet] /usr/sbin/restorecon: Could not set context for /usr/bin/lxc-cgroup: Invalid argument /var/log/dnf5.log:2025-02-03T23:47:33+0000 [1721117] INFO [scriptlet] /usr/sbin/restorecon: Could not set context for /usr/bin/lxc-destroy: Invalid argument /var/log/dnf5.log:2025-02-03T23:47:33+0000 [1721117] INFO [scriptlet] /usr/sbin/restorecon: Could not set context for /usr/bin/snap: Invalid argument /var/log/dnf5.log:2025-02-03T23:47:33+0000 [1721117] INFO [scriptlet] /usr/sbin/restorecon: Could not set context for /usr/bin/lxc-execute: Invalid argument /var/log/dnf5.log:2025-02-03T23:47:33+0000 [1721117] INFO [scriptlet] /usr/sbin/restorecon: Could not set context for /usr/bin/podman: Invalid argument /var/log/dnf5.log:2025-02-03T23:47:33+0000 [1721117] INFO [scriptlet] /usr/sbin/restorecon: Could not set context for /usr/bin/lxc-console: Invalid argument /var/log/dnf5.log:2025-02-03T23:47:33+0000 [1721117] INFO [scriptlet] /usr/sbin/restorecon: Could not set context for /usr/bin/passt: Invalid argument /var/log/dnf5.log:2025-02-03T23:47:34+0000 [1721117] INFO [scriptlet] /usr/sbin/restorecon: Could not set context for /usr/bin/ceph-mgr: Invalid argument /var/log/dnf5.log:2025-02-03T23:47:34+0000 [1721117] INFO [scriptlet] /usr/sbin/restorecon: Could not set context for /usr/bin/lxc-update-config: Invalid argument /var/log/dnf5.log:2025-02-03T23:47:34+0000 [1721117] INFO [scriptlet] /usr/sbin/restorecon: Could not set context for /usr/bin/fail2ban-client: Invalid argument /var/log/dnf5.log:2025-02-03T23:47:34+0000 [1721117] INFO [scriptlet] /usr/sbin/restorecon: Could not set context for /usr/bin/lxc-info: Invalid argument /var/log/dnf5.log:2025-02-03T23:47:34+0000 [1721117] INFO [scriptlet] /usr/sbin/restorecon: Could not set context for /usr/bin/lxc-unshare: Invalid argument /var/log/dnf5.log:2025-02-03T23:47:34+0000 [1721117] INFO [scriptlet] /usr/sbin/restorecon: Could not set context for /usr/bin/lxc-config: Invalid argument /var/log/dnf5.log:2025-02-03T23:47:34+0000 [1721117] INFO [scriptlet] /usr/sbin/restorecon: Could not set context for /usr/bin/lxc-freeze: Invalid argument /var/log/dnf5.log:2025-02-03T23:47:34+0000 [1721117] INFO [scriptlet] /usr/sbin/restorecon: Could not set context for /usr/bin/ceph-osd: Invalid argument /var/log/dnf5.log:2025-02-03T23:47:34+0000 [1721117] INFO [scriptlet] /usr/sbin/restorecon: Could not set context for /usr/bin/lxc-checkpoint: Invalid argument /var/log/dnf5.log:2025-02-03T23:47:34+0000 [1721117] INFO [scriptlet] /usr/sbin/restorecon: Could not set context for /usr/bin/docker: Invalid argument /var/log/dnf5.log:2025-02-03T23:47:34+0000 [1721117] INFO [scriptlet] /usr/sbin/restorecon: Could not set context for /usr/bin/lxc-attach: Invalid argument /var/log/dnf5.log:2025-02-03T23:47:34+0000 [1721117] INFO [scriptlet] /usr/sbin/restorecon: Could not set context for /usr/bin/lxc-unfreeze: Invalid argument /var/log/dnf5.log:2025-02-03T23:47:35+0000 [1721117] INFO [scriptlet] /usr/sbin/restorecon: Could not set context for /usr/bin/lxc-ls: Invalid argument /var/log/dnf5.log:2025-02-03T23:47:35+0000 [1721117] INFO [scriptlet] /usr/sbin/restorecon: Could not set context for /usr/bin/conmon: Invalid argument /var/log/dnf5.log:2025-02-03T23:47:35+0000 [1721117] INFO [scriptlet] /usr/sbin/restorecon: Could not set context for /usr/bin/lxc-copy: Invalid argument /var/log/dnf5.log:2025-02-03T23:47:35+0000 [1721117] INFO [scriptlet] /usr/sbin/restorecon: Could not set context for /usr/bin/lxc-start: Invalid argument /var/log/dnf5.log:2025-02-03T23:47:35+0000 [1721117] INFO [scriptlet] /usr/sbin/restorecon: Could not set context for /usr/bin/buildah: Invalid argument /var/log/dnf5.log:2025-02-03T23:47:35+0000 [1721117] INFO [scriptlet] /usr/sbin/restorecon: Could not set context for /usr/bin/pasta: Invalid argument /var/log/dnf5.log:2025-02-03T23:47:35+0000 [1721117] INFO [scriptlet] /usr/sbin/restorecon: Could not set context for /usr/bin/lxc-create: Invalid argument /var/log/dnf5.log:2025-02-03T23:47:35+0000 [1721117] INFO [scriptlet] /usr/sbin/restorecon: Could not set context for /usr/bin/lxc-autostart: Invalid argument /var/log/dnf5.log:2025-02-03T23:47:35+0000 [1721117] INFO [scriptlet] /usr/sbin/restorecon: Could not set context for /usr/bin/pasta.avx2: Invalid argument /var/log/dnf5.log:2025-02-03T23:47:35+0000 [1721117] INFO [scriptlet] /usr/sbin/restorecon: Could not set context for /usr/sbin/usbguard-daemon: Invalid argument /var/log/dnf5.log:2025-02-03T23:47:35+0000 [1721117] INFO [scriptlet] /usr/sbin/restorecon: Could not set context for /usr/sbin/vncsession: Invalid argument /var/log/dnf5.log:2025-02-03T23:47:35+0000 [1721117] INFO [scriptlet] /usr/sbin/restorecon: Could not set context for /usr/sbin/nbdkit: Invalid argument /var/log/dnf5.log:2025-02-03T23:47:36+0000 [1721117] INFO [scriptlet] /usr/sbin/restorecon: Could not set context for /usr/sbin/usbguard-daemon: Invalid argument

Thank you for build the new version. It works as it should.

@markec If you upgrade a package, then the post-uninstall scriptlet that runs is that from the "old" package. This is the reason why you see the warning messages. The "new" package has the problem fixed, and you don't see those messages from the install and update scriptlets from the "new" package. If another (next) update occur, then the post-uninstall scriptlet of the current "new" package (which is the "old" for the next update) is run, which has fixed the problem.

Works for me.

Works on our servers and workstations.

Works for me.

Works without problems. I also wonder about the release numbering. I would have expected 5.fc40 instead of 1.fc40.4 . It seams to me that only openssh uses this numbering schema.

Works on our systems. (Download from koji.)

Works on our systems. (Download from koji.)

Works for me.

Update: gnome-shell uses 100% cpu again now. But I found no regression otherwise.

Works for me. gnome-shell hasn't used 100% cpu since this update. (Before, I had to reboot my workstation after some days because gnome-shell has used 100% cpu. But there was no usable error message in the system logs. I'm unsure if there is a bug report for this.)

Work on our workstations and server. But bug 2282287 still exists.

This update solves the selinux problem on /run/fail2ban/ described in bug 2279054. Thanks for the update!