Comment # 5 on bug 1233738 from Joe S
(In reply to Johannes Segitz from comment #4)
> https://build.opensuse.org/package/show/home:jsegitz:branches:security:SELinux_bsc1233738_6/selinux-policy
> 
> will contain the fix (once it builds)

Hi Johannes,

Thanks for taking a look at this.

Sorry for the delay, I have been sick in bed the last few days.

Here's the console log of trying to install the rpm
---------------------------------------------------

zypper -v install /tmp/selinux-policy-20241118-308.1.noarch.rpm

Verbosity: 2
Non-option program arguments: '/tmp/selinux-policy-20241118-308.1.noarch.rpm'
'/tmp/selinux-policy-20241118-308.1.noarch.rpm' looks like an RPM file. Will
try to download it.
Initializing Target
Checking whether to refresh metadata for google-chrome
Retrieving: repomd.xml
...........................................................................................................................................................................................................................[done]
Checking whether to refresh metadata for openSUSE-Tumbleweed-Non-Oss (20241119)
Retrieving: repomd.xml
...............................................................................................................................................................................................................[done
(1.1 KiB/s)]
Checking whether to refresh metadata for Open H.264 Codec (openSUSE Tumbleweed)
Retrieving: repomd.xml
.................................................................................................................................................................................................................[done
(242 B/s)]
Checking whether to refresh metadata for openSUSE-Tumbleweed-Oss (20241119)
Retrieving: repomd.xml
...............................................................................................................................................................................................................[done
(1.1 KiB/s)]
Checking whether to refresh metadata for openSUSE-Tumbleweed-Update
Retrieving: repomd.xml
...............................................................................................................................................................................................................[done
(1.1 KiB/s)]
Checking whether to refresh metadata for Plain RPM files cache
Loading repository data...
Reading installed packages...
Selecting 'selinux-policy-20241118-308.1.noarch' from repository 'Plain RPM
files cache' for installation.
Resolving package dependencies...
Force resolution: No

Problem: 1: the installed selinux-policy-targeted-20241105-1.1.noarch requires
'selinux-policy = 20241105-1.1', but this requirement cannot be provided
 Solution 1: Following actions will be done:
  deinstallation of selinux-policy-targeted-20241105-1.1.noarch
  deinstallation of patterns-base-selinux-20200505-59.1.x86_64
  deinstallation of container-selinux-2.232.1-1.2.noarch
 Solution 2: do not install selinux-policy-20241118-308.1.noarch
 Solution 3: break selinux-policy-targeted-20241105-1.1.noarch by ignoring some
of its dependencies

Choose from above solutions by number or cancel [1/2/3/c/d/?] (c): 1
Applying solution 1

Resolving dependencies...
Resolving package dependencies...
Force resolution: No

The following package is going to be upgraded:
  selinux-policy  20241105-1.1 -> 20241118-308.1

The following package is going to change vendor:
  selinux-policy  20241105-1.1 -> 20241118-308.1  openSUSE ->
obs://build.opensuse.org/home:jsegitz

The following 3 packages are going to be REMOVED:
  container-selinux        2.232.1-1.2
  patterns-base-selinux    20200505-59.1
  selinux-policy-targeted  20241105-1.1

The following pattern is going to be REMOVED:
  selinux  20200505-59.1

1 package to upgrade, 3 to remove, 1 to change vendor.

Package download size:    82.1 KiB

Package install size change:
              |      25.0 KiB  required by packages that will be installed
   -24.8 MiB  |  -   24.8 MiB  released by packages that will be removed

Backend:  classic_rpmtrans
Continue? [y/n/v/...? shows all options] (y): y
committing
Retrieving: selinux-policy-20241118-308.1.noarch (Plain RPM files cache)       
                                                                               
                                                                    (1/1), 
82.1 KiB
selinux-policy-20241118-308.1.noarch.rpm:
    Header V3 RSA/SHA256 Signature, key ID 3150ff4ecd0ba9c9: NOKEY
    Header SHA256 digest: OK
    Header SHA1 digest: OK
    Payload SHA256 digest: OK
    V3 RSA/SHA256 Signature, key ID 3150ff4ecd0ba9c9: NOKEY
    MD5 digest: OK

warning:
/var/tmp/zypp.ROeCQ1/zypper/_tmpRPMcache_/%CLI%/selinux-policy-20241118-308.1.noarch.rpm:
Header V3 RSA/SHA256 Signature, key ID cd0ba9c9: NOKEY
Looking for gpg key ID CD0BA9C9 in cache /var/cache/zypp/pubkeys.
Repository Plain RPM files cache does not define additional 'gpgkey=' URLs.
selinux-policy-20241118-308.1.noarch (Plain RPM files cache): Signature
verification failed [4-Signatures public key is not available]
Abort, retry, ignore? [a/r/i] (a): i

Checking for file conflicts:
.....................................................................................................................................................................................................................[done]
(1/4) Removing: container-selinux-2.232.1-1.2.noarch
.............................................................................................................................................................................................[done]
warning: /etc/selinux/targeted/contexts/customizable_types saved as
/etc/selinux/targeted/contexts/customizable_types.rpmsave
(2/4) Removing: selinux-policy-targeted-20241105-1.1.noarch
......................................................................................................................................................................................[done]
warning: /var/cache/zypper/RPMS/selinux-policy-20241118-308.1.noarch.rpm:
Header V3 RSA/SHA256 Signature, key ID cd0ba9c9: NOKEY
error: selabel_open: (/etc/selinux/targeted/contexts/files/file_contexts) No
such file or directory
error: Plugin selinux: hook tsm_pre failed
(3/4) Installing: selinux-policy-20241118-308.1.noarch
..........................................................................................................................................................................................[error]
Installation of selinux-policy-20241118-308.1.noarch failed:
Error: Subprocess failed. Error: RPM failed: Command exited with status 1.
Abort, retry, ignore? [a/r/i] (a): i
error: selabel_open: (/etc/selinux/targeted/contexts/files/file_contexts) No
such file or directory
error: Plugin selinux: hook tsm_pre failed
(4/4) Removing: patterns-base-selinux-20200505-59.1.x86_64
......................................................................................................................................................................................[error]
Removal of (59724)patterns-base-selinux-20200505-59.1.x86_64(@System) failed:
Error: Subprocess failed. Error: RPM failed: Command exited with status 1.
Abort, retry, ignore? [a/r/i] (a): i
Running post-transaction scripts
.................................................................................................................................................................................................................[done]
CommitResult  (total 4, done 4, error 0, skipped 0, updateMessages 0)
Checking for running processes using deleted libraries...




semanage boolean -m -1 unconfined_service_transition_to_confined_user
---------------------------------------------------------------------
libsemanage.semanage_read_policydb: Could not open kernel policy
/var/lib/selinux/targeted/active/policy.kern for reading. (No such file or
directory).
FileNotFoundError: No such file or directory



reboot


Obviously that resulted in an unbootable system with error:

    [!!!!!!] Failed to load SELinux policy

During the install of the rpm you provided, Option 1 was selected, but
I'm sure that the removal of the following packages is what breaks
selinux during the boot.

  container-selinux        2.232.1-1.2
  patterns-base-selinux    20200505-59.1
  selinux-policy-targeted  20241105-1.1

I am new to selinux but I suspect that the expected result would have been
to just install your package to replace the existing one.

To recover I:

    Edited the Grub boot item temporarily to set selinux=0
    Rolled back the changes from a before snapshot I took
    Rebooted


NOTE:

I am testing this in a KVM vm which was created from a copy of the qcow2 file
that is used by a VM that I regularly use.

After booting the KVM copy the first time, I installed selinux using the
instructions Cathy provided and then removed apparmor.

Prior to installing the test rpm, SELinux had not had any issues other than the
xrdp issue we are discussing here.



Please let me know if you need any other details.

Thanks for your efforts.
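
A pre-reboot check for the failure reported in this comment, as an added example that is not part of the original bug comment or of the selinux-policy package: it reads `/etc/selinux/config` and verifies that the two policy files named in the errors above still exist for the configured policy type. The function names and the `ROOT` argument are hypothetical, and falling back to `targeted` when `SELINUXTYPE` is unset is an assumption.

```shell
#!/bin/sh
# Pre-reboot check: is the configured SELinux policy store still on disk?
# ROOT (first argument) is a hypothetical parameter so the check can run
# against a mounted snapshot or a test tree instead of the live system.

# Print the value of KEY ($2) from $ROOT/etc/selinux/config (empty if unset).
selinux_cfg() {
    sed -n "s/^[[:space:]]*$2=[[:space:]]*\([^[:space:]#]*\).*/\1/p" \
        "$1/etc/selinux/config" 2>/dev/null | tail -n 1
}

# Return 0 when a reboot will not trip over missing policy files,
# 1 when SELinux is configured on but the files are gone.
selinux_policy_ready() {
    root=${1:-}
    mode=$(selinux_cfg "$root" SELINUX)
    type=$(selinux_cfg "$root" SELINUXTYPE)
    if [ -z "$mode" ] || [ "$mode" = disabled ]; then
        echo "ok: SELinux not enabled in config"
        return 0
    fi
    type=${type:-targeted}   # assumption: default policy type
    rc=0
    # The two paths reported missing in the zypper and semanage output above.
    for f in "etc/selinux/$type/contexts/files/file_contexts" \
             "var/lib/selinux/$type/active/policy.kern"; do
        if [ ! -s "$root/$f" ]; then
            echo "MISSING: /$f (SELINUX=$mode, SELINUXTYPE=$type)"
            rc=1
        fi
    done
    [ "$rc" -eq 0 ] && echo "ok: policy store for '$type' present"
    return "$rc"
}
```

Run as `selinux_policy_ready` (live system) or `selinux_policy_ready /mnt/snapshot` after a package transaction that touched the policy packages; a non-zero result means the policy packages should be reinstalled or the snapshot rolled back before rebooting.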

