What | Removed | Added |
---|---|---|
Status | NEW | CONFIRMED |
Component | Other | Security |
Assignee | dimstar@opensuse.org | jsegitz@suse.com |
(In reply to Fabian Vogt from comment #4)
> (In reply to Fabian Vogt from comment #3)
> > (In reply to Dominique Leuenberger from comment #2)
> > > @Fabien: you mentioned that you had a more recent image available that we
> > > could use for the update tests?
> > >
> > > This image in use is ~ 2 years old - half an eternity for a rolling distro.
> > > Having a more recent base might be close to reality
> >
> > Yep, 20220301, which is reasonable IMO. I swapped it out and triggered a run:
> > https://openqa.opensuse.org/tests/2462901#step/tdup/11
> >
> > Now it fails in two other ways instead :-/
>
> Time to get into the rabbit hole!
>
> libpcre2-8-0 gets updated, which apparently invalidates the semodule cache
> or something like that. That's the cause of the "regex version mismatch"
> messages. However, the cache can't be rebuilt for two separate reasons:
> 1. For some reason, if combustion ran on the first boot, some files in
> /var/lib/selinux/... get missing (rpm -qV selinux-policy-targeted complains)

The reason for that was a bug in the old transactional-update, which is fixed meanwhile. With t-u selfupdate enabled (the case if either combustion or ignition enable network), this doesn't appear anymore. This is the case in openQA, so we can ignore this.

> 2. Avoiding combustion, the files are there, but semodule -B fails anyway:
> Failed to resolve allow statement at
> /var/lib/selinux/targeted/tmp/modules/200/container/cil:1257
> Failed to resolve AST
> /usr/sbin/semodule: Failed!
>
> This can be reproduced easily by just updating libpcre2-8-0 only and then
> running semodule -B. Updating policyutils (and libselinux etc.) doesn't help
> either.

The reason for that is that the policy is invalid until container-selinux is also updated. So we need some dependency to ensure that selinux-policy-targeted is updated (closely) together with container-selinux. Reassigning.
That also (eventually) gets rid of the regex version mismatch issues, though the right fix for that is apparently to have libselinux or a similar package install a file trigger for libpcre updates to call semodule -B: https://bugzilla.redhat.com/show_bug.cgi?id=2013642#c7
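An RPM file trigger of the kind the last paragraph describes, added here as an illustration and not code from libselinux, openSUSE or the linked Red Hat bug; the library path, the guard on the policy store and the packaging of the trigger into the libselinux spec are assumptions:

```spec
# Added example (assumed placement: libselinux spec file), not from the bug
# report or any openSUSE/SUSE package.
#
# A transaction file trigger fires once, after the whole rpm transaction has
# been installed, for every package that dropped a file under the given path
# prefix. Keying it on the libpcre2 shared object means a libpcre2 update
# rebuilds the policy store, so the compiled regexes in the store match the
# regex library libselinux now loads, which is what the "regex version
# mismatch" messages complain about. Running after the transaction (rather
# than per package) also means container-selinux, if updated in the same
# transaction, is already in place when semodule -B recompiles the modules.
%transfiletriggerin -- /usr/lib64/libpcre2-8.so.0
# Skip in chroots and image builds that carry no policy store (assumed path).
if [ -x /usr/sbin/semodule ] && [ -d /var/lib/selinux/targeted ]; then
    /usr/sbin/semodule -B || :
fi
```

On a transactional system the trigger runs inside the snapshot being prepared, so the rebuilt store is what the next boot uses; the `|| :` keeps a failed rebuild from failing the whole transaction, at the cost of leaving the mismatch in place until the next rebuild.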