Fabian Vogt changed bug 1201348
What       Removed               Added
Status     NEW                   CONFIRMED
Component  Other                 Security
Assignee   dimstar@opensuse.org  jsegitz@suse.com

Comment # 5 on bug 1201348 from
(In reply to Fabian Vogt from comment #4)
> (In reply to Fabian Vogt from comment #3)
> > (In reply to Dominique Leuenberger from comment #2)
> > > @Fabian: you mentioned that you had a more recent image available that we
> > > could use for the update tests?
> > > 
> > > This image in use is ~ 2 years old - half an eternity for a rolling distro.
> > > Having a more recent base might be close to reality
> > 
> > Yep, 20220301, which is reasonable IMO. I swapped it out and triggered a run:
> > https://openqa.opensuse.org/tests/2462901#step/tdup/11
> > 
> > Now it fails in two other ways instead :-/
> 
> Time to get into the rabbit hole!
> 
> libpcre2-8-0 gets updated, which apparently invalidates the semodule cache
> or something like that. That's the cause of the "regex version mismatch"
> messages. However, the cache can't be rebuilt for two separate reasons:
> 1. For some reason, if combustion ran on the first boot, some files in
> /var/lib/selinux/... go missing (rpm -qV selinux-policy-targeted complains)

The reason for that was a bug in the old transactional-update, which has since
been fixed. With t-u selfupdate enabled (the case if either combustion or
ignition enable network), this doesn't appear anymore. This is the case in
openQA, so we can ignore this.

> 2. Avoiding combustion, the files are there, but semodule -B fails anyway:
> Failed to resolve allow statement at
> /var/lib/selinux/targeted/tmp/modules/200/container/cil:1257
> Failed to resolve AST
> /usr/sbin/semodule:  Failed!
> 
> This can be reproduced easily by just updating libpcre2-8-0 only and then
> running semodule -B. Updating policyutils (and libselinux etc.) doesn't help
> either.

The reason for that is that the policy is invalid until container-selinux is
also updated. So we need some dependency to ensure that selinux-policy-targeted
is updated (closely) together with container-selinux. Reassigning.

That also (eventually) gets rid of the regex version mismatch issues, though
the right fix for that is apparently to have libselinux or a similar package
install a file trigger for libpcre updates to call semodule -B:
https://bugzilla.redhat.com/show_bug.cgi?id=2013642#c7
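As an added illustration of the two fixes discussed in this comment (not code from the bug report or from the openSUSE packages), here are RPM spec fragments for a hypothetical libselinux-style package and for selinux-policy-targeted: a transaction file trigger that rebuilds the policy store whenever a libpcre2 shared object is installed or updated, and a version constraint that keeps selinux-policy-targeted and container-selinux in step. The library path prefix, the owning package and the %{container_selinux_min} macro are assumptions.

```spec
# --- Fragment for a libselinux-style package (assumed owner of the trigger) ---
# Added example, not from the bug report. %transfiletriggerin fires once per
# rpm transaction, after any package that installs a file under the given path
# prefix, so a libpcre2-8-0 update rebuilds the store exactly once instead of
# leaving the compiled policy with a stale regex version. Path is an assumption.
%transfiletriggerin -- /usr/lib64/libpcre2-8.so
# rpm passes the matched file names on stdin; they are not needed here.
cat > /dev/null
# Only rebuild when the tooling and a policy store are actually present;
# "|| :" keeps a rebuild failure from aborting the whole transaction.
if [ -x /usr/sbin/semodule ] && [ -d /var/lib/selinux ]; then
    /usr/sbin/semodule -B || :
fi

# --- Fragment for selinux-policy-targeted (assumed) ---
# The CIL of an older container-selinux no longer resolves against the new base
# policy, so refuse to be installed alongside it. The minimum version lives in a
# macro (placeholder, assumption) so the pairing is maintained in one place.
Conflicts: container-selinux < %{container_selinux_min}
```

With the Conflicts line in place, a transaction that updates selinux-policy-targeted must also pull in a matching container-selinux, so semodule -B is never run against a mismatched pair.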


You are receiving this mail because: