[Bug 1201348] [Build 20220708] transactional update: exit 1 without real indication
https://bugzilla.suse.com/show_bug.cgi?id=1201348
https://bugzilla.suse.com/show_bug.cgi?id=1201348#c5
Fabian Vogt
(In reply to Fabian Vogt from comment #3)
(In reply to Dominique Leuenberger from comment #2)
@Fabien: you mentioned that you had a more recent image available that we could use for the update tests?
This image in use is ~ 2 years old - half an eternity for a rolling distro. Having a more recent base might be close to reality
Yep, 20220301, which is reasonable IMO. I swapped it out and triggered a run: https://openqa.opensuse.org/tests/2462901#step/tdup/11
Now it fails in two other ways instead :-/
Time to get into the rabbit hole!
libpcre2-8-0 gets updated, which apparently invalidates the semodule cache or something like that. That's the cause of the "regex version mismatch" messages. However, the cache can't be rebuilt for two separate reasons:
1. For some reason, if combustion ran on the first boot, some files in /var/lib/selinux/... go missing (rpm -qV selinux-policy-targeted complains)
The reason for that was a bug in the old transactional-update, which has been fixed in the meantime. With t-u selfupdate enabled (the case if either combustion or ignition enable network), this doesn't appear anymore. This is the case in openQA, so we can ignore this.
2. Avoiding combustion, the files are there, but semodule -B fails anyway:
Failed to resolve allow statement at /var/lib/selinux/targeted/tmp/modules/200/container/cil:1257
Failed to resolve AST
/usr/sbin/semodule: Failed!
This can be reproduced easily by just updating libpcre2-8-0 only and then running semodule -B. Updating policyutils (and libselinux etc.) doesn't help either.
The reason for that is that the policy is invalid until container-selinux is also updated. So we need some dependency to ensure that selinux-policy-targeted is updated (closely) together with container-selinux. Reassigning. That also (eventually) gets rid of the regex version mismatch issues, though the right fix for that is apparently to have libselinux or a similar package install a file trigger for libpcre updates to call semodule -B: https://bugzilla.redhat.com/show_bug.cgi?id=2013642#c7
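The following added example, which is not part of the bug report or of any openSUSE tooling, parses the semodule -B error quoted above to name the policy store, priority, module and CIL line that failed to resolve. The function names and the output format are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: identify the module behind a failed `semodule -B` rebuild.
# Function names and the output format are assumptions for this illustration.

# Reads semodule output on stdin and prints "store priority module line"
# for each "Failed to resolve ... at <path>" message that points into a
# policy store below /var/lib/selinux. Other lines are ignored.
failed_cil_modules() {
    sed -n -E 's#^Failed to resolve .* at /var/lib/selinux/([^/]+)/[^/]+/modules/([0-9]+)/([^/]+)/cil:([0-9]+).*$#\1 \2 \3 \4#p'
}

# Sample input: the three error lines quoted in the comment above.
sample_output() {
    cat <<'EOF'
Failed to resolve allow statement at /var/lib/selinux/targeted/tmp/modules/200/container/cil:1257
Failed to resolve AST
/usr/sbin/semodule: Failed!
EOF
}

# Turns the parsed fields into one triage line per failing module.
report() {
    failed_cil_modules | while read -r store prio module line; do
        echo "store=$store priority=$prio module=$module cil_line=$line"
    done
}

# Run against the embedded sample so the script works offline.
sample_output | report
```

On an affected system the same function can be fed from `semodule -B 2>&1 | report`, and the module it names can then be compared against `rpm -q container-selinux selinux-policy-targeted` to see whether the two packages were updated together.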