F20 selinux issue breaks updates



leigh123linux
18th January 2014, 09:45 AM
If you have selinux enabled in enforcing mode (default), all future updates will fail unless you run the following.

https://fedoraproject.org/wiki/Common_F20_bugs#RPM_scriptlets_fail_during_updates




setenforce 0
yum clean expire-cache
yum update selinux-policy\*
setenforce 1

link to the selinux issue

https://bugzilla.redhat.com/show_bug.cgi?id=1054350

glennzo
18th January 2014, 09:58 AM
Hmmm. Is that why yum -y update yum failed this morning?

leigh123linux
18th January 2014, 10:04 AM
Hmmm. Is that why yum -y update yum failed this morning?

It has a scriptlet that is run on update, so it's likely it failed due to the selinux bug.



$ rpm -q --scripts yum
postinstall scriptlet (using /bin/sh):

if [ $1 -eq 1 ] ; then
# Initial installation
/usr/bin/systemctl preset yum-makecache.timer >/dev/null 2>&1 || :
fi
preuninstall scriptlet (using /bin/sh):

if [ $1 -eq 0 ] ; then
# Package removal, not upgrade
/usr/bin/systemctl --no-reload disable yum-makecache.timer > /dev/null 2>&1 || :
/usr/bin/systemctl stop yum-makecache.timer > /dev/null 2>&1 || :
fi
postuninstall scriptlet (using /bin/sh):

/usr/bin/systemctl daemon-reload >/dev/null 2>&1 || :
if [ $1 -ge 1 ] ; then
# Package upgrade, not uninstall
/usr/bin/systemctl try-restart yum-makecache.timer >/dev/null 2>&1 || :
fi

bob
18th January 2014, 01:21 PM
Added as a Forum-Wide Announcement. Also, copied and stuck thread on Using Fedora and copied to News.

Progger
19th January 2014, 12:18 PM
I did:


setenforce 0
yum clean expire-cache
yum update selinux-policy
setenforce 1

with no result. Then I did:


# setenforce 0
# yum clean expire-cache
# yum update selinux-policy
# yum update
# setenforce 1

Problem solved.

Inexperienced users may not know this. :doh:

sidebrnz
19th January 2014, 11:21 PM
I just did a complete system update on my laptop, running F20 and Xfce. I used yumex and the update completed without incident. Checking, selinux-policy-targeted was updated, and I didn't need to enable updates-testing. It appears that this issue has cleared itself up.

mschwendt
20th January 2014, 12:21 AM
The revised fix should add '\*' for the yum update call, so it really always explicitly asks for an update of all installed selinux-policy* packages:



setenforce 0
yum clean expire-cache
yum update selinux-policy\*
setenforce 1

That also fixes the problem for users who've tried to apply the selinux-policy update in enforcing mode, as pointed out by Kobuck. Full reproducer with comments here: http://forums.fedoraforum.org/showpost.php?p=1685122&postcount=17

@ sidebrnz : If one has installed the bad -116.fc20 selinux-policy packages, one cannot avoid entering SELinux permissive mode prior to updating the newer selinux-policy packages. What has changed meanwhile, however, is that the -117.fc20 fixed packages have appeared in the normal updates repo, so enabling updates-testing is not necessary anymore. Updates-testing contains an even newer selinux-policy update already.
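
One way to script the revised workaround above so that SELinux goes back to enforcing mode even if yum fails partway through (an added example, not part of the original post; the function names and the --apply flag are made up here, and it assumes a root shell on a Fedora 20 host):

```shell
#!/bin/bash
# Added example: apply the thread's workaround only when the bad release is
# installed, and always restore enforcing mode afterwards.

BAD_RELEASE="116.fc20"   # bad selinux-policy release named in the thread

# Reads one %{RELEASE} value per line on stdin; succeeds if any line is
# exactly the bad release (whole-line, fixed-string match).
has_bad_release() {
    grep -qxF "$BAD_RELEASE"
}

# Release field of every installed selinux-policy* package, one per line.
installed_releases() {
    rpm -qa --qf '%{RELEASE}\n' 'selinux-policy*'
}

apply_fix() {
    prev_mode=$(getenforce) || return 1
    if [ "$prev_mode" = "Enforcing" ]; then
        # Re-enable enforcing however the script ends (error, Ctrl-C, exit).
        trap 'setenforce 1' EXIT
        setenforce 0 || return 1
    fi
    yum clean expire-cache &&
    yum update 'selinux-policy*'
}

# Hypothetical entry point: nothing privileged runs without --apply.
if [ "${1:-}" = "--apply" ]; then
    if installed_releases | has_bad_release; then
        apply_fix || exit 1
        if installed_releases | has_bad_release; then
            echo "selinux-policy -$BAD_RELEASE is still installed" >&2
            exit 1
        fi
    else
        echo "bad selinux-policy release not installed; nothing to do"
    fi
fi
```

After it finishes, getenforce should print Enforcing again if that was the mode before the run.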

sidebrnz
20th January 2014, 12:53 AM
Yes, I understand that. I was pointing out that AFAICT the update had received enough good karma that it wasn't in testing any more.

trojanwarrior
20th January 2014, 07:58 PM
I have one more issue with the last batch of updates. After updating the whole package list, the alternative symlinks were messed up. When I tried to launch Azureus, it complained that /usr/lib/jvm/jre/bin/java was not found. At first I thought Azureus had a bug in its script, but then I tried launching Eclipse with the same result.
So I made a new symlink in:

/usr/lib/jvm/jre -> /usr/lib/jvm/java-1.7.0-openjdk-1.7.0.60-2.4.4.1.fc20.x86_64/jre/

Now both Azureus and Eclipse are launching OK.

mschwendt
20th January 2014, 08:31 PM
That could be one thing where reinstalling the packages (with "yum reinstall ") might have helped. Depending on what updates have been installed after the bad selinux policy package, they may need manual cleanup or a reinstall because of what they do in the scriptlet sections.

trojanwarrior
20th January 2014, 08:42 PM
That could be one thing where reinstalling the packages (with "yum reinstall ") might have helped. Depending on what updates have been installed after the bad selinux policy package, they may need manual cleanup or a reinstall because of what they do in the scriptlet sections.

Well, in that case probably it will be fixed on the next update. I think :)

gilboa
9th February 2014, 07:05 PM
Thanks @leigh123linux for this thread.
I was about to give up on two different Fedora 20 installations that almost went FUBAR.
(Took me hours afterwards to fix the broken dependencies / duplicates / etc.)

How on earth such a bug managed to slip through the cracks is beyond me... :(

I would consider making this thread sticky. (EDIT: It's already sticky...)

- Gilboa

Driftwould
15th March 2014, 05:07 PM
I am doing a clean install of Fedora 20. Will I need to run this script to update a new install, or has this been fixed?

Thanks in advance.

mschwendt
15th March 2014, 05:45 PM
The bad package is no longer available, so you won't run into the issue with a new install.