F20 selinux issue breaks updates
FedoraForum.org - Fedora Support Forums and Community
  1. #1
    leigh123linux Guest

    F20 selinux issue breaks updates

    If you have selinux enabled in enforcing mode (default), all future updates will fail unless you run the commands below.

    https://fedoraproject.org/wiki/Commo...during_updates

    Code:
    setenforce 0
    yum clean expire-cache
    yum update selinux-policy\*
    setenforce 1

    Link to the selinux issue:

    https://bugzilla.redhat.com/show_bug.cgi?id=1054350
    Last edited by leigh123linux; 22nd January 2014 at 10:52 PM. Reason: add link to Common_F20_bugs

  2. #2

    Re: F20 selinux issue breaks updates

    Hmmm. Is that why yum -y update yum failed this morning?
    Glenn
    The Bassinator

  3. #3
    leigh123linux Guest

    Re: F20 selinux issue breaks updates

    Quote Originally Posted by glennzo
    Hmmm. Is that why yum -y update yum failed this morning?

    It has a scriptlet that is run on update so it's likely it failed due to the selinux bug.


    Code:
    $ rpm -q --scripts yum
    postinstall scriptlet (using /bin/sh):
    
    if [ $1 -eq 1 ] ; then 
            # Initial installation 
            /usr/bin/systemctl preset yum-makecache.timer >/dev/null 2>&1 || : 
    fi
    preuninstall scriptlet (using /bin/sh):
    
    if [ $1 -eq 0 ] ; then 
            # Package removal, not upgrade 
            /usr/bin/systemctl --no-reload disable yum-makecache.timer > /dev/null 2>&1 || : 
            /usr/bin/systemctl stop yum-makecache.timer > /dev/null 2>&1 || : 
    fi
    postuninstall scriptlet (using /bin/sh):
    
    /usr/bin/systemctl daemon-reload >/dev/null 2>&1 || : 
    if [ $1 -ge 1 ] ; then 
            # Package upgrade, not uninstall 
            /usr/bin/systemctl try-restart yum-makecache.timer >/dev/null 2>&1 || : 
    fi

  4. #4

    Re: F20 selinux issue breaks updates

    Added as a Forum-Wide Announcement.
    Linux & Beer - That TOTALLY Computes!
    Registered Linux User #362651


    Don't use any of my solutions on working computers or near small children.

  5. #5

    Re: F20 selinux issue breaks updates

    Need to use:

    Code:
    setenforce 0
    yum --enablerepo=updates-testing update selinux-policy-targeted
    setenforce 1
    Laptop: Toshiba / Intel B960 2.20Ghz x2/ 4GB/ 320GB HD/ Intel HD 2000/ fc34.x86_64
    Tower:GigaByte x570 / Ryzen 3800x 3.9Ghz x8/ 32GB/ 9TB HD/ Radeon RX 580/ fc34.x86_64
    Server:GigaByte B450M / Ryzen 3200G 3.7Ghz x4/ 16GB/ 24.5TB HD/ Vega 8 / fc33.x86_64
    Embedded: ASUS Tinkerboard / ARM RK3288 1.8 GHz x4/ 2GB / 32GB SD/ Mali-T764/ deb10.armhf

  6. #6
    leigh123linux Guest

    Re: F20 selinux issue breaks updates

    Quote Originally Posted by Kobuck
    Need to use:

    Code:
    setenforce 0
    yum --enablerepo=updates-testing update selinux-policy-targeted
    setenforce 1

    No you don't!

    Code:
    ]# yum --enablerepo=updates-testing update selinux-policy
    Loaded plugins: langpacks, merge-conf, refresh-packagekit, remove-with-leaves
    Resolving Dependencies
    --> Running transaction check
    ---> Package selinux-policy.noarch 0:3.12.1-116.fc20 will be updated
    --> Processing Dependency: selinux-policy = 3.12.1-116.fc20 for package: selinux-policy-targeted-3.12.1-116.fc20.noarch
    --> Processing Dependency: selinux-policy = 3.12.1-116.fc20 for package: selinux-policy-targeted-3.12.1-116.fc20.noarch
    ---> Package selinux-policy.noarch 0:3.12.1-117.fc20 will be an update
    --> Running transaction check
    ---> Package selinux-policy-targeted.noarch 0:3.12.1-116.fc20 will be updated
    ---> Package selinux-policy-targeted.noarch 0:3.12.1-117.fc20 will be an update
    --> Finished Dependency Resolution
    
    Dependencies Resolved
    
    ========================================================================================================================================================
     Package                                       Arch                         Version                                 Repository                     Size
    ========================================================================================================================================================
    Updating:
     selinux-policy                                noarch                       3.12.1-117.fc20                         updates                       316 k
    Updating for dependencies:
     selinux-policy-targeted                       noarch                       3.12.1-117.fc20                         updates                       3.6 M
    
    Transaction Summary
    ========================================================================================================================================================
    Upgrade  1 Package (+1 Dependent package)

  7. #7

    Re: F20 selinux issue breaks updates

    Sorry I hope I'm not confusing things but I got:

    Code:
    # yum --enablerepo=updates-testing update selinux-policy
    Loaded plugins: langpacks, refresh-packagekit
    No packages marked for update

    Attempting a full update still got the errors. The direct update of the selinux-policy-targeted fixed the problem.

    reference comment #13:
    https://bugzilla.redhat.com/show_bug.cgi?id=1054350
    Last edited by Kobuck; 18th January 2014 at 02:41 PM. Reason: wrong comment #

  8. #8

    Re: F20 selinux issue breaks updates

    Ok noob question but should I just set SELinux to permissive until further notice?

  9. #9
    leigh123linux Guest

    Re: F20 selinux issue breaks updates

    Quote Originally Posted by Riff Gaffer
    Ok noob question but should I just set SELinux to permissive until further notice?

    TBH selinux is a personal preference and I don't want to inflict any opinion as such.

    But here's my thinking on the matter:

    Selinux enforcing mode keeps the tin hat brigade happy, permissive mode is good for everyday use.
    For me personally I mostly keep it disabled on most installs except the install I use for banking (no oracle java or flash).

  10. #10
    mschwendt Guest

    Re: F20 selinux issue breaks updates

    # rpm -qR selinux-policy-targeted|grep ^sel
    selinux-policy = 3.12.1-117.fc20
    selinux-policy = 3.12.1-117.fc20

    The selinux-policy-targeted package strictly depends on the selinux-policy package, so specifying "yum update selinux-policy" is sufficient and will pull in the corresponding selinux-policy-targeted package in order not to break the dependency.
    IOW, you cannot update only "selinux-policy" without also replacing "selinux-policy-targeted".

    Quote Originally Posted by Riff Gaffer
    Ok noob question but should I just set SELinux to permissive until further notice?

    You're free to decide yourself, but setting it to permissive mode temporarily is strictly necessary if you want to update the policy package.

  11. #11

    Re: F20 selinux issue breaks updates

    Thanks chaps

    I guess SELinux is a very emotive subject for many in the community still. Is this a bad thing for Fedora? It seems like a big QA burp if nothing else?

  12. #12

    Re: F20 selinux issue breaks updates

    I update each afternoon, after I'm done doing for the day, as I did today. I saw SELinux updates and no errors reported this afternoon - before seeing this caution. Might the fix be already made, or what error indication did I miss?

  13. #13
    mschwendt Guest

    Re: F20 selinux issue breaks updates

    Quote Originally Posted by Riff Gaffer
    I guess SELinux is a very emotive subject for many in the community still.
    You may need to expand on that before it becomes clear what you have in mind.

    Is this a bad thing for Fedora?
    SELinux? No.

    A bad update? Of course!

    It's a worst-case scenario for an update, if it prevents subsequent updates from installing properly and may require additional cleanup after applying a fix.

    Everything has been in place to avoid an update accident like that, but a combination of impatient packagers and testers can circumvent the testing process and declare a Test Update as stable too quickly. The first +1 vote in the Fedora Updates System was 22 hours before the update entered the updates-testing repo. By the time some testers were noticing the first scriptlet return code errors, the Test Update had been pushed into the updates repo already after just 21 hours in the updates-testing repo:
    https://admin.fedoraproject.org/upda....12.1-116.fc20

    It seems like a big QA burp if nothing else?
    You may need to expand on that before it becomes clear what you have in mind.

    Quote Originally Posted by DougHuffman
    I update each afternoon, after I'm done doing for the day, as I did today. I saw SELinux updates and no errors reported this afternoon - before seeing this caution. Might the fix be already made, or what error indication did I miss?
    Difficult to comment on. How do you update? With Yum or graphical tools? If with Yum, you could examine your yum.log. You would only be affected if you had the previous selinux-policy-3.12.1-116.fc20 update installed and SELinux in enforcing mode. Then you could not update to -117.fc20 without the manual work-around described in this thread.
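
Added example (not written by any poster in this thread): the "am I affected" condition from post #13 and the workaround commands from post #1 combined into one script that puts SELinux back into enforcing mode even when yum fails or the run is interrupted. The function names and the --run switch are assumptions of this example; the package build and the commands are the ones quoted in the thread.

```sh
#!/bin/sh
# Added example, not from the thread. The build string and the
# setenforce/yum commands are the ones quoted in posts #1 and #13;
# function names and the --run switch are made up for this example.
BAD_BUILD="selinux-policy-3.12.1-116.fc20"

# is_affected NVR MODE: succeeds only for the broken build in enforcing mode.
# NVR is the output of `rpm -q selinux-policy`, MODE that of `getenforce`.
is_affected() {
    case "$1" in
        "$BAD_BUILD"*) ;;          # rpm -q appends the arch, e.g. ".noarch"
        *) return 1 ;;
    esac
    [ "$2" = "Enforcing" ]
}

# apply_workaround: post #1's commands, with enforcing mode restored on
# every path (yum failure, Ctrl-C, TERM/HUP) and yum's status passed back.
apply_workaround() {
    trap 'setenforce 1; exit 130' INT TERM HUP
    setenforce 0 || { trap - INT TERM HUP; return 1; }
    rc=0
    yum clean expire-cache && yum update 'selinux-policy*' || rc=$?
    setenforce 1 || rc=1
    trap - INT TERM HUP
    return "$rc"
}

main() {
    nvr=$(rpm -q selinux-policy) || return 2
    mode=$(getenforce) || return 2
    if is_affected "$nvr" "$mode"; then
        apply_workaround
    else
        echo "not affected ($nvr, SELinux $mode)"
    fi
}

# Only touches the system when asked to: sh script.sh --run (as root).
if [ "${1:-}" = "--run" ]; then main; fi
```

A non-zero exit status means yum or setenforce failed; check `getenforce` afterwards to confirm the system is back in enforcing mode.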

  14. #14

    Re: F20 selinux issue breaks updates

    Hello, I get this when updating:

    Failed:
    firewalld.noarch 0:0.3.9-1.fc20 initscripts.x86_64 0:9.50-1.fc20 initscripts.x86_64 0:9.51-1.fc20 selinux-policy-targeted.noarch 0:3.12.1-116.fc20
    selinux-policy-targeted.noarch 0:3.12.1-117.fc20 yum.noarch 0:3.4.3-129.fc20

  15. #15
    mschwendt Guest

    Re: F20 selinux issue breaks updates

    Follow these instructions:

    https://fedoraproject.org/wiki/Commo...during_updates

    Post full console output if you run into any problems.
