RHEL-127438

[rpm-ostree] SELinux policy didn't reload when using rpm-ostree install -A


    • Bug
    • Resolution: Unresolved
    • rhel-10.1, rhel-9.7, rhel-10.2
    • rpm-ostree
    • rhel-image-mode
    • x86_64

      What were you trying to do that didn't work?

      Original issue: https://issues.redhat.com/browse/FDP-1242

      Starting the openvswitch service failed after installing openvswitch and openvswitch-selinux-policy

      What is the impact of this issue to you?

      openvswitch-selinux-policy didn't automatically load after running rpm-ostree install -A

      Please provide the package NVR for which the bug is seen:

      rpm-ostree-2025.12-1.el10.x86_64

      How reproducible is this bug?: 100%

      Steps to reproduce

      [root@dell-per760-10 ~]# rpm-ostree install -Ay https://download-01.beak-001.prod.iad2.dc.redhat.com/brewroot/vol/rhel-10/packages/openvswitch3.5/3.5.2/45.el10fdp/x86_64/openvswitch3.5-3.5.2-45.el10fdp.x86_64.rpm https://download-01.beak-001.prod.iad2.dc.redhat.com/brewroot/vol/rhel-10/packages/openvswitch-selinux-extra-policy/1.0/39.el10fdp/noarch/openvswitch-selinux-extra-policy-1.0-39.el10fdp.noarch.rpm
      Downloading https://download-01.beak-001.prod.iad2.dc.redhat.com/brewroot/vol/rhel-10/packages/openvswitch3.5/3.5.2/45.el10fdp/x86_64/openvswitch3.5-3.5.2-45.el10fdp.x86_64.rpm...done
      Downloading https://download-01.beak-001.prod.iad2.dc.redhat.com/brewroot/vol/rhel-10/packages/openvswitch-selinux-extra-policy/1.0/39.el10fdp/noarch/openvswitch-selinux-extra-policy-1.0-39.el10fdp.noarch.rpm...done
      Checking out tree aaada3f... done
      Enabled rpm-md repositories: beaker-AppStream-debuginfo beaker-AppStream beaker-BaseOS-debuginfo beaker-BaseOS beaker-CRB-debuginfo beaker-CRB beaker-HighAvailability-debuginfo beaker-HighAvailability beaker-NFV-debuginfo beaker-NFV beaker-RT-debuginfo beaker-RT beaker-SAP-debuginfo beaker-SAP beaker-SAPHANA-debuginfo beaker-SAPHANA beaker-buildroot beaker-harness beaker-tasks epel
      Importing rpm-md... done
      rpm-md repo 'beaker-AppStream-debuginfo' (cached); generated: 2025-10-29T15:59:42Z solvables: 2553
      rpm-md repo 'beaker-AppStream' (cached); generated: 2025-10-29T15:59:43Z solvables: 4514
      rpm-md repo 'beaker-BaseOS-debuginfo' (cached); generated: 2025-10-29T16:00:01Z solvables: 914
      rpm-md repo 'beaker-BaseOS' (cached); generated: 2025-10-29T16:00:01Z solvables: 946
      rpm-md repo 'beaker-CRB-debuginfo' (cached); generated: 2025-10-29T16:00:17Z solvables: 295
      rpm-md repo 'beaker-CRB' (cached); generated: 2025-10-29T16:00:18Z solvables: 1238
      rpm-md repo 'beaker-HighAvailability-debuginfo' (cached); generated: 2025-10-29T16:00:28Z solvables: 23
      rpm-md repo 'beaker-HighAvailability' (cached); generated: 2025-10-29T16:00:28Z solvables: 38
      rpm-md repo 'beaker-NFV-debuginfo' (cached); generated: 2025-10-29T16:00:32Z solvables: 2
      rpm-md repo 'beaker-NFV' (cached); generated: 2025-10-29T16:00:31Z solvables: 19
      rpm-md repo 'beaker-RT-debuginfo' (cached); generated: 2025-10-29T16:00:41Z solvables: 2
      rpm-md repo 'beaker-RT' (cached); generated: 2025-10-29T16:00:42Z solvables: 16
      rpm-md repo 'beaker-SAP-debuginfo' (cached); generated: 2025-10-29T16:00:50Z solvables: 3
      rpm-md repo 'beaker-SAP' (cached); generated: 2025-10-29T16:00:50Z solvables: 5
      rpm-md repo 'beaker-SAPHANA-debuginfo' (cached); generated: 2025-10-29T16:00:57Z solvables: 3
      rpm-md repo 'beaker-SAPHANA' (cached); generated: 2025-10-29T16:00:56Z solvables: 7
      rpm-md repo 'beaker-buildroot' (cached); generated: 2025-10-17T05:57:41Z solvables: 1176
      rpm-md repo 'beaker-harness' (cached); generated: 2025-10-10T14:57:36Z solvables: 180
      rpm-md repo 'beaker-tasks' (cached); generated: 2025-10-29T07:42:33Z solvables: 24622
      rpm-md repo 'epel' (cached); generated: 2025-10-31T00:32:02Z solvables: 24985
      Resolving dependencies... done
      Will download: 3 packages (1.1 MB)
      Downloading from 'beaker-BaseOS'... done
      Downloading from 'beaker-AppStream'... done
      Importing packages... done
      Checking out packages... done
      Running pre scripts... done
      Running post scripts... done
      Running posttrans scripts... done
      Writing rpmdb... done
      Writing OSTree commit... done
      Staging deployment... done
      error: Previously interrupted while targeting commit 7a1cce1782728d2514d80352d497907450bd11ccde9f592c6c24f7e24d30c203, cannot change target to 3c5e86df2edb704ea33cdda3fe9f38dfc5b15cb4fdc364be7b217a1996784578

      [root@dell-per760-10 ~]# rpm-ostree status
      State: idle
      Deployments:
        ostree-unverified-image:containers-storage:localhost/bootc:beaker
                         Digest: sha256:b2c627e7241252bfbc2b8d37a2013f72099f4542c73ded332fa02b38234263ae
                        Version: RHEL-10.1-updates-20251029.0-x86_64 (2025-10-31T02:25:58Z)
                           Diff: 14 added
                LayeredPackages: MTA
                  LocalPackages: openvswitch-selinux-extra-policy-1.0-39.el10fdp.noarch openvswitch3.5-3.5.2-45.el10fdp.x86_64
      ● ostree-unverified-image:containers-storage:localhost/bootc:beaker
                         Digest: sha256:b2c627e7241252bfbc2b8d37a2013f72099f4542c73ded332fa02b38234263ae
                        Version: RHEL-10.1-updates-20251029.0-x86_64 (2025-10-31T02:25:58Z)
          InterruptedLiveCommit: 7a1cce1782728d2514d80352d497907450bd11ccde9f592c6c24f7e24d30c203
                       Unlocked: transient
       
      Expected results

      reference:

      https://coreos.github.io/rpm-ostree/architecture-core/#selinux

      This means that on an OSTree based system, the labels for the files in the booted deployment (e.g. in /usr) are always correct and set atomically - there’s no need to relabel. 

      https://coreos.github.io/rpm-ostree/apply-live/

      Actual results

      Quoting the latest comments on FDP-1242

      After a detailed analysis, it appears that the issue occurs because SELinux is disabled during the rpm-ostree install -A operation, or more precisely, because the installation runs inside a chroot/container environment where SELinux is not exposed. As a result, the openvswitch-selinux-extra-policy policies are not applied until after a system reboot.

      Example:

      [root@wsfd-netdev91 ~]# ls -lZ /usr/share/openvswitch/scripts/ovs-kmod-ctl
      -rwxr-xr-x. 1 root root system_u:object_r:unlabeled_t:s0 6099 Nov 10 21:34 /usr/share/openvswitch/scripts/ovs-kmod-ctl
      [root@wsfd-netdev91 ~]#
      

      Currently, the issue can be worked around by manually running load_policy after executing the rpm-ostree install -A command. However, it’s not straightforward to perform this step automatically from within the RPM, due to the containerized environment in which the installation runs.

      If everyone agrees, I propose closing this bug and opening a new one against the rpm-ostree package to track this peculiar behavior.
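
A post-install check built on the load_policy workaround quoted above, added here as an example; it is not code from the issue or from rpm-ostree. The function names and the sample lines are constructed (the first sample line mirrors the ls -lZ output above, the second label is hypothetical), and check_live_labels assumes root on a host with SELinux enabled and GNU xargs/stat.

```shell
#!/bin/sh
# Added example: find files that resolve to unlabeled_t after
# "rpm-ostree install -A" and reload the policy if any are found.

# Read "<selinux-context> <path>" lines (the format of `stat -c '%C %n'`)
# and print every path whose type field is unlabeled_t.
unlabeled_paths() {
    awk '{
        split($1, ctx, ":")            # user:role:type:level
        if (ctx[3] == "unlabeled_t") {
            sub(/^[^ ]+ /, "")         # drop the context, keep the full path
            print
        }
    }'
}

# Constructed sample input in `stat -c "%C %n"` format.
SAMPLE='system_u:object_r:unlabeled_t:s0 /usr/share/openvswitch/scripts/ovs-kmod-ctl
system_u:object_r:bin_t:s0 /usr/bin/ovs-vsctl'

# List the unlabeled_t files owned by the given packages.
pkg_unlabeled() {
    rpm -ql "$@" | xargs -r -d '\n' stat -c '%C %n' 2>/dev/null | unlabeled_paths
}

# Check the packages' files; if any resolve to unlabeled_t, run load_policy
# once (the workaround described above) and check again.
# Returns 0 when nothing is unlabeled, 1 when files stay unlabeled,
# 2 when load_policy itself fails.
check_live_labels() {
    _bad=$(pkg_unlabeled "$@")
    [ -z "$_bad" ] && return 0
    echo "unlabeled_t after apply-live, reloading policy:" >&2
    echo "$_bad" >&2
    load_policy || return 2
    _bad=$(pkg_unlabeled "$@")
    [ -z "$_bad" ]
}

# Demo on the constructed sample; on a real host call instead:
#   check_live_labels openvswitch3.5 openvswitch-selinux-extra-policy
printf '%s\n' "$SAMPLE" | unlabeled_paths
```

A non-zero return after the reload means the files are still unlabeled and the deployment needs the reboot mentioned in the comment above.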

              rhn-support-jmarrero Joseph Marrero Corchado
              mhou@redhat.com HOU MINXI
              Joseph Marrero Corchado Joseph Marrero Corchado
              Xiaofeng Wang Xiaofeng Wang