Loading...

Type: Bug
Resolution: Unresolved
Priority: Major
Fix Version/s: rhel-10.2
Affects Version/s: rhel-10.1
Component/s: selinux-policy
Labels:

Regression:
Yes
Severity:
Low
Epic Link:
SELINUX-4342
sprint_count:
1

AssignedTeam:
rhel-security-selinux

Story Points:
2
Blocked:
False
Ready:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
No
Sprint:
SELINUX 260218: 18

Preliminary Testing:
None
Test Coverage:
None

Release Note Type:
Unspecified Release Note Type - Unknown
ProdDocsReview-CCS:
Unspecified
ProdDocsReview-Dev:
Unspecified
ProdDocsReview-QE:
Unspecified

Experience:

PX Impact Score:
SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None

What were you trying to do that didn't work?
=======================

Issue happen when upgrading from selinux-policy-40.13.26-1.el10 selinux-policy-targeted-40.13.26-1.el10 to selinux-policy-42.1.7-1.el10 selinux-policy-targeted-42.1.7-1.el10 when usbguard and usbguard-selinux is installed on system.

Issue does not happen when downgrading from selinux-policy-42.1.7-1.el10 selinux-policy-targeted-42.1.7-1.el10 to selinux-policy-40.13.26-1.el10 selinux-policy-targeted-40.13.26-1.el10

What is the impact of this issue to you?
=======================
Selinux relabeling is unsuccessful, and after rebooting, the root filesystem is mounted as a read-only filesystem.

Please provide the package NVR for which the bug is seen:
=======================
selinux-policy-42.1.7-1.el10.noarch
selinux-policy-targeted-42.1.7-1.el10.noarch
usbguard-1.1.3-6.el10.x86_64
usbguard-selinux-1.1.3-6.el10.noarch

How reproducible is this bug?:
=======================
Everytime

Steps to reproduce
=======================

1] Remove usbguard-selinux package :

# dnf remove usbguard-selinux
# ls -ldZ  /usr/sbin/usbguard* /var/log/usbguard
-rwxr-xr-x. 1 root root system_u:object_r:unlabeled_t:s0 208376 Feb  6  2025 /usr/sbin/usbguard-daemon
drwx------. 2 root root system_u:object_r:unlabeled_t:s0      6 Feb  6  2025 /var/log/usbguard

2] Downgrade selinux package :

# dnf downgrade selinux-policy-40.13.26-1.el10 selinux-policy-devel-40.13.26-1.el10 selinux-policy-doc-40.13.26-1.el10 selinux-policy-targeted-40.13.26-1.el10
# dnf reinstall selinux-policy-40.13.26-1.el10 selinux-policy-devel-40.13.26-1.el10 selinux-policy-doc-40.13.26-1.el10 selinux-policy-targeted-40.13.26-1.el10
# ls -ldZ  /usr/sbin/usbguard* /var/log/usbguard
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0     208376 Feb  6  2025 /usr/sbin/usbguard-daemon
drwx------. 2 root root system_u:object_r:var_log_t:s0      6 Feb  6  2025 /var/log/usbguard
#

3] Install usbguard-selinux package :

#

 dnf install usbguard-selinux-1.1.3-6.el10
# ls -ldZ  /usr/sbin/usbguard* /var/log/usbguard
-rwxr-xr-x. 1 root root system_u:object_r:usbguard_exec_t:s0 208376 Feb  6  2025 /usr/sbin/usbguard-daemon
drwx------. 2 root root system_u:object_r:usbguard_log_t:s0       6 Feb  6  2025 /var/log/usbguard
#

4] Upgrade selinux package and observe selinux-policy-targeted fail with POSTTRANS scriptlet returned a non-zero exit code while relabelling paths.

# dnf upgrade selinux-policy-42.1.7-1.el10 selinux-policy-devel-42.1.7-1.el10 selinux-policy-doc-42.1.7-1.el10 selinux-policy-targeted-42.1.7-1.el10
Updating Subscription Management repositories.
Last metadata expiration check: 0:48:24 ago on Fri 16 Jan 2026 09:58:05 AM IST.
Dependencies resolved.
==================================================================================================================================================
 Package                                Architecture          Version                      Repository                                        Size
==================================================================================================================================================
Upgrading:
 selinux-policy                         noarch                42.1.7-1.el10                rhel-10-for-x86_64-baseos-rpms                    50 k
 selinux-policy-devel                   noarch                42.1.7-1.el10                rhel-10-for-x86_64-appstream-rpms                1.5 M
 selinux-policy-doc                     noarch                42.1.7-1.el10                rhel-10-for-x86_64-baseos-rpms                   2.6 M
 selinux-policy-targeted                noarch                42.1.7-1.el10                rhel-10-for-x86_64-baseos-rpms                   6.2 M
Transaction Summary
==================================================================================================================================================
Upgrade  4 Packages
Total download size: 10 M
Is this ok [y/N]: y
Downloading Packages:
(1/4): selinux-policy-42.1.7-1.el10.noarch.rpm                                                                     82 kB/s |  50 kB     00:00    
(2/4): selinux-policy-devel-42.1.7-1.el10.noarch.rpm                                                              1.6 MB/s | 1.5 MB     00:00    
(3/4): selinux-policy-doc-42.1.7-1.el10.noarch.rpm                                                                2.0 MB/s | 2.6 MB     00:01    
(4/4): selinux-policy-targeted-42.1.7-1.el10.noarch.rpm                                                           3.6 MB/s | 6.2 MB     00:01    
--------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                             4.4 MB/s |  10 MB     00:02     
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Running scriptlet: selinux-policy-targeted-42.1.7-1.el10.noarch                                                                             1/1 
  Preparing        :                                                                                                                          1/1 
  Running scriptlet: selinux-policy-42.1.7-1.el10.noarch                                                                                      1/8 
  Upgrading        : selinux-policy-42.1.7-1.el10.noarch                                                                                      1/8 
  Running scriptlet: selinux-policy-42.1.7-1.el10.noarch                                                                                      1/8 
  Running scriptlet: selinux-policy-targeted-42.1.7-1.el10.noarch                                                                             2/8 
  Upgrading        : selinux-policy-targeted-42.1.7-1.el10.noarch                                                                             2/8 
  Running scriptlet: selinux-policy-targeted-42.1.7-1.el10.noarch                                                                             2/8 
  Upgrading        : selinux-policy-devel-42.1.7-1.el10.noarch                                                                                3/8 
  Running scriptlet: selinux-policy-devel-42.1.7-1.el10.noarch                                                                                3/8 
  Upgrading        : selinux-policy-doc-42.1.7-1.el10.noarch                                                                                  4/8 
  Cleanup          : selinux-policy-doc-40.13.26-1.el10.noarch                                                                                5/8 
  Cleanup          : selinux-policy-devel-40.13.26-1.el10.noarch                                                                              6/8 
  Running scriptlet: selinux-policy-40.13.26-1.el10.noarch                                                                                    7/8 
  Cleanup          : selinux-policy-40.13.26-1.el10.noarch                                                                                    7/8 
  Running scriptlet: selinux-policy-40.13.26-1.el10.noarch                                                                                    7/8 
  Cleanup          : selinux-policy-targeted-40.13.26-1.el10.noarch                                                                           8/8 
  Running scriptlet: selinux-policy-targeted-40.13.26-1.el10.noarch                                                                           8/8 
  Running scriptlet: selinux-policy-targeted-42.1.7-1.el10.noarch                                                                             8/8 
/usr/sbin/restorecon: Could not set context for /usr/bin/conmon:  Invalid argument
/usr/sbin/restorecon: Could not set context for /usr/bin/podman:  Invalid argument
/usr/sbin/restorecon: Could not set context for /usr/bin/osbuild:  Invalid argument
/usr/sbin/restorecon: Could not set context for /usr/bin/buildah:  Invalid argument
/usr/sbin/restorecon: Could not set context for /usr/bin/docker:  Invalid argument
/usr/sbin/restorecon: Could not set context for /usr/bin/crun:  Invalid argument
/usr/sbin/restorecon: Could not set context for /usr/bin/swtpm:  Invalid argument
/usr/sbin/restorecon: Could not set context for /usr/sbin/nbdkit:  Invalid argument
/usr/sbin/restorecon: Could not set context for /usr/sbin/usbguard-daemon:  Invalid argument
/usr/sbin/restorecon: Could not set context for /usr/sbin/usbguard-daemon:  Invalid argument
warning: %posttrans(selinux-policy-targeted-42.1.7-1.el10.noarch) scriptlet failed, exit status 255
Error in POSTTRANS scriptlet in rpm package selinux-policy-targeted
  Running scriptlet: selinux-policy-targeted-40.13.26-1.el10.noarch                                                                           8/8 
Failed to set SELinux security context system_u:object_r:cockpit_var_run_t:s0 for /run/cockpit/inactive.issue: Invalid argument
Unable to fix SELinux security context of /run/cockpit/inactive.issue: Invalid argument
Failed to set SELinux security context system_u:object_r:cockpit_var_run_t:s0 for /run/cockpit/active.issue: Invalid argument
Unable to fix SELinux security context of /run/cockpit/active.issue: Invalid argument
Failed to set SELinux security context system_u:object_r:cockpit_var_run_t:s0 for /run/cockpit/issue: Invalid argument
Unable to fix SELinux security context of /run/cockpit/issue: Invalid argument
Failed to set SELinux security context system_u:object_r:usbguard_log_t:s0 for /var/log/usbguard: Invalid argument
Unable to fix SELinux security context of /var/log/usbguard: Invalid argument
Installed products updated.
Upgraded:
  selinux-policy-42.1.7-1.el10.noarch                selinux-policy-devel-42.1.7-1.el10.noarch       selinux-policy-doc-42.1.7-1.el10.noarch      
  selinux-policy-targeted-42.1.7-1.el10.noarch      
Complete!
# 
# ls -ldZ  /usr/sbin/usbguard* /var/log/usbguard
-rwxr-xr-x. 1 root root system_u:object_r:unlabeled_t:s0 208376 Feb  6  2025 /usr/sbin/usbguard-daemon
drwx------. 2 root root system_u:object_r:unlabeled_t:s0      6 Feb  6  2025 /var/log/usbguard

#

5] After rebooting, the root filesystem is mounted as a read-only filesystem.

# uptime
 10:48:51 up 1 min,  2 users,  load average: 0.03, 0.01, 0.00
# 
# ls -ldZ  /usr/sbin/usbguard* /var/log/usbguard
-rwxr-xr-x. 1 root root system_u:object_r:unlabeled_t:s0 208376 Feb  6  2025 /usr/sbin/usbguard-daemon
drwx------. 2 root root system_u:object_r:unlabeled_t:s0      6 Feb  6  2025 /var/log/usbguard
# mount
/dev/mapper/rhel-root on / type xfs (ro,relatime,seclabel,attr2,inode64,logbufs=8,logbsize=32k,noquota)

Workaround :
==============

mount root filesystem in rw or boot the system with selinux=0
Reinstall selinux-policy-targeted-42.1.7-1.el10
Reboot the system .

Expected results:
==============

Upgrade should happed without issue.

Details

Description

Attachments

Easy Agile Planning Poker

Activity

People

Dates