Bugzilla – Bug 1185625
transactional-update: /etc has wrong selinux label
Last modified: 2023-07-04 07:19:40 UTC
The context of /etc is not properly initialized during a transactional-update session. So installing packages that call ldconfig in %post doesn't work.
# l -Zd /etc
drwxr-xr-x. 1 root root system_u:object_r:etc_t:s0 86 4. Mai 16:34 /etc/
# transactional-update shell
[...]
# l -Zd /etc
drwxr-xr-x. 1 root root unconfined_u:object_r:unlabeled_t:s0 10 May 4 17:02 /etc/
# ldconfig
ldconfig: Warning: ignoring configuration file that cannot be opened: /etc/ld.so.conf: Permission denied
ldconfig: Can't create temporary cache file /etc/ld.so.cache.KuqjFz: Permission denied
# setfilecon system_u:object_r:etc_t:s0 /etc
# ldconfig
#
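
Added example, not part of the original report: a small shell check that pulls the SELinux context out of an `ls -Zd` line and flags a directory whose type is not the expected one, which is the condition shown above for /etc inside the update session. The function names are hypothetical, and the two sample lines are copied from the report so the check runs offline.

```shell
#!/bin/sh
# Sample `ls -Zd` lines taken from the report (host vs. transactional-update shell).
HOST_LINE='drwxr-xr-x. 1 root root system_u:object_r:etc_t:s0 86 4. Mai 16:34 /etc/'
SNAPSHOT_LINE='drwxr-xr-x. 1 root root unconfined_u:object_r:unlabeled_t:s0 10 May 4 17:02 /etc/'

# Print the SELinux context (user:role:type:level) found in one `ls -Zd` line.
# The context is the first field with at least four colon-separated parts,
# which skips timestamps such as 16:34 and tolerates MLS levels like s0:c0.c1023.
context_of() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[^:]+:[^:]+:[^:]+:[^:]+/) { print $i; exit }
    }'
}

# check_label LINE EXPECTED_TYPE
# Returns 0 if the type matches, 1 on a mismatch, 2 if the line has no context.
check_label() {
    ctx=$(context_of "$1")
    if [ -z "$ctx" ]; then
        echo "no-context"
        return 2
    fi
    setype=$(printf '%s\n' "$ctx" | cut -d: -f3)
    if [ "$setype" = "$2" ]; then
        echo "ok $setype"
        return 0
    fi
    echo "mismatch $setype (expected $2)"
    return 1
}

# Report on both sample lines; a mismatch must not abort the loop.
for line in "$HOST_LINE" "$SNAPSHOT_LINE"; do
    check_label "$line" etc_t || :
done
```

On a live system the same function can be fed the output of `ls -Zd /etc` taken inside `transactional-update shell`.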
https://github.com/openSUSE/transactional-update/pull/63
*** Bug 1185766 has been marked as a duplicate of this bug. ***
Having downloaded the latest version of MicroOS, the reported bug is still present.
Tested MicroOS 0507 and it still contains the reported issue.
If you want you may give https://download.opensuse.org/repositories/home:/lnussel:/tu/openSUSE_Factory/ a try, it contains my suggested fix.
I seem unable to resolve the dependencies when I try to install transactional-update from https://download.opensuse.org/repositories/home:/lnussel:/tu/openSUSE_Factory/
# zypper lr -P
# | Alias                       | Name                                                               | Enabled | GPG Check | Refresh | Priority
--+-----------------------------+--------------------------------------------------------------------+---------+-----------+---------+---------
1 | home_lnussel_tu             | Branch project for package transactional-update (openSUSE_Factory) | Yes     | (r ) Yes  | Yes     |       80
2 | openSUSE-MicroOS-20210507-0 | openSUSE-MicroOS-20210507-0                                        | No      | ----      | ----    |       99
3 | repo-debug                  | openSUSE-Tumbleweed-Debug                                          | No      | ----      | ----    |       99
4 | repo-non-oss                | openSUSE-Tumbleweed-Non-Oss                                        | Yes     | (r ) Yes  | Yes     |       99
5 | repo-oss                    | openSUSE-Tumbleweed-Oss                                            | Yes     | (r ) Yes  | Yes     |       99
6 | repo-source                 | openSUSE-Tumbleweed-Source                                         | No      | ----      | ----    |       99
7 | repo-update                 | openSUSE-Tumbleweed-Update                                         | Yes     | (r ) Yes  | Yes     |       99
# zypper refresh --repo 1
Repository 'Branch project for package transactional-update (openSUSE_Factory)' is up to date.
Specified repositories have been refreshed.
# transactional-update pkg install --repo 1 --force transactional-update
Checking for newer version.
transactional-update 3.3.0 started
Options: pkg install --repo 1 --force transactional-update
Separate /var detected.
WARNING: You are creating a snapshot from a different base (1) than the current default snapshot (4). If you want to continue a previous snapshot use the --continue option, otherwise the previous changes will be discarded.
2021-05-10 16:41:26 tukit 3.3.0 started
2021-05-10 16:41:26 Options: -c1 open
2021-05-10 16:41:26 Using snapshot 1 as base for new snapshot 5.
2021-05-10 16:41:26 No previous snapshot to sync with - skipping
ID: 5
2021-05-10 16:41:26 Transaction completed.
Calling zypper install
2021-05-10 16:41:27 tukit 3.3.0 started
2021-05-10 16:41:27 Options: callext 5 zypper -R {} install --repo 1 --force transactional-update
2021-05-10 16:41:27 Executing `zypper -R /tmp/transactional-update-4e0Buo install --repo 1 --force transactional-update`:
Loading repository data...
Reading installed packages...
Forcing installation of 'transactional-update-v3.3.0+git20210507.413301b-6.1.x86_64' from repository 'Branch project for package transactional-update (openSUSE_Factory)'.
Resolving package dependencies...
Problem: dracut-transactional-update-3.3.0-1.2.noarch conflicts with transactional-update < 3.0.0 provided by transactional-update-v3.3.0+git20210507.413301b-6.1.x86_64
 Solution 1: do not install transactional-update-v3.3.0+git20210507.413301b-6.1.x86_64
Choose the above solution using '1' or cancel using 'c' [1/c/d/?] (c): c
2021-05-10 16:41:29 Application returned with exit status 4.
ERROR: zypper install on /.snapshots/5/snapshot failed with exit code 4!
Removing snapshot #5...
2021-05-10 16:41:29 tukit 3.3.0 started
2021-05-10 16:41:29 Options: abort 5
2021-05-10 16:41:29 Discarding snapshot 5.
2021-05-10 16:41:29 Transaction completed.
transactional-update finished
Try "transactional-update -i dup"
Which fails unfortunately due to the issue with transactional-update and selinux:
/sbin/ldconfig: Warning: ignoring configuration file that cannot be opened: /etc/ld.so.conf: Permission denied
and the proposed fix does not seem to be included in the list of packages:
The following 12 packages are going to be upgraded:
  boost-license1_76_0 ca-certificates libboost_thread1_76_0 libpng16-16 MicroOS-release MicroOS-release-appliance patterns-microos-base patterns-microos-basesystem patterns-microos-base-zypper patterns-microos-defaults patterns-microos-hardware patterns-microos-selinux
The following 6 patterns are going to be upgraded:
  basesystem microos_base microos_base_zypper microos_defaults microos_hardware microos_selinux
The following product is going to be upgraded:
  openSUSE MicroOS 20210507-0 -> 20210508-0
the problem is that the tags in git start with 'v' which ends up older than the real version numbers. So the auto generation via _service doesn't work properly. I've fixed the _service file to not use @PARENT_TAG@
you may want to download the files manually and install them in "transactional-update shell" so you can ignore the errors.
Ignoring the errors resulted for me in an unbootable system. Well, to be fair, zypper did warn about it. Is there a timeline when the proposed fix makes it to a release? 0508 does not have it.
Gave it another try by not using zypper, but rather rpm itself. Did not work unfortunately.
transactional update # rpm --install --replacepkgs --replacefiles --force dracut-transactional-update-v3.3.0+git20210507.413301b-6.1.noarch.rpm libtukit0-v3.3.0+git20210507.413301b-6.1.x86_64.rpm transactional-update-debuginfo-v3.3.0+git20210507.413301b-6.1.x86_64.rpm transactional-update-v3.3.0+git20210507.413301b-6.1.x86_64.rpm transactional-update-zypp-config-v3.3.0+git20210507.413301b-6.1.noarch.rpm tukit-v3.3.0+git20210507.413301b-6.1.x86_64.rpm
error: Failed dependencies:
  transactional-update < 3.0.0 conflicts with dracut-transactional-update-v3.3.0+git20210507.413301b-6.1.noarch
  transactional-update < 2.15 conflicts with (installed) read-only-root-fs-1.0+git20200730.1243fd0-2.2.noarch
  transactional-update < 3.0.0 conflicts with (installed) tukit-3.3.0-1.2.x86_64
  transactional-update < 3.0.0 conflicts with (installed) dracut-transactional-update-3.3.0-1.2.noarch
  transactional-update < 3.0.0 conflicts with tukit-v3.3.0+git20210507.413301b-6.1.x86_64
OBS decided to not rebuild the package the whole night. It's updated and published now, reporting version 3.3.0+git20210507.413301b which is newer than 3.0.0
I can now confirm that the packages from: https://download.opensuse.org/repositories/home:/lnussel:/tu/openSUSE_Factory/ are installable and that after a reboot transactional-update no longer runs into the '/etc/ld.so.conf: Permission denied' issue anymore.
Executing %posttrans script 'lvm2-2.03.10-8.1.x86_64.rpm' [..
Output of lvm2-2.03.10-8.1.x86_64.rpm %posttrans script:
Creating initrd: /boot/initrd-5.12.0-2-default
dracut: Executing: /usr/bin/dracut --logfile /var/log/YaST2/mkinitrd.log --force /boot/initrd-5.12.0-2-default 5.12.0-2-default
...
dracut: root=UUID=d9341b6b-bc5c-4c90-8050-2cdbb1bfb627 rootfstype=btrfs rootflags=rw,relatime,seclabel,ssd,space_cache,subvolid=273,subvol=/@/.snapshots/5/snapshot,subvol=@/.snapshots/5/snapshot
ldconfig: Warning: ignoring configuration file that cannot be opened: /etc/ld.so.conf: Permission denied
ldconfig: Can't create temporary cache file /var/tmp/dracut.8jlBgJ/initramfs/etc/ld.so.cache.tV8tvC: Permission denied
transactional-update ends with:
2021-05-11 11:53:46 Application returned with exit status 0.
2021-05-11 11:53:46 Transaction completed.
Trying to rebuild kdump initrd
2021-05-11 11:53:46 tukit 3.3.0 started
2021-05-11 11:53:46 Options: call 5 /usr/sbin/tu-rebuild-kdump-initrd
2021-05-11 11:53:46 Executing `/usr/sbin/tu-rebuild-kdump-initrd`:
2021-05-11 11:53:46 Application returned with exit status 0.
2021-05-11 11:53:46 Transaction completed.
2021-05-11 11:53:46 tukit 3.3.0 started
2021-05-11 11:53:46 Options: close 5
2021-05-11 11:53:47 New default snapshot is #5 (/.snapshots/5/snapshot).
2021-05-11 11:53:47 Transaction completed.
So, all appears to be well except for the warning messages.
Is there an update on this bug? The patch that should fix this issue has been open for review for 12 days now.
After installing the latest MicroOS version:
test-vm:~ # head -2 /etc/os-release
NAME="openSUSE MicroOS"
# VERSION="20210524"
transactional-update is still failing to install packages, or perform an automated update of the system. Do I need to worry about security? This is because no updates are possible without the selinux fix. The reason why I am worried is that although MicroOS tries to be minimalistic about the packages that are installed, one does need to update any system from time to time to fix security issues. Currently transactional-update does not work with selinux enabled. There does seem to be a fix, but it has yet to be reviewed and applied. It seems that that takes quite a bit of time in the context of security and that does worry me. Is there an estimate when transactional-update fixes the selinux bug?
PS: I am personally not affected by the failure of transactional-update as I am running the patched version. I still think this is important to fix. If it is not important, let me know and I'll shut up.
This is an autogenerated message for OBS integration: This bug (1185625) was mentioned in https://build.opensuse.org/request/show/899839 Factory / transactional-update
*** Bug 1186842 has been marked as a duplicate of this bug. ***
*** Bug 1186775 has been marked as a duplicate of this bug. ***
This problem has been fixed with transactional-update 3.4.0 by applying Ludwig's patch (the first one of the linked GitHub pull request). I'm sorry for the long delay until the fix was actually released - I've been hunting down several more SELinux problems, this was just one of them (https://build.opensuse.org/request/show/900527 is another important one).
*** Bug 1186023 has been marked as a duplicate of this bug. ***
I can confirm that transactional-update works again as expected. Thanks for fixing it.
One minor issue though. If transactional-update has been updated to version 3.4.0, then that is not what is displayed on the command line:
# transactional-update --version
transactional-update 3.3.0
Oh dear, I had tagged the wrong commit in git. Will release a minor version soon to correct the version number...
SUSE-RU-2021:2192-1: An update that has 15 recommended fixes can now be installed.
Category: recommended (important)
Bug References: 1173842,1177149,1182525,1182544,1183442,1183521,1183539,1183856,1184529,1185224,1185226,1185625,1185766,1186775,1186842
CVE References:
JIRA References:
Sources used:
SUSE MicroOS 5.0 (src): transactional-update-3.4.0-3.6.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-RU-2022:0487-1: An update that has 27 recommended fixes can now be installed.
Category: recommended (moderate)
Bug References: 1133891,1149131,1177149,1183521,1183539,1183856,1184529,1185224,1185226,1185625,1185766,1186213,1186775,1186842,1188110,1188322,1188648,1189728,1189807,1190383,1190574,1190788,1191475,1191945,1192078,1192242,1192302
CVE References:
JIRA References:
Sources used:
SUSE Linux Enterprise Module for Transactional Server 15-SP3 (src): transactional-update-3.6.2-150300.3.3.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-RU-2022:0487-1: An update that has 27 recommended fixes can now be installed.
Category: recommended (moderate)
Bug References: 1133891,1149131,1177149,1183521,1183539,1183856,1184529,1185224,1185226,1185625,1185766,1186213,1186775,1186842,1188110,1188322,1188648,1189728,1189807,1190383,1190574,1190788,1191475,1191945,1192078,1192242,1192302
CVE References:
JIRA References:
Sources used:
openSUSE Leap 15.3 (src): transactional-update-3.6.2-150300.3.3.1