Short tip: transactional-update and failing post-scripts

I recently updated an openSUSE Leap Micro 6.1 machine running Uyuni 2025.05 before upgrading to Uyuni 2025.07:

# transactional-update
# reboot

After running transactional-update (as recommended by the Uyuni documentation) and rebooting the system, Uyuni could no longer be started:

# mgradm start
4:36PM INF Welcome to mgradm
4:36PM INF Executing command: start
Error: failed to start systemd uyuni-db.service: exit status 1; failed to start systemd uyuni-server.service: exit status 1

# podman ps
CONTAINER ID  IMAGE       COMMAND     CREATED     STATUS      PORTS       NAMES

I found out that Podman was no longer able to start the containers:

# journalctl -xeu uyuni-server.service
Aug 12 16:36:59 uyuni-server.uyuni.local systemd[1]: Failed to start Uyuni database container service.
░░ Subject: A start job for unit uyuni-db.service has failed
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░ 
░░ A start job for unit uyuni-db.service has finished with a failure.
░░ 
░░ The job identifier is 3028 and the job result is failed.
Aug 12 16:36:59 uyuni-server.uyuni.local systemd[1]: uyuni-db.service: Scheduled restart job, restart counter is at 5.
░░ Subject: Automatic restarting of a unit has been scheduled
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░ 
░░ Automatic restarting of the unit uyuni-db.service has been scheduled, as the result for
░░ the configured Restart= setting for the unit.
Aug 12 16:36:59 uyuni-server.uyuni.local systemd[1]: uyuni-db.service: Start request repeated too quickly.
Aug 12 16:36:59 uyuni-server.uyuni.local systemd[1]: uyuni-db.service: Failed with result 'exit-code'.

SELinux logged numerous denied accesses:

# audit2why -i /var/log/audit/audit.log
...
type=AVC msg=audit(1755009419.629:188): avc:  denied  { execute } for  pid=1627 comm="(podman)" name="podman" dev="sda3" ino=154908 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 trawcon="system_u:object_r:container_runtime_exec_t:s0"

	Was caused by:
		Missing type enforcement (TE) allow rule.

		You can use audit2allow to generate a loadable module to allow this access.
...

# sealert -l 00f14f0d-9d3b-45ea-88b0-588a07ae8aae
SELinux is preventing (podman) from execute access on the file podman.

*****  Plugin file (65.7 confidence) suggests   ******************************

If you think this is caused by a badly mislabeled machine.
Then you need to fully relabel.
Do
touch /.autorelabel; reboot

*****  Plugin file (65.7 confidence) suggests   ******************************

If you think this is caused by a badly mislabeled machine.
Then you need to fully relabel.
Do
touch /.autorelabel; reboot

*****  Plugin catchall_labels (11.3 confidence) suggests   *******************

If you want to allow (podman) to have execute access on the podman file
Then you need to change the label on podman
Do
# semanage fcontext -a -t FILE_TYPE 'podman'
where FILE_TYPE is one of the following: ...
Then execute:
restorecon -v 'podman'


*****  Plugin catchall (2.67 confidence) suggests   **************************

If you believe that (podman) should be allowed execute access on the podman file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c '(podman)' --raw | audit2allow -M my-podman
# semodule -X 300 -i my-podman.pp


Additional Information:
Source Context                system_u:system_r:init_t:s0
Target Context                system_u:object_r:unlabeled_t:s0
Target Objects                podman [ file ]
Source                        (podman)
Source Path                   (podman)
Port                          <Unknown>
Host                          uyuni-server.uyuni.local
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-20241031+git8.1f94e96d-
                              slfo.1.1_1.1.noarch
Local Policy RPM              selinux-policy-targeted-20241031+git8.1f94e96d-
                              slfo.1.1_1.1.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     uyuni-server.uyuni.local
Platform                      Linux uyuni-server.uyuni.local 6.4.0-31-default
                              #1 SMP PREEMPT_DYNAMIC Tue Jul  1 14:59:55 UTC
                              2025 (78b2f4b) x86_64 x86_64
Alert Count                   40
First Seen                    2025-08-12 16:36:00 CEST
Last Seen                     2025-08-12 16:36:59 CEST
Local ID                      00f14f0d-9d3b-45ea-88b0-588a07ae8aae

Raw Audit Messages
type=AVC msg=audit(1755009419.629:188): avc:  denied  { execute } for  pid=1627 comm="(podman)" name="podman" dev="sda3" ino=154908 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 trawcon="system_u:object_r:container_runtime_exec_t:s0"


Hash: (podman),init_t,unlabeled_t,file,execute
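
Added example, not part of the original post: the AVC record above carries a trawcon field, which the kernel logs only when the context stored for the object is not valid in the loaded policy, so the object is enforced as unlabeled_t. The Python below filters an audit log for such records; the function names are illustrative, and the second and third sample lines are constructed.

```python
import re
from collections import Counter

# Sample input. Record 1 is the AVC quoted on this page; record 2 is a constructed
# ordinary denial (no *rawcon field); record 3 is a constructed non-AVC line.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1755009419.629:188): avc:  denied  { execute } for  pid=1627 comm="(podman)" name="podman" dev="sda3" ino=154908 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 trawcon="system_u:object_r:container_runtime_exec_t:s0"
type=AVC msg=audit(1755009500.100:201): avc:  denied  { read } for  pid=2001 comm="example" name="data.txt" dev="sda3" ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1755009500.100:201): arch=c000003e syscall=257 success=no exit=-13
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')      # key=value, value optionally quoted
PERMS_RE = re.compile(r"\{\s*([^}]*?)\s*\}")    # the "{ execute }" permission set


def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None for other records."""
    if not line.startswith("type=AVC") or " denied " not in line:
        return None
    fields = {key: value.strip('"') for key, value in KV_RE.findall(line)}
    perms = PERMS_RE.search(line)
    fields["perms"] = perms.group(1).split() if perms else []
    return fields


def selinux_type(context):
    """Extract the type field from a user:role:type:level context string."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def invalid_label_denials(log_text):
    """Find denials for which the kernel logged srawcon or trawcon.

    Those fields hold the stored context when it is invalid in the loaded
    policy; scontext/tcontext then show what was actually enforced.
    """
    findings = []
    for line in log_text.splitlines():
        avc = parse_avc(line)
        if avc is None:
            continue
        for raw_key, ctx_key in (("srawcon", "scontext"), ("trawcon", "tcontext")):
            if raw_key in avc:
                findings.append({
                    "object": avc.get("name", "?"),
                    "comm": avc.get("comm", "?"),
                    "perms": avc["perms"],
                    "enforced_as": selinux_type(avc[ctx_key]),
                    "raw_type": selinux_type(avc[raw_key]),
                })
    return findings


def unknown_types(findings):
    """Count the stored types that the loaded policy did not accept."""
    return Counter(f["raw_type"] for f in findings)


if __name__ == "__main__":
    for f in invalid_label_denials(SAMPLE_AUDIT_LOG):
        print(f"{f['comm']} {'/'.join(f['perms'])} on {f['object']}: stored type "
              f"{f['raw_type']} is invalid in the loaded policy, "
              f"enforced as {f['enforced_as']}")
```

A hit from this filter points at a mismatch between the stored labels and the policy that is currently loaded, which is a different condition from a policy that merely lacks an allow rule.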

A conceivable first workaround is to create locks for the selinux-policy and selinux-policy-targeted packages before installing available updates:

# zypper addlock selinux-policy
# zypper addlock selinux-policy-targeted
# zypper up

I looked at the behaviour again on another system and found that the error does not occur when the updates are installed in an interactive transactional shell:

# transactional-update shell
transactional update ~# zypper ref
transactional update ~# zypper up
transactional update ~# exit
# reboot

After the reboot, both Podman and Uyuni were functional as expected.

For comparison, the output of the conventional transactional-update:

# transactional-update
...
%posttrans(selinux-policy-targeted-20241031+git8.1f94e96d-slfo.1.1_1.1.noarch) script output:
++ SELINUX=enforcing
++ SELINUXTYPE=targeted
.
%transfiletriggerin(systemd-254.25-slfo.1.1_1.1.x86_64) script output:
Running in chroot, ignoring command 'daemon-reload'
Running in chroot, ignoring command 'reload-or-restart'
..done]

It seems that some post-scripts fail in the conventional transactional-update session. It is conceivable that this behaviour also occurs with SLE Micro 5.5, SUSE Multi-Linux Manager and other applications.

Note

This topic is also being discussed on GitHub.
