RHEL 8.8 compatibility (container-selinux-2:2.205.0-2)

[Klaas-]

Hi, The current and testing versions create errors with container-selinux-2:2.205.0-2.module+el8.8.0+18438+15d3aa65.noarch

Tested versions: k3s-selinux-1.2-2.el8.noarch.rpm k3s-selinux-1.3-9.el8.noarch.rpm

Both show the same error

# dnf update
Last metadata expiration check: 0:26:52 ago on Wed 24 May 2023 09:00:09 AM UTC.
Dependencies resolved.
==============================================================================================================================================================================================================
 Package                                 Architecture                 Version                                                          Repository                                                        Size
==============================================================================================================================================================================================================
Upgrading:
 container-selinux                       noarch                       2:2.205.0-2.module+el8.8.0+18438+15d3aa65                        rhui-rhel-8-for-x86_64-appstream-rhui-rpms                        64 k

Transaction Summary
==============================================================================================================================================================================================================
Upgrade  1 Package

Total download size: 64 k
Is this ok [y/N]: y
Downloading Packages:
container-selinux-2.205.0-2.module+el8.8.0+18438+15d3aa65.noarch.rpm                                                                                                          406 kB/s |  64 kB     00:00
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                                                                                         402 kB/s |  64 kB     00:00
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                                                                                                                                      1/1
  Running scriptlet: container-selinux-2:2.205.0-2.module+el8.8.0+18438+15d3aa65.noarch                                                                                                                   1/2
  Upgrading        : container-selinux-2:2.205.0-2.module+el8.8.0+18438+15d3aa65.noarch                                                                                                                   1/2
  Running scriptlet: container-selinux-2:2.205.0-2.module+el8.8.0+18438+15d3aa65.noarch                                                                                                                   1/2
Conflicting name type transition rules
Binary policy creation failed at /var/lib/selinux/targeted/tmp/modules/200/k3s/cil:135
Failed to generate binary
/usr/sbin/semodule:  Failed!

  Cleanup          : container-selinux-2:2.189.0-1.module+el8.7.0+17824+66a0202b.noarch                                                                                                                   2/2
  Running scriptlet: container-selinux-2:2.189.0-1.module+el8.7.0+17824+66a0202b.noarch                                                                                                                   2/2
  Running scriptlet: container-selinux-2:2.205.0-2.module+el8.8.0+18438+15d3aa65.noarch                                                                                                                   2/2
  Verifying        : container-selinux-2:2.205.0-2.module+el8.8.0+18438+15d3aa65.noarch                                                                                                                   1/2
  Verifying        : container-selinux-2:2.189.0-1.module+el8.7.0+17824+66a0202b.noarch                                                                                                                   2/2
Installed products updated.

Upgraded:
  container-selinux-2:2.205.0-2.module+el8.8.0+18438+15d3aa65.noarch

Complete!

[rancher-max]

Hello! Thank you for the report. This update in el8 happened while we were working on changes for the same update in el9 (and other distros). However, it has not yet been made across the board for el8 distros, so the approach we took in resolving this involved requiring a version less than container-selinux-2:2.191.0-1. I wrote some more details in https://github.com/k3s-io/k3s/issues/7307#issuecomment-1562078486, but this should be available now in the testing channel with the latest install script that was just merged.

[Klaas-]

Hi @rancher-max I tested the latest k3s-selinux-1.3-9.el8.noarch.rpm as well. I'd guess you need to make it a stronger dependency (so that container-selinux does not get updated) or support the current rhel 8.8 version container-selinux-2:2.205.0-2.module+el8.8.0+18438+15d3aa65

[Klaas-]

ah I see you also released a k3s-selinux-1.3-10.el8.noarch.rpm -- I'll give it a try next week

[Klaas-]

As feedback k3s-selinux-1.3-1.el8.noarch works with container-selinux-2:2.205.0-2.module+el8.8.0+18438+15d3aa65.noarch, but I had to delete k3s-selinux, upgrading it was not enough.

[rancher-max]

The install script should handle most of that, but yeah you're right -- there's a chicken:egg problem between k3s-selinux and container-selinux during an upgrade if you're just pulling binaries. This is the section of the install script that handles that problem: https://github.com/k3s-io/k3s/blob/master/install.sh#L618-L626.