Fedora 35 to 36 (and 37) via dnf-system-upgrade selinux breaks system

Hi friends.

Hope everyone doing well.

I got this big issue when upgrading a fedora 35 to 37.

i follow the documentation wich is very simple thanks to the dev.

But at some point when i do :

dnf system-upgrade reboot

i got errors with selinux upgrade.
It breaks the system and i cannot boot.

[386/2004] Upgrading selinux-policy-targeted-37.19-1.fc37.noarch...                                                                                                                           
[   81.710462] dnf[614]:   Running scriptlet: selinux-policy-targeted-37.19-1.fc37.noarch       386/2004                                                                                      
[   81.724230] dnf[614]:   Upgrading        : selinux-policy-targeted-37.19-1.fc37.noarch       386/2004                                                                                      
[386/2004] Running scriptlet selinux-policy-targeted-37.19-1.fc37.noarch...                                                                                                                   
[   86.749721] SELinux:  Converting 349 SID table entries...                                                                                                                                  
[   86.755890] SELinux:  policy capability network_peer_controls=1                                                                                                                            
[   86.756172] SELinux:  policy capability open_perms=1                                                                                                                                       
[   86.756353] SELinux:  policy capability extended_socket_class=1                                                                                                                            
[   86.756566] SELinux:  policy capability always_check_network=0                                                                                                                             
[   86.756787] SELinux:  policy capability cgroup_seclabel=1                                                                                                                                  
[   86.756989] SELinux:  policy capability nnp_nosuid_transition=1                                                                                                                            
[   86.757207] SELinux:  policy capability genfs_seclabel_symlinks=1                                                                                                                          
[   86.757428] SELinux:  policy capability ioctl_skip_cloexec=0                                                                                                                               
[   86.785208] kauditd_printk_skb: 48 callbacks suppressed                                                                                                                                    
[   86.785210] audit: type=1403 audit(1677058517.316:213): auid=4294967295 ses=4294967295 lsm=selinux res=1                                                                                   
[   86.786061] audit: type=1300 audit(1677058517.316:213): arch=c000003e syscall=1 success=yes exit=3584836 a0=4 a1=7f920d600000 a2=36b344 a3=0 items=0 ppid=2710 pid=2718 auid=4294967295 uid
=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="load_policy" exe="/usr/sbin/load_policy" subj=system_u:system_r:load_policy_t:s0 key=(null)
[   86.787764] audit: type=1327 audit(1677058517.316:213): proctitle="load_policy"

i stopped the system and checked the version at reboot

cat /etc/redhat-release
Fedora release 37 (Thirty Seven)

but obviously the system is broken . If i try to do some dnf operations :

Traceback (most recent call last):
  File "/usr/bin/dnf", line 61, in <module>
    from dnf.cli import main
ModuleNotFoundError: No module named 'dnf'

I can provide more specific logs and larger explanation of course.

Thank you for any input here.

Have a good day.

Please clarify: your subject says you were upgrading F35 to F36, but then you ended up in F37.

You say you stopped the system, presumably while the update was running. DId the system hang or was it because you saw the SELinux messages?

At first glance the SELinux messages are similar to those I see with any update.

Thank you @gnwiii for your reply.

I was unclear.

I tried to upgrade from 35 to 37 and then from 35 to 36 that is why i got confused myself sorry for this.

I saw the system update has freezed at this very stage :

Upgrading selinux-policy-targeted-37.19-1.fc37.noarch

at reboot via a serial TTYS0 interface.

Firstly i thought it was the serial misbehaving and hung at some point.

That is why i force stopped the VM. A wrong choice i’m sure of this.

I got backups and can rollback ultra easily to try other methods.

I learned to avoid upgrading OS’s in VM’s – upgrades are tricky enough and VM’s sometimes change settings for newer OS versions.

You need to boot a Fedora live session and mount the root filesystem, then proceed as follows:

# Sync installed packages to the latest release
sudo dnf --installroot /mnt --releasever 37 distro-sync

# Remove duplicates
sudo dnf --installroot /mnt remove --duplicates

# Rebuild RPM database
sudo rpm --root /mnt --rebuilddb

# Find corrupted and missing files
sudo rpm --root /mnt -V -a
1 Like

That can take quite a while on a somewhat slow system with a somewhat slow disk unit. My old system was that way.

2 Likes

Thank you very much @vgaetera and @vekruse for your suggestions.

It was a matter of time.

I remember one time i did dome selinux relabel on a system and it took a very long time.

I repeated the operation and it’s ok now.

@vekruse thank you for this very technical procedure. I’ll keep it preciously in case of failure someday.