Rpm-ostree + ima broken in Fedora 42

rpm-ostree + ima is broken in Fedora 42, but worked fine in Fedora 41. Running rpm-ostree compose image seems to fail because both systemd-shared and systemd-libs provide /usr/share/licenses/systemd/LICENSE.LGPL2.1. I’d report this in Bugzilla, but I’m not sure whether to file this against rpm-ostree or systemd (or maybe ima even?).

Minimal example:

$ podman run --pull=newer -it --rm --privileged --security-opt=label=disable registry.fedoraproject.org/fedora-minimal:42

# dnf install --assumeyes rpm-ostree
# cd ~
# cp /etc/yum.repos.d/* .

# cat > treefile.yaml <<EOF
edition: "2024"
releasever: 42
selinux: false
ima: true
recommends: false

packages:
  - systemd
EOF

# rpm-ostree compose image --initialize ./treefile.yaml ./out.tar
Enabled rpm-md repositories: fedora-cisco-openh264 updates fedora
Updating metadata for 'fedora-cisco-openh264'... done
Updating metadata for 'updates'... done
Updating metadata for 'fedora'... done
Importing rpm-md... done
rpm-md repo 'fedora-cisco-openh264'; generated: 2024-08-21T16:04:02Z solvables: 3
rpm-md repo 'updates'; generated: 2025-04-25T02:07:37Z solvables: 7902
rpm-md repo 'fedora'; generated: 2025-04-11T05:17:07Z solvables: 76879
Resolving dependencies... done
Installing 61 packages:
  alternatives-1.32-1.fc42.x86_64 (fedora)
  audit-libs-4.0.3-2.fc42.x86_64 (fedora)
  basesystem-11-22.fc42.noarch (fedora)
  bash-5.2.37-1.fc42.x86_64 (fedora)
  bzip2-libs-1.0.8-20.fc42.x86_64 (fedora)
  ca-certificates-2024.2.69_v8.0.401-6.fc42.noarch (updates)
  coreutils-9.6-2.fc42.x86_64 (fedora)
  coreutils-common-9.6-2.fc42.x86_64 (fedora)
  crypto-policies-20250214-1.gitff7551b.fc42.noarch (fedora)
  dbus-1:1.16.0-3.fc42.x86_64 (fedora)
  dbus-broker-36-5.fc42.x86_64 (fedora)
  dbus-common-1:1.16.0-3.fc42.noarch (fedora)
  expat-2.7.1-1.fc42.x86_64 (fedora)
  fedora-gpg-keys-42-1.noarch (fedora)
  fedora-release-42-26.noarch (updates)
  fedora-release-common-42-26.noarch (updates)
  fedora-release-identity-basic-42-26.noarch (updates)
  fedora-repos-42-1.noarch (fedora)
  filesystem-3.18-36.fc42.x86_64 (fedora)
  findutils-1:4.10.0-5.fc42.x86_64 (fedora)
  glibc-2.41-3.fc42.x86_64 (updates)
  glibc-common-2.41-3.fc42.x86_64 (updates)
  glibc-minimal-langpack-2.41-3.fc42.x86_64 (updates)
  gmp-1:6.3.0-4.fc42.x86_64 (fedora)
  grep-3.11-10.fc42.x86_64 (fedora)
  libacl-2.3.2-3.fc42.x86_64 (fedora)
  libattr-2.5.2-5.fc42.x86_64 (fedora)
  libblkid-2.40.4-7.fc42.x86_64 (fedora)
  libcap-2.73-2.fc42.x86_64 (fedora)
  libcap-ng-0.8.5-4.fc42.x86_64 (fedora)
  libeconf-0.7.6-1.fc42.x86_64 (fedora)
  libfdisk-2.40.4-7.fc42.x86_64 (fedora)
  libffi-3.4.6-5.fc42.x86_64 (fedora)
  libgcc-15.0.1-0.11.fc42.x86_64 (fedora)
  libmount-2.40.4-7.fc42.x86_64 (fedora)
  libseccomp-2.5.5-2.fc41.x86_64 (fedora)
  libselinux-3.8-1.fc42.x86_64 (fedora)
  libsemanage-3.8-1.fc42.x86_64 (fedora)
  libsepol-3.8-1.fc42.x86_64 (fedora)
  libsmartcols-2.40.4-7.fc42.x86_64 (fedora)
  libtasn1-4.20.0-1.fc42.x86_64 (fedora)
  libuuid-2.40.4-7.fc42.x86_64 (fedora)
  libxcrypt-4.4.38-7.fc42.x86_64 (updates)
  ncurses-base-6.5-5.20250125.fc42.noarch (fedora)
  ncurses-libs-6.5-5.20250125.fc42.x86_64 (fedora)
  openssl-libs-1:3.2.4-3.fc42.x86_64 (fedora)
  p11-kit-0.25.5-5.fc42.x86_64 (fedora)
  p11-kit-trust-0.25.5-5.fc42.x86_64 (fedora)
  pam-libs-1.7.0-4.fc42.x86_64 (fedora)
  pcre2-10.45-1.fc42.x86_64 (fedora)
  pcre2-syntax-10.45-1.fc42.noarch (fedora)
  sed-4.9-4.fc42.x86_64 (fedora)
  setup-2.15.0-13.fc42.noarch (fedora)
  shadow-utils-2:4.17.4-1.fc42.x86_64 (fedora)
  systemd-257.5-2.fc42.x86_64 (updates)
  systemd-libs-257.5-2.fc42.x86_64 (updates)
  systemd-pam-257.5-2.fc42.x86_64 (updates)
  systemd-shared-257.5-2.fc42.x86_64 (updates)
  systemd-sysusers-257.5-2.fc42.x86_64 (updates)
  util-linux-core-2.40.4-7.fc42.x86_64 (fedora)
  zlib-ng-compat-2.2.4-3.fc42.x86_64 (fedora)
Input state hash: cb9898c8fb42bd17949a9b0ccc9e1eb43464a7e9498053e7534336b19b26fb81
Will download: 61 packages (28.3 MB)
Downloading from 'fedora'... done
Downloading from 'updates'... done
Importing packages... done: 61
Checking out packages... done
error: Subprocess failed: ExitStatus(unix_wait_status(256))
rpm-ostree version: 2025.7
error: Installing packages: Checkout systemd-shared-257.5-2.fc42.x86_64: Hardlinking bd/f4751df4984f28a24306e1a113ba927baf638258381f5d63f37c0b129a99bd.file to LICENSE.LGPL2.1: File exists

# dnf provides /usr/share/licenses/systemd/LICENSE.LGPL2.1
Updating and loading repositories:
 Fedora 42 - x86_64 - Updates
 Fedora 42 openh264 (From Cisco) - x86_64
 Fedora 42 - x86_64
Repositories loaded.
systemd-libs-257.5-2.fc42.x86_64 : systemd libraries
Repo         : @System
Matched From :
Filename     : /usr/share/licenses/systemd/LICENSE.LGPL2.1

systemd-shared-257.5-2.fc42.x86_64 : Internal systemd shared library
Repo         : @System
Matched From :
Filename     : /usr/share/licenses/systemd/LICENSE.LGPL2.1

systemd-libs-257.5-2.fc42.i686 : systemd libraries
Repo         : updates
Matched From :
Filename     : /usr/share/licenses/systemd/LICENSE.LGPL2.1

systemd-libs-257.5-2.fc42.x86_64 : systemd libraries
Repo         : updates
Matched From :
Filename     : /usr/share/licenses/systemd/LICENSE.LGPL2.1

systemd-shared-257.5-2.fc42.i686 : Internal systemd shared library
Repo         : updates
Matched From :
Filename     : /usr/share/licenses/systemd/LICENSE.LGPL2.1

systemd-shared-257.5-2.fc42.x86_64 : Internal systemd shared library
Repo         : updates
Matched From :
Filename     : /usr/share/licenses/systemd/LICENSE.LGPL2.1

systemd-libs-257.3-7.fc42.i686 : systemd libraries
Repo         : fedora
Matched From :
Filename     : /usr/share/licenses/systemd/LICENSE.LGPL2.1

systemd-libs-257.3-7.fc42.x86_64 : systemd libraries
Repo         : fedora
Matched From :
Filename     : /usr/share/licenses/systemd/LICENSE.LGPL2.1

systemd-shared-257.3-7.fc42.i686 : Internal systemd shared library
Repo         : fedora
Matched From :
Filename     : /usr/share/licenses/systemd/LICENSE.LGPL2.1

systemd-shared-257.3-7.fc42.x86_64 : Internal systemd shared library
Repo         : fedora
Matched From :
Filename     : /usr/share/licenses/systemd/LICENSE.LGPL2.1

Related: License duplication in systemd-shared-257.3-7.fc42 causes ostree creation to fail · Issue #80 · fedora-iot/iot-distro · GitHub

Neither the Atomic Desktops nor CoreOS use IMA and we are working on composefs instead for integrity guarantees.


Related: License duplication in systemd-shared-257.3-7.fc42 causes ostree creation to fail · Issue #80 · fedora-iot/iot-distro · GitHub

Thanks. I had figured that this had already been reported somewhere, but Google was failing me.

Neither the Atomic Desktops nor CoreOS use IMA

Ah, I was basing my treefile off of IoT, but it looks like they’ve disabled ima because of this same issue: Commit - fedora-iot/ostree - a743314472c14fbc65e79587c1b6cf165d50f76f - Pagure.io

we are working on composefs instead for integrity guarantees.

I already have composefs enabled, so are you saying that that makes ima redundant?

It will in the future. I’m not sure exactly what the IMA guarantees are right now.
