[SOLVED] Install a rpm package gives error - Selinux policy

I want to install the rstudio preview package on Fedora Silverblue.I downloaded the .rpm file but can’t install it.

$ rpm-ostree install rstudio-1.2.1564-x86_64.rpm
error: Loading pkgcache branch rpmostree/pkg/rstudio/1.2.1564-1.x86__64: Failed to find metadata key rpmostree.sepolicy (signature s)

$ dnf install rstudio-1.2.1564-x86_64.rpm
…
Error: Transaction check error:
installing package rstudio-1.2.1564-1.x86_64 needs 616MB on the / filesystem

root@yogabx➤➤ / # df -Th
Filesystem Type Size Used Avail Use% Mounted on
devtmpfs devtmpfs 3.8G 0 3.8G 0% /dev
tmpfs tmpfs 3.8G 143M 3.7G 4% /dev/shm
tmpfs tmpfs 3.8G 1.9M 3.8G 1% /run
tmpfs tmpfs 3.8G 0 3.8G 0% /sys/fs/cgroup
/dev/mapper/fedora_desktop–a2nbe2u–2-root xfs 140G 92G 49G 66% /sysroot
tmpfs tmpfs 3.8G 3.6M 3.8G 1% /tmp
/dev/nvme0n1p7 ext4 976M 132M 778M 15% /boot
/dev/nvme0n1p6 vfat 488M 8.9M 479M 2% /boot/efi
/dev/loop1 squashfs 55M 55M 0 100% /var/lib/snapd/snap/core18/1055
/dev/loop0 squashfs 109M 109M 0 100% /var/lib/snapd/snap/zulip/15
/dev/loop5 squashfs 36M 36M 0 100% /var/lib/snapd/snap/gtk-common-themes/1198
/dev/loop2 squashfs 109M 109M 0 100% /var/lib/snapd/snap/zulip/16
/dev/loop3 squashfs 114M 114M 0 100% /var/lib/snapd/snap/zulip/22
/dev/loop4 squashfs 43M 43M 0 100% /var/lib/snapd/snap/gtk-common-themes/1313
/dev/loop7 squashfs 89M 89M 0 100% /var/lib/snapd/snap/core/7270
/dev/loop6 squashfs 89M 89M 0 100% /var/lib/snapd/snap/core/7169
/dev/loop8 squashfs 55M 55M 0 100% /var/lib/snapd/snap/core18/1066
/dev/mapper/fedora_desktop–a2nbe2u–2-home xfs 5.0G 4.6G 483M 91% /var/home
tmpfs tmpfs 772M 21M 751M 3% /run/user/1000

NOTE: I can found some app installed in /sysroot/home/gabx/.local. I guess dnf want to install the package here? What I don’t understand is that my home .local is in fact a symlink to a directory on /sysroot where there is still plenty of free space.

$ ls -al /home/gabx/
 .....
 .local -> /sysroot/home/gabx/.local/

Can anyone tell me how install the package properly, without building/installing it by hand? Or how I can deal with this dnf message about missing space?

Thank you

I was able to successfully install the package using rpm-ostree install. Maybe you have an older version of rpm-ostree? Perhaps the RPM is corrupt?

$ md5sum rstudio-1.2.1565-x86_64.rpm 
b46e3fe4d5791ebc49b579533dc02507  rstudio-1.2.1565-x86_64.rpm

$ rpm-ostree --version
rpm-ostree:
 Version: '2019.5'
 Git: 8fda63603f625c83eef3d38ae4fd605b2e045ba4
 Features:
  - compose
  - rust

$ sudo rpm-ostree install rstudio-1.2.1565-x86_64.rpm
Checking out tree bec43c7... done
Enabled rpm-md repositories: updates fedora fedora-cisco-openh264 rpmfusion-nonfree rpmfusion-nonfree-updates rpmfusion-free rpmfusion-free-updates
rpm-md repo 'updates' (cached); generated: 2019-08-01T02:33:48Z
Updating metadata for 'fedora'... done
rpm-md repo 'fedora'; generated: 2019-04-25T23:49:41Z
rpm-md repo 'fedora-cisco-openh264' (cached); generated: 2019-03-21T15:16:16Z
rpm-md repo 'rpmfusion-nonfree' (cached); generated: 2019-04-16T21:53:39Z
rpm-md repo 'rpmfusion-nonfree-updates' (cached); generated: 2019-07-29T11:46:05Z
rpm-md repo 'rpmfusion-free' (cached); generated: 2019-04-16T20:46:20Z
rpm-md repo 'rpmfusion-free-updates' (cached); generated: 2019-07-29T11:24:48Z
Importing rpm-md... done
Resolving dependencies... done
Checking out packages... done
Running pre scripts... done
Running post scripts... done
Running posttrans scripts... done
Writing rpmdb... done
Writing OSTree commit... done
Staging deployment... done
Freed: 50.2 MB (pkgcache branches: 0)
Upgraded:
  adwaita-qt4 1.0.91-1.fc30 -> 1.1.0-2.fc30
  adwaita-qt5 1.0.91-1.fc30 -> 1.1.0-2.fc30
  fuse-overlayfs 0.4.2-0.dev.git7bc2dd9.fc30 -> 0.5-4.fc30
  hplip 3.19.6-1.fc30 -> 3.19.6-3.fc30
  hplip-common 3.19.6-1.fc30 -> 3.19.6-3.fc30
  hplip-libs 3.19.6-1.fc30 -> 3.19.6-3.fc30
  kernel 5.1.20-300.fc30 -> 5.2.4-200.fc30
  kernel-core 5.1.20-300.fc30 -> 5.2.4-200.fc30
  kernel-devel 5.1.20-300.fc30 -> 5.2.4-200.fc30
  kernel-headers 5.1.20-300.fc30 -> 5.2.4-200.fc30
  kernel-modules 5.1.20-300.fc30 -> 5.2.4-200.fc30
  kernel-modules-extra 5.1.20-300.fc30 -> 5.2.4-200.fc30
  libdnf 0.35.1-2.fc30 -> 0.35.1-3.fc30
  libimagequant 2.12.3-1.fc30 -> 2.12.5-1.fc30
  libinput 1.13.4-1.fc30 -> 1.13.901-1.fc30
  librepo 1.10.2-2.fc30 -> 1.10.5-1.fc30
  libsane-hpaio 3.19.6-1.fc30 -> 3.19.6-3.fc30
  patch 2.7.6-10.fc30 -> 2.7.6-11.fc30
  vim-common 2:8.1.1713-1.fc30 -> 2:8.1.1749-1.fc30
  vim-enhanced 2:8.1.1713-1.fc30 -> 2:8.1.1749-1.fc30
  vim-filesystem 2:8.1.1713-1.fc30 -> 2:8.1.1749-1.fc30
Added:
  libclc-0.2.0-15.git9f6204e.fc30.x86_64
  mesa-libOpenCL-19.1.3-1.fc30.x86_64
  opencl-filesystem-1.0-9.fc30.noarch
  rstudio-1.2.1565-1.x86_64
Run "systemctl reboot" to start a reboot

You won’t be able to install the RPM to the host using dnf; you can do that inside a container, though.

I didn’t even think SB had dnf installed.

It isn’t installed on the host by default, but sometimes it gets pulled in as a dependency when people are doing package layering (i.e. rpm-ostree install)

 % rpm-ostree --version         
rpm-ostree:
 Version: '2019.4'
 Git: 11f3ad2b1ecb634ab65dfab4a84bdb4f90930a2f
 Features:
  - compose
  - rust

I don’t have 2019.5, even after an upgrade. Any reason why?

 % rpm-ostree status 
State: idle
AutomaticUpdates: disabled
Deployments:
● ostree://fedora-workstation:fedora/30/x86_64/silverblue
                   Version: 30.20190802.0 (2019-08-02T00:50:50Z)
                BaseCommit: 26b1f69c89d0769a36a713b61a384d2c55edc76c2f6a30bc54fb1cbfcc0d907d
              GPGSignature: Valid signature by F1D8EC98F241AAF20DF69420EF3C111FCFC659B9
           LayeredPackages: ImageMagick R R-R.cache R-R.utils R-callr R-littler R-prettydoc
                            R-rmarkdown aide alacarte android-tools apg byacc chromium
                            compat-ffmpeg28 dnf electrum fedora-workstation-repositories
                            ffmpeg ffmpeg-devel ffmpeg-libs flex gcc 'gcc-c++' git
                            gnome-font-viewer gnome-tweak-tool gstreamer1-libav httpie hugo
                            kubernetes-client lapack libappindicator mutt nano nodejs
                            openblas perl-AnyEvent-I3 perl-open python2-kobo-rpmlib
                            python3-kobo-rpmlib scratch seahorse snapd telnet thunderbird
                            unar vim vlc wmctrl zsh

 % md5sum rstudio-1.2.1565-x86_64.rpm 
b46e3fe4d5791ebc49b579533dc02507  rstudio-1.2.1565-x86_64.rpm
%  rpm-ostree install rstudio-1.2.1565-x86_64.rpm 
Checking out tree 26b1f69... done
Enabled rpm-md repositories: updates fedora yarn rpm-fusion
rpm-md repo 'updates' (cached); generated: 2019-08-02T00:53:01Z
rpm-md repo 'fedora' (cached); generated: 2019-04-25T23:49:41Z
rpm-md repo 'yarn' (cached); generated: 2019-07-13T08:35:18Z
rpm-md repo 'rpm-fusion' (cached); generated: 2019-04-16T20:46:20Z
Importing rpm-md... done
Resolving dependencies... done
error: Loading pkgcache branch rpmostree/pkg/rstudio/1.2.1565-1.x86__64: Failed to find metadata key rpmostree.sepolicy (signature s)

Package is not corrupted. I can’t see what to do, but as you could install it, I must be able to do so

I found this thread and I think this is my case. Is Selinux disabled on your box?

On my box,it is disabled.

% sestatus
SELinux status:                 disabled

I have SELinux enabled:

$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      31

Is there a reason you have SElinux disabled?

I’m using fedora/30/x86_64/testing/silverblue, so I have a newer version of rpm-ostree that hasn’t quite made it to stable yet. See - https://bodhi.fedoraproject.org/updates/FEDORA-2019-e9ec1ee945

I opened an issue with rpm-ostree to improve the messaging in this case of SELinux disabled - [RFE] improve messaging when using `rpm-ostree install` + SELinux disabled · Issue #1879 · coreos/rpm-ostree · GitHub

Is there a reason you have SElinux disabled?

Yes, I work with servers where Selinux is enabled,and honestly, it is not always trivial. So for my own box, which is not intensively open to the network, I decided to disable it. But I can’t see any reason why enabling Selinux would solve my issue.
I am afraid enforcing it now will mess my system,from what I could read about enforcing after months/years.

I think what’s happening there is that different parts of rpm-ostree make different assumptions about the SELinux state. While rpm-ostree should work with SELinux disabled, it’s definitely not the common scenario (i.e. don’t be surprised if you hit other issues).

Yes, I work with servers where Selinux is enabled,and honestly, it is not always trivial.

I feel your pain there, but once you get used to it it’s not so bad. Especially in Fedora, where SELinux support is pretty good. If you’d really not rather have it enforcing, you’ll still likely have better luck in permissive mode than fully disabling it. That way at least rpm-ostree can still do file labeling.

I may enforce it as I feel quite comfortable with it. I just wanted to avoid for my own box, but if you say I will encounter other issue, let’s go. Last advice: can I enforce it straight now, without any issue?

Thank you for your precious answer

Somewhat unrelated, but that’s quite a large amount of layered packages. However of course it’s your choice what you layer, but imho the less layered as possible the better.

gcc, git, vim (vi) is in the compose so you don’t need that layered. dnf just isn’t going to work, everything else can either be replaced with flatpak packages or done in toolbox.

Except Chromium, Tweak Tool and zsh.

@gabx Probably just best to set SELInux as permissive, you can still see any possible SELinux errors that way but they won’t block anything.

quite a large amount of layered packages.

I didn’t take care of this large amount, but I will try to make some cleaning, especially those who are in the compose. But I am not a huge fan of flatpack as I found some buggy packages.
Any good hint as about layered packages vs compose?

FWIW, I reproduced this on a VM with SELInux disabled:

$ rpm-ostree status
State: busy
AutomaticUpdates: disabled
Transaction: (null)
Deployments:
● ostree://fedora:fedora/30/x86_64/silverblue
                   Version: 30.20190802.0 (2019-08-02T00:50:50Z)
                    Commit: 26b1f69c89d0769a36a713b61a384d2c55edc76c2f6a30bc54fb1cbfcc0d907d
              GPGSignature: Valid signature by F1D8EC98F241AAF20DF69420EF3C111FCFC659B9

  ostree://fedora:fedora/30/x86_64/silverblue
                   Version: 30.1.2 (2019-04-25T23:13:10Z)
                    Commit: 982faf58087c9d020780b829d5f24b4e78bd40399b4e4769fc8bc2df9890e301
              GPGSignature: Valid signature by F1D8EC98F241AAF20DF69420EF3C111FCFC659B9

$ sestatus
SELinux status:                 disabled

$ curl -LO https://s3.amazonaws.com/rstudio-ide-build/desktop/fedora28/x86_64/rstudio-1.2.1565-x86_64.rpm
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  115M  100  115M    0     0   376k      0  0:05:12  0:05:12 --:--:--  624k

$ sudo rpm-ostree install rstudio-1.2.1565-x86_64.rpm
[sudo] password for miabbott: 
Checking out tree 26b1f69... done
Enabled rpm-md repositories: updates fedora
rpm-md repo 'updates' (cached); generated: 2019-08-02T00:53:01Z
rpm-md repo 'fedora' (cached); generated: 2019-04-25T23:49:41Z
Importing rpm-md... done
Resolving dependencies... done
error: Loading pkgcache branch rpmostree/pkg/rstudio/1.2.1565-1.x86__64: Failed to find metadata key rpmostree.sepolicy (signature s)

When I flipped the system to permissive, the install proceeded:

$ grep permissive /etc/selinux/config 
#     permissive - SELinux prints warnings instead of enforcing.
SELINUX=permissive
$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   permissive
Mode from config file:          permissive
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      31
$ sudo rpm-ostree install rstudio-1.2.1565-x86_64.rpm
[sudo] password for miabbott: 
Checking out tree 26b1f69... done
Enabled rpm-md repositories: updates fedora
rpm-md repo 'updates' (cached); generated: 2019-08-02T00:53:01Z
rpm-md repo 'fedora' (cached); generated: 2019-04-25T23:49:41Z
Importing rpm-md... done
Resolving dependencies... done
Checking out packages... done
Running pre scripts... done
Running post scripts... done
Running posttrans scripts... done
Writing rpmdb... done
Writing OSTree commit... done
Staging deployment... done
Freed: 539.2 MB (pkgcache branches: 0)
Added:
  rstudio-1.2.1565-1.x86_64
Run "systemctl reboot" to start a reboot

YMMV…not sure how flipping from disabled to permissive is going to affect anyone else’s host.

Following Fedora doc, I enabled and set Selinux permissive. I was then able to install the .rpm package

Added:
  rstudio-1.2.1565-1.x86_64

But 1- maybe shall it be specified somewhere in the docs it is wise to enable Selinux otherwise some troubles ahead with rpm-ostree? 2- I find it sad to force the user to enable Selinux. I love Linux for the freedom it brings to user to control its machine the way it wants.

Btw, great distro and ty for the good work. I love the immutable part of silverblue. First time I run something else than Archlinux on my homebox since nearly 10 years!

SELinux is enabled out of the box and doesn’t reduce any control, the rules usually only get in the way of normal desktop usage when you start to do weird things (e.g. snap).

I wonder if this is a problem with selinux=disabled. Some messages in the /etc/selinux/config hint that selinux=disabled is actually SELinux enabled with no rules loaded, but it seems like adding selinux=0 to the kernel booting command doesn’t help.