What were you trying to do that didn't work?
=======================
The issue happens when upgrading from
selinux-policy-40.13.26-1.el10
selinux-policy-targeted-40.13.26-1.el10
to
selinux-policy-42.1.7-1.el10
selinux-policy-targeted-42.1.7-1.el10
when usbguard and usbguard-selinux are installed on the system.

The issue does not happen when downgrading from
selinux-policy-42.1.7-1.el10
selinux-policy-targeted-42.1.7-1.el10
to
selinux-policy-40.13.26-1.el10
selinux-policy-targeted-40.13.26-1.el10

What is the impact of this issue to you?
=======================
SELinux relabeling is unsuccessful, and after rebooting, the root filesystem is mounted as a read-only filesystem.

Please provide the package NVR for which the bug is seen:
=======================
selinux-policy-42.1.7-1.el10.noarch
selinux-policy-targeted-42.1.7-1.el10.noarch
usbguard-1.1.3-6.el10.x86_64
usbguard-selinux-1.1.3-6.el10.noarch

How reproducible is this bug?:
=======================
Every time

Steps to reproduce
=======================
1] Remove the usbguard-selinux package:

# dnf remove usbguard-selinux
# ls -ldZ /usr/sbin/usbguard* /var/log/usbguard
-rwxr-xr-x. 1 root root system_u:object_r:unlabeled_t:s0 208376 Feb 6 2025 /usr/sbin/usbguard-daemon
drwx------. 2 root root system_u:object_r:unlabeled_t:s0 6 Feb 6 2025 /var/log/usbguard

2] Downgrade the selinux packages:

# dnf downgrade selinux-policy-40.13.26-1.el10 selinux-policy-devel-40.13.26-1.el10 selinux-policy-doc-40.13.26-1.el10 selinux-policy-targeted-40.13.26-1.el10
# dnf reinstall selinux-policy-40.13.26-1.el10 selinux-policy-devel-40.13.26-1.el10 selinux-policy-doc-40.13.26-1.el10 selinux-policy-targeted-40.13.26-1.el10
# ls -ldZ /usr/sbin/usbguard* /var/log/usbguard
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:s0 208376 Feb 6 2025 /usr/sbin/usbguard-daemon
drwx------. 2 root root system_u:object_r:var_log_t:s0 6 Feb 6 2025 /var/log/usbguard
#

3] Install the usbguard-selinux package:

# dnf install usbguard-selinux-1.1.3-6.el10
# ls -ldZ /usr/sbin/usbguard* /var/log/usbguard
-rwxr-xr-x. 1 root root system_u:object_r:usbguard_exec_t:s0 208376 Feb 6 2025 /usr/sbin/usbguard-daemon
drwx------. 2 root root system_u:object_r:usbguard_log_t:s0 6 Feb 6 2025 /var/log/usbguard
#

4] Upgrade the selinux packages and observe selinux-policy-targeted fail with "POSTTRANS scriptlet returned a non-zero exit code" while relabelling paths.

# dnf upgrade selinux-policy-42.1.7-1.el10 selinux-policy-devel-42.1.7-1.el10 selinux-policy-doc-42.1.7-1.el10 selinux-policy-targeted-42.1.7-1.el10
Updating Subscription Management repositories.
Last metadata expiration check: 0:48:24 ago on Fri 16 Jan 2026 09:58:05 AM IST.
Dependencies resolved.
==========================================================================================
 Package                  Architecture  Version        Repository                        Size
==========================================================================================
Upgrading:
 selinux-policy           noarch        42.1.7-1.el10  rhel-10-for-x86_64-baseos-rpms     50 k
 selinux-policy-devel     noarch        42.1.7-1.el10  rhel-10-for-x86_64-appstream-rpms 1.5 M
 selinux-policy-doc       noarch        42.1.7-1.el10  rhel-10-for-x86_64-baseos-rpms    2.6 M
 selinux-policy-targeted  noarch        42.1.7-1.el10  rhel-10-for-x86_64-baseos-rpms    6.2 M

Transaction Summary
==========================================================================================
Upgrade  4 Packages

Total download size: 10 M
Is this ok [y/N]: y
Downloading Packages:
(1/4): selinux-policy-42.1.7-1.el10.noarch.rpm           82 kB/s |  50 kB  00:00
(2/4): selinux-policy-devel-42.1.7-1.el10.noarch.rpm    1.6 MB/s | 1.5 MB  00:00
(3/4): selinux-policy-doc-42.1.7-1.el10.noarch.rpm      2.0 MB/s | 2.6 MB  00:01
(4/4): selinux-policy-targeted-42.1.7-1.el10.noarch.rpm 3.6 MB/s | 6.2 MB  00:01
------------------------------------------------------------------------------------------
Total                                                   4.4 MB/s |  10 MB  00:02
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Running scriptlet: selinux-policy-targeted-42.1.7-1.el10.noarch 1/1
  Preparing        : 1/1
  Running scriptlet: selinux-policy-42.1.7-1.el10.noarch 1/8
  Upgrading        : selinux-policy-42.1.7-1.el10.noarch 1/8
  Running scriptlet: selinux-policy-42.1.7-1.el10.noarch 1/8
  Running scriptlet: selinux-policy-targeted-42.1.7-1.el10.noarch 2/8
  Upgrading        : selinux-policy-targeted-42.1.7-1.el10.noarch 2/8
  Running scriptlet: selinux-policy-targeted-42.1.7-1.el10.noarch 2/8
  Upgrading        : selinux-policy-devel-42.1.7-1.el10.noarch 3/8
  Running scriptlet: selinux-policy-devel-42.1.7-1.el10.noarch 3/8
  Upgrading        : selinux-policy-doc-42.1.7-1.el10.noarch 4/8
  Cleanup          : selinux-policy-doc-40.13.26-1.el10.noarch 5/8
  Cleanup          : selinux-policy-devel-40.13.26-1.el10.noarch 6/8
  Running scriptlet: selinux-policy-40.13.26-1.el10.noarch 7/8
  Cleanup          : selinux-policy-40.13.26-1.el10.noarch 7/8
  Running scriptlet: selinux-policy-40.13.26-1.el10.noarch 7/8
  Cleanup          : selinux-policy-targeted-40.13.26-1.el10.noarch 8/8
  Running scriptlet: selinux-policy-targeted-40.13.26-1.el10.noarch 8/8
  Running scriptlet: selinux-policy-targeted-42.1.7-1.el10.noarch 8/8
/usr/sbin/restorecon: Could not set context for /usr/bin/conmon: Invalid argument
/usr/sbin/restorecon: Could not set context for /usr/bin/podman: Invalid argument
/usr/sbin/restorecon: Could not set context for /usr/bin/osbuild: Invalid argument
/usr/sbin/restorecon: Could not set context for /usr/bin/buildah: Invalid argument
/usr/sbin/restorecon: Could not set context for /usr/bin/docker: Invalid argument
/usr/sbin/restorecon: Could not set context for /usr/bin/crun: Invalid argument
/usr/sbin/restorecon: Could not set context for /usr/bin/swtpm: Invalid argument
/usr/sbin/restorecon: Could not set context for /usr/sbin/nbdkit: Invalid argument
/usr/sbin/restorecon: Could not set context for /usr/sbin/usbguard-daemon: Invalid argument
/usr/sbin/restorecon: Could not set context for /usr/sbin/usbguard-daemon: Invalid argument
warning: %posttrans(selinux-policy-targeted-42.1.7-1.el10.noarch) scriptlet failed, exit status 255

Error in POSTTRANS scriptlet in rpm package selinux-policy-targeted
  Running scriptlet: selinux-policy-targeted-40.13.26-1.el10.noarch 8/8
Failed to set SELinux security context system_u:object_r:cockpit_var_run_t:s0 for /run/cockpit/inactive.issue: Invalid argument
Unable to fix SELinux security context of /run/cockpit/inactive.issue: Invalid argument
Failed to set SELinux security context system_u:object_r:cockpit_var_run_t:s0 for /run/cockpit/active.issue: Invalid argument
Unable to fix SELinux security context of /run/cockpit/active.issue: Invalid argument
Failed to set SELinux security context system_u:object_r:cockpit_var_run_t:s0 for /run/cockpit/issue: Invalid argument
Unable to fix SELinux security context of /run/cockpit/issue: Invalid argument
Failed to set SELinux security context system_u:object_r:usbguard_log_t:s0 for /var/log/usbguard: Invalid argument
Unable to fix SELinux security context of /var/log/usbguard: Invalid argument
Installed products updated.

Upgraded:
  selinux-policy-42.1.7-1.el10.noarch
  selinux-policy-devel-42.1.7-1.el10.noarch
  selinux-policy-doc-42.1.7-1.el10.noarch
  selinux-policy-targeted-42.1.7-1.el10.noarch

Complete!
#
# ls -ldZ /usr/sbin/usbguard* /var/log/usbguard
-rwxr-xr-x. 1 root root system_u:object_r:unlabeled_t:s0 208376 Feb 6 2025 /usr/sbin/usbguard-daemon
drwx------. 2 root root system_u:object_r:unlabeled_t:s0 6 Feb 6 2025 /var/log/usbguard
#

5] After rebooting, the root filesystem is mounted as a read-only filesystem.

# uptime
 10:48:51 up 1 min, 2 users, load average: 0.03, 0.01, 0.00
#
# ls -ldZ /usr/sbin/usbguard* /var/log/usbguard
-rwxr-xr-x. 1 root root system_u:object_r:unlabeled_t:s0 208376 Feb 6 2025 /usr/sbin/usbguard-daemon
drwx------. 2 root root system_u:object_r:unlabeled_t:s0 6 Feb 6 2025 /var/log/usbguard
# mount
/dev/mapper/rhel-root on / type xfs (ro,relatime,seclabel,attr2,inode64,logbufs=8,logbsize=32k,noquota)

Workaround:
==============
Mount the root filesystem in rw, or boot the system with selinux=0
Reinstall selinux-policy-targeted-42.1.7-1.el10
Reboot the system.

Expected results:
==============
Upgrade should happen without issue.
Unresolved
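
A triage helper for a saved copy of the upgrade output shown in the report, so relabel failures are caught before the reboot in step 5. This is an added example, not part of the original report or of any Red Hat tooling; the function names are hypothetical and SAMPLE_LOG is a few lines copied from the report's own transaction output.

```shell
#!/bin/sh
# Added example: scan a saved dnf transaction log for SELinux relabel failures.
# SAMPLE_LOG is a short excerpt of the output quoted in the report above.
SAMPLE_LOG='Running scriptlet: selinux-policy-targeted-42.1.7-1.el10.noarch 8/8
/usr/sbin/restorecon: Could not set context for /usr/bin/podman: Invalid argument
/usr/sbin/restorecon: Could not set context for /usr/sbin/usbguard-daemon: Invalid argument
/usr/sbin/restorecon: Could not set context for /usr/sbin/usbguard-daemon: Invalid argument
warning: %posttrans(selinux-policy-targeted-42.1.7-1.el10.noarch) scriptlet failed, exit status 255
Failed to set SELinux security context system_u:object_r:usbguard_log_t:s0 for /var/log/usbguard: Invalid argument
Unable to fix SELinux security context of /var/log/usbguard: Invalid argument
Complete!'

# Print each path whose relabel failed, once, in a stable order.
failed_relabel_paths() {
    sed -n \
        -e 's/^.*restorecon: Could not set context for \(.*\): Invalid argument$/\1/p' \
        -e 's/^Failed to set SELinux security context [^ ]* for \(.*\): Invalid argument$/\1/p' |
        LC_ALL=C sort -u
}

# Print "type path" for failures that name the context that was rejected.
rejected_types() {
    sed -n 's/^Failed to set SELinux security context [^:]*:[^:]*:\([^:]*\):[^ ]* for \(.*\): Invalid argument$/\1 \2/p' |
        LC_ALL=C sort -u
}

# Exit 0 if any %posttrans scriptlet reported a failure.
posttrans_failed() {
    grep -q '^warning: %posttrans(.*) scriptlet failed'
}

# Return 1 when the log (stdin) shows relabel or scriptlet failures,
# so a wrapper can stop before the system is rebooted.
check_upgrade_log() {
    log=$(cat)
    paths=$(printf '%s\n' "$log" | failed_relabel_paths)
    if [ -n "$paths" ] || printf '%s\n' "$log" | posttrans_failed; then
        printf 'relabel failures:\n%s\n' "$paths" >&2
        return 1
    fi
    return 0
}

# Stand-alone demo on the excerpt: lists the three affected paths.
printf '%s\n' "$SAMPLE_LOG" | failed_relabel_paths
```

On a live system, running `ls -ldZ` on each reported path, as the report does, shows whether it was left as unlabeled_t.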