Re: Re: System in broken state after dpkg upgrade

2016-09-09 Thread Laurent Bigonville

Don Armstrong wrote:

> That's basically because the policy wasn't fixed in time for the jessie
> release (see #756729 and #771484). If you're using selinux on Debian, it
> would probably be good to participate in the development of the default
> policy and refpolicy packages.


Yes please



Re: System in broken state after dpkg upgrade

2016-09-07 Thread Don Armstrong
On Wed, 07 Sep 2016, Marko Randjelovic wrote:
> setenforce 0 works, there is no need to reboot the whole system. On
> the other hand, I cannot upgrade selinux policy from jessie because
> there is no selinux-policy-default in jessie, although there is in
> testing.

That's basically because the policy wasn't fixed in time for the jessie
release (see #756729 and #771484). If you're using selinux on Debian, it
would probably be good to participate in the development of the default
policy and refpolicy packages.


-- 
Don Armstrong  https://www.donarmstrong.com

If it jams, force it. If it breaks, it needed replacing anyway.
 -- Lowery's Law



Re: System in broken state after dpkg upgrade

2016-09-07 Thread Marko Randjelovic
On Wed, 07 Sep 2016 18:24:29 +0200
Sven Joachim  wrote:

> On 2016-09-07 17:13 +0200, Marko Randjelovic wrote:
> 
> > On Wed, 07 Sep 2016 15:17:23 +0200
> > Sven Joachim  wrote:
> >
> >> File a bug against dpkg.  In the meantime, rebooting with the
> >> "selinux=0" kernel parameter should give you a working dpkg.
> >
> > After rebooting with 'selinux=0' I reinstalled dpkg with success:
> >
> > dpkg -i /var/cache/apt/archives/dpkg_deb
> >
> > However, then I wanted to install reportbug and during install received
> > the same error.
> 
> Which is not surprising if you had rebooted without that kernel
> parameter again.  Don Armstrong already gave the right hint: your
> selinux policy does not know about dpkg_script_t, and you should upgrade
> your selinux-policy-* package(s) to the jessie version.  See the
> changelogs of dpkg and refpolicy:

setenforce 0 works, there is no need to reboot the whole system. On the
other hand, I cannot upgrade selinux policy from jessie because there is
no selinux-policy-default in jessie, although there is in testing.

> 
> ,
> | dpkg (1.17.0) unstable; urgency=low
> | [...]
> |   * Execute maintainer scripts in a new execution context, based on the
> | current one and the specific maintainer script filename, and if it's
> | not different to the current one, use "dpkg_script_t" as a fallback.
> `
> 
> ,
> | refpolicy (2:2.20140206-1) unstable; urgency=medium
> | [...]
> | - Allow unconfined user to transition to dpkg_t and transitively to
> |   dpkg_script_t (Closes: #707214)
> `
> 
> See https://bugs.debian.org/707214 for more information.
> 
> Cheers,
>Sven
> 



-- 
http://markorandjelovic.hopto.org

"The only thing necessary for the triumph of evil is that good people
do nothing." -- Edmund Burke



Re: System in broken state after dpkg upgrade

2016-09-07 Thread Sven Joachim
On 2016-09-07 17:13 +0200, Marko Randjelovic wrote:

> On Wed, 07 Sep 2016 15:17:23 +0200
> Sven Joachim  wrote:
>
>> File a bug against dpkg.  In the meantime, rebooting with the
>> "selinux=0" kernel parameter should give you a working dpkg.
>
> After rebooting with 'selinux=0' I reinstalled dpkg with success:
>
> dpkg -i /var/cache/apt/archives/dpkg_deb
>
> However, then I wanted to install reportbug and during install received
> the same error.

Which is not surprising if you had rebooted without that kernel
parameter again.  Don Armstrong already gave the right hint: your
selinux policy does not know about dpkg_script_t, and you should upgrade
your selinux-policy-* package(s) to the jessie version.  See the
changelogs of dpkg and refpolicy:

,
| dpkg (1.17.0) unstable; urgency=low
| [...]
|   * Execute maintainer scripts in a new execution context, based on the
| current one and the specific maintainer script filename, and if it's
| not different to the current one, use "dpkg_script_t" as a fallback.
`

,
| refpolicy (2:2.20140206-1) unstable; urgency=medium
| [...]
| - Allow unconfined user to transition to dpkg_t and transitively to
|   dpkg_script_t (Closes: #707214)
`

See https://bugs.debian.org/707214 for more information.

Cheers,
   Sven
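
Added example, not written by any poster in this thread and not part of dpkg: a shell filter that separates packages whose maintainer script was blocked by the SELinux context error from packages that only failed on dependencies, plus a check for dpkg_script_t in `seinfo -t` output. The function names and the sample log (constructed from the output pasted in this thread) are assumptions; `seinfo` comes from the setools package.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not dpkg or setools APIs.

# Read apt/dpkg output on stdin and print each package whose maintainer
# script failed directly after the SELinux context error. The error text may
# be wrapped onto a second line, as it is in the pasted sessions.
selinux_ctx_failures() {
    awk '
        /cannot set security execution context for maintainer script/ { ctx = 1; next }
        ctx && /^Invalid argument/ { next }
        ctx && /^dpkg: error processing package / {
            if (!($5 in seen)) { seen[$5] = 1; print $5 }
        }
        { ctx = 0 }
    '
}

# Read a type listing (the output of "seinfo -t") on stdin and succeed only
# if the type named in $1 is defined in that policy.
type_in_policy() {
    grep -Eq "^[[:space:]]*$1[[:space:]]*\$"
}

# Constructed sample, assembled from the dpkg output shown in this thread.
sample_log() {
cat <<'EOF'
Setting up libpipeline1:amd64 (1.4.0-1) ...
dpkg (subprocess): cannot set security execution context for maintainer script:
Invalid argument
dpkg: error processing package libpipeline1:amd64 (--configure):
 subprocess installed post-installation script returned error exit status 2
Setting up dpkg (1.17.27) ...
dpkg (subprocess): cannot set security execution context for maintainer script: Invalid argument
dpkg: error processing package dpkg (--configure):
 subprocess installed post-installation script returned error exit status 2
dpkg: dependency problems prevent configuration of man-db:
 man-db depends on dpkg (>= 1.16.1~); however:
  Package dpkg is not configured yet.

dpkg: error processing package man-db (--configure):
 dependency problems - leaving unconfigured
EOF
}

echo "Blocked by the SELinux context error:"
sample_log | selinux_ctx_failures
if command -v seinfo >/dev/null 2>&1; then
    seinfo -t 2>/dev/null | type_in_policy dpkg_script_t \
        && echo "loaded policy defines dpkg_script_t" \
        || echo "loaded policy lacks dpkg_script_t"
fi
```

man-db is left out of the result because its failure is a dependency cascade, not a context error of its own.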



Re: System in broken state after dpkg upgrade

2016-09-07 Thread Don Armstrong
On Wed, 07 Sep 2016, Marko Randjelovic wrote:
> I have mixed wheezy/jessie system. When tried to upgrade cmake from
> jessie, apt pulled other packages including dpkg which gave error
> during configure:
[...]
> dpkg (subprocess): cannot set security execution context for maintainer 
> script: Invalid argument
> dpkg: error processing package dpkg (--configure):
>  subprocess installed post-installation script returned error exit status 2
> Errors were encountered while processing:
>  dpkg

You have selinux enabled, and for whatever reason, setting the
appropriate security context for the maintainer script is failing, likely
because you haven't upgraded refpolicy to properly support dpkg_script_t or
otherwise set up the selinux policy correctly.

Fix that, and you should be able to complete the install.

-- 
Don Armstrong  https://www.donarmstrong.com

The whole modern world has divided itself into Conservatives and
Progressives. The business of Progressives is to go on making
mistakes. The business of the Conservatives is to prevent the mistakes
from being corrected.
 -- G. K. Chesterton "Illustrated London News (1924-04-19)"



Re: System in broken state after dpkg upgrade

2016-09-07 Thread Marko Randjelovic
On Wed, 07 Sep 2016 15:17:23 +0200
Sven Joachim  wrote:

> File a bug against dpkg.  In the meantime, rebooting with the
> "selinux=0" kernel parameter should give you a working dpkg.

After rebooting with 'selinux=0' I reinstalled dpkg with success:

dpkg -i /var/cache/apt/archives/dpkg_deb

However, then I wanted to install reportbug and during install received
the same error.


root@debian:~# apt-get install reportbug
Reading package lists... Done
Building dependency tree   
Reading state information... Done
The following extra packages will be installed:
  python-debian python-debianbts python-fpconst python-reportbug python-soappy
Suggested packages:
  postfix exim4 mail-transport-agent debconf-utils debsums dlocate
  python-urwid python-vte python-gtkspell emacs22-bin-common
  emacs23-bin-common claws-mail
Recommended packages:
  python-apt
The following NEW packages will be installed:
  python-debian python-debianbts python-fpconst python-reportbug python-soappy
  reportbug
0 upgraded, 6 newly installed, 0 to remove and 0 not upgraded.
Need to get 0 B/468 kB of archives.
After this operation, 1,819 kB of additional disk space will be used.
Do you want to continue? [Y/n] 
Selecting previously unselected package python-debian.
(Reading database ... 115166 files and directories currently installed.)
Preparing to unpack .../python-debian_0.1.21_all.deb ...
Unpacking python-debian (0.1.21) ...
Selecting previously unselected package python-fpconst.
Preparing to unpack .../python-fpconst_0.7.2-5_all.deb ...
Unpacking python-fpconst (0.7.2-5) ...
Selecting previously unselected package python-soappy.
Preparing to unpack .../python-soappy_0.12.0-4_all.deb ...
Unpacking python-soappy (0.12.0-4) ...
Selecting previously unselected package python-debianbts.
Preparing to unpack .../python-debianbts_1.11_all.deb ...
Unpacking python-debianbts (1.11) ...
Selecting previously unselected package python-reportbug.
Preparing to unpack .../python-reportbug_6.4.4+deb7u1_all.deb ...
Unpacking python-reportbug (6.4.4+deb7u1) ...
Selecting previously unselected package reportbug.
Preparing to unpack .../reportbug_6.4.4+deb7u1_all.deb ...
Unpacking reportbug (6.4.4+deb7u1) ...
Processing triggers for desktop-file-utils (0.20-0.1) ...
dpkg (subprocess): cannot set security execution context for maintainer script: Invalid argument
dpkg: error processing package desktop-file-utils (--unpack):
 subprocess installed post-installation script returned error exit status 2
Processing triggers for man-db (2.7.0.2-5) ...
dpkg (subprocess): cannot set security execution context for maintainer script: Invalid argument
dpkg: error processing package man-db (--unpack):
 subprocess installed post-installation script returned error exit status 2
Errors were encountered while processing:
 desktop-file-utils
 man-db
E: Sub-process /usr/bin/dpkg returned an error code (1)
root@debian:~# setenforce 0
root@debian:~# apt-get install reportbug
Reading package lists... Done
Building dependency tree   
Reading state information... Done
reportbug is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
8 not fully installed or removed.
After this operation, 0 B of additional disk space will be used.
Do you want to continue? [Y/n] 
Setting up man-db (2.7.0.2-5) ...
Updating database of manual pages ...
Setting up python-debian (0.1.21) ...
Setting up python-fpconst (0.7.2-5) ...
Setting up python-soappy (0.12.0-4) ...
Setting up python-debianbts (1.11) ...
Setting up python-reportbug (6.4.4+deb7u1) ...
Setting up reportbug (6.4.4+deb7u1) ...
Setting up desktop-file-utils (0.20-0.1) ...
Processing triggers for python-support (1.0.15) ...
root@debian:~# apt-cache policy libselinux1
libselinux1:
  Installed: 2.3-2
  Candidate: 2.3-2
  Version table:
     2.5-3 0
        350 http://ftp.de.debian.org/debian/ testing/main amd64 Packages
 *** 2.3-2 0
        450 http://ftp.de.debian.org/debian/ jessie/main amd64 Packages
        100 /var/lib/dpkg/status
     2.1.9-5 0
        500 cdrom://[Debian GNU/Linux 7.8.0 _Wheezy_ - Official amd64 DVD Binary-1 20150110-14:43]/ wheezy/main amd64 Packages
        500 http://ftp.de.debian.org/debian/ wheezy/main amd64 Packages
root@debian:~# apt-cache policy libpcre3
libpcre3:
  Installed: 2:8.35-3.3+deb8u4
  Candidate: 2:8.35-3.3+deb8u4
  Version table:
     2:8.39-2 0
        350 http://ftp.de.debian.org/debian/ testing/main amd64 Packages
 *** 2:8.35-3.3+deb8u4 0
        450 http://ftp.de.debian.org/debian/ jessie/main amd64 Packages
        100 /var/lib/dpkg/status
     1:8.30-5 0
        500 cdrom://[Debian GNU/Linux 7.8.0 _Wheezy_ - Official amd64 DVD Binary-1 20150110-14:43]/ wheezy/main amd64 Packages
        500 http://ftp.de.debian.org/debian/ wheezy/main amd64 Packages

-- 
http://markorandjelovic.hopto.org

"The only thing necessary for the triumph of evil is that good people
do nothing." -- Edmund Burke



Re: System in broken state after dpkg upgrade

2016-09-07 Thread Marko Randjelovic
On Wed, 07 Sep 2016 15:17:23 +0200
Sven Joachim  wrote:

> This might be a bug in dpkg or in one of the libraries it depends on
> (libselinux1 comes to mind).  What are the versions of libselinux1 and
> libpcre3 on your system?

They are both latest jessie versions.

-- 
http://markorandjelovic.hopto.org

"The only thing necessary for the triumph of evil is that good people
do nothing." -- Edmund Burke



Re: System in broken state after dpkg upgrade

2016-09-07 Thread Sven Joachim
On 2016-09-07 10:16 +0200, Marko Randjelovic wrote:

> I have mixed wheezy/jessie system.

This is not really recommended, since your particular combination of
packages might not have been tested by anyone.  Having all packages
from the same distribution avoids this source of problems.

> When tried to upgrade cmake from
> jessie, apt pulled other packages including dpkg which gave error
> during configure:

> Setting up dpkg (1.17.27) ...
> Installing new version of config file /etc/cron.daily/dpkg ...
> dpkg (subprocess): cannot set security execution context for maintainer 
> script: Invalid argument
> dpkg: error processing package dpkg (--configure):
>  subprocess installed post-installation script returned error exit status 2
> Errors were encountered while processing:
>  dpkg

This might be a bug in dpkg or in one of the libraries it depends on
(libselinux1 comes to mind).  What are the versions of libselinux1 and
libpcre3 on your system?

> Please help.

File a bug against dpkg.  In the meantime, rebooting with the
"selinux=0" kernel parameter should give you a working dpkg.

Cheers,
   Sven



System in broken state after dpkg upgrade

2016-09-07 Thread Marko Randjelovic
I have mixed wheezy/jessie system. When tried to upgrade cmake from
jessie, apt pulled other packages including dpkg which gave error
during configure:


root@debian:~# apt-get -t jessie install cmake
Reading package lists... Done
Building dependency tree   
Reading state information... Done
The following package was automatically installed and is no longer required:
  libxmlrpc-core-c3
Use 'apt-get autoremove' to remove it.
The following extra packages will be installed:
  cmake-data dpkg fontconfig install-info libarchive13 libpipeline1 man-db
Suggested packages:
  codeblocks eclipse ninja-build lrzip groff
The following NEW packages will be installed:
  libarchive13
The following packages will be upgraded:
  cmake cmake-data dpkg fontconfig install-info libpipeline1 man-db
7 upgraded, 1 newly installed, 0 to remove and 791 not upgraded.
Need to get 8,200 kB of archives.
After this operation, 3,399 kB of additional disk space will be used.
Do you want to continue? [Y/n] 
Get:1 http://security.debian.org/ jessie/updates/main fontconfig amd64 2.11.0-6.3+deb8u1 [403 kB]
Get:2 http://ftp.de.debian.org/debian/ jessie/main install-info amd64 5.2.0.dfsg.1-6 [193 kB]
Get:3 http://ftp.de.debian.org/debian/ jessie/main libpipeline1 amd64 1.4.0-1 [27.9 kB]
Get:4 http://ftp.de.debian.org/debian/ jessie/main man-db amd64 2.7.0.2-5 [1,000 kB]
Get:5 http://security.debian.org/ jessie/updates/main libarchive13 amd64 3.1.2-11+deb8u2 [270 kB]
Get:6 http://ftp.de.debian.org/debian/ jessie/main dpkg amd64 1.17.27 [2,994 kB]
Get:7 http://ftp.de.debian.org/debian/ jessie/main cmake amd64 3.0.2-1 [2,384 kB]
Get:8 http://ftp.de.debian.org/debian/ jessie/main cmake-data all 3.0.2-1 [929 kB]
Fetched 8,200 kB in 9s (845 kB/s)  
Preconfiguring packages ...
(Reading database ... 115145 files and directories currently installed.)
Preparing to replace fontconfig 2.9.0-7.1+deb7u1 (using .../fontconfig_2.11.0-6.3+deb8u1_amd64.deb) ...
Unpacking replacement fontconfig ...
Preparing to replace install-info 4.13a.dfsg.1-10 (using .../install-info_5.2.0.dfsg.1-6_amd64.deb) ...
Unpacking replacement install-info ...
Processing triggers for man-db ...
Setting up install-info (5.2.0.dfsg.1-6) ...
(Reading database ... 115145 files and directories currently installed.)
Preparing to replace libpipeline1:amd64 1.2.1-1 (using .../libpipeline1_1.4.0-1_amd64.deb) ...
Unpacking replacement libpipeline1:amd64 ...
Preparing to replace man-db 2.6.2-1 (using .../man-db_2.7.0.2-5_amd64.deb) ...
Unpacking replacement man-db ...
Preparing to replace dpkg 1.16.18 (using .../dpkg_1.17.27_amd64.deb) ...
Unpacking replacement dpkg ...
Processing triggers for mime-support ...
Setting up dpkg (1.17.27) ...
Installing new version of config file /etc/cron.daily/dpkg ...
dpkg (subprocess): cannot set security execution context for maintainer script: Invalid argument
dpkg: error processing package dpkg (--configure):
 subprocess installed post-installation script returned error exit status 2
Errors were encountered while processing:
 dpkg
E: Sub-process /usr/bin/dpkg returned an error code (1)
root@debian:~# dpkg --configure -a
Setting up libpipeline1:amd64 (1.4.0-1) ...
dpkg (subprocess): cannot set security execution context for maintainer script: Invalid argument
dpkg: error processing package libpipeline1:amd64 (--configure):
 subprocess installed post-installation script returned error exit status 2
Setting up dpkg (1.17.27) ...
dpkg (subprocess): cannot set security execution context for maintainer script: Invalid argument
dpkg: error processing package dpkg (--configure):
 subprocess installed post-installation script returned error exit status 2
dpkg: dependency problems prevent configuration of man-db:
 man-db depends on libpipeline1 (>= 1.3.0); however:
  Package libpipeline1:amd64 is not configured yet.
 man-db depends on dpkg (>= 1.16.1~); however:
  Package dpkg is not configured yet.

dpkg: error processing package man-db (--configure):
 dependency problems - leaving unconfigured
dpkg: dependency problems prevent configuration of fontconfig:
 fontconfig depends on dpkg (>= 1.16.1); however:
  Package dpkg is not configured yet.

dpkg: error processing package fontconfig (--configure):
 dependency problems - leaving unconfigured
Errors were encountered while processing:
 libpipeline1:amd64
 dpkg
 man-db
 fontconfig
root@debian:~# apt-get -f install
Reading package lists... Done
Building dependency tree   
Reading state information... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
4 not fully installed or removed.
After this operation, 0 B of additional disk space will be used.
Setting up dpkg (1.17.27) ...
dpkg (subprocess): cannot set security execution context for maintainer script: Invalid argument
dpkg: error processing package dpkg (--configure):
 subprocess installed post-installation script returned error exit status 2
Setting up libpipeline1:amd64 (1.4.0-1)