Xpra: Ticket #399: CentOS 6.3 package install error: "can't apply partial context to unlabeled file"

The following error when installing the CentOS 6.3 package.

The message varies slightly in newer 0.9.x packages.

Note that my test is on Scientific Linux 6.3 (a clone of RedHat 6.3 and CentOS 6.3). I tested multiple machines with the same result. I'm afraid I don't have an actual CentOS 6.3 available to test.

The same error happens on upgrade, as well as install (below)

After install, things seem to be working ok, but presumably this is a bug.

---

$ sudo rpm -ivh xpra-0.9.8-1.el6_3.x86_64.rpm
warning: xpra-0.9.8-1.el6_3.x86_64.rpm: Header V4 DSA/SHA1 Signature, key ID f18ad6bb: NOKEY
Preparing...                ########################################### [100%]
   1:xpra                   ########################################### [100%]
chcon: can't apply partial context to unlabeled file `/usr/lib/python2.6/site-packages/xpra/x264/codec.so'
chcon: can't apply partial context to unlabeled file `/usr/lib/python2.6/site-packages/xpra/vpx/codec.so'
/var/tmp/rpm-tmp.UmKUdN: line 4: fg: no job control
/var/tmp/rpm-tmp.UmKUdN: line 5: fg: no job control
warning: %post(xpra-0.9.8-1.el6_3.x86_64) scriptlet failed, exit status 1

---

$ rpm -qf /usr/lib/python2.6/site-packages/xpra/x264/codec.so
xpra-0.9.8-1.el6_3.x86_64

---

$ sudo rpm -e xpra
$ sudo rpm -ivh xpra-0.9.0-25.el6.x86_64.rpm
warning: xpra-0.9.0-25.el6.x86_64.rpm: Header V4 DSA/SHA1 Signature, key ID f18ad6bb: NOKEY
Preparing...                ########################################### [100%]
   1:xpra                   ########################################### [100%]
chcon: can't apply partial context to unlabeled file `/usr/lib/python2.6/site-packages/xpra/x264/codec.so'
chcon: can't apply partial context to unlabeled file `/usr/lib/python2.6/site-packages/xpra/vpx/codec.so'
warning: %post(xpra-0.9.0-25.el6.x86_64) scriptlet failed, exit status 1

---

$ sudo rpm -e xpra
$ sudo rpm -ivh xpra-0.8.8-1.el6.x86_64.rpm
warning: xpra-0.8.8-1.el6.x86_64.rpm: Header V4 DSA/SHA1 Signature, key ID f18ad6bb: NOKEY
Preparing...                ########################################### [100%]
   1:xpra                   ########################################### [100%]

---

$ cat /etc/redhat-release
Scientific Linux release 6.3 (Carbon)


Thu, 01 Aug 2013 14:31:29 GMT - Antoine Martin: owner, description changed

The chcon warnings are related to SELinux:

chcon -t texrel_shlib_t %{python_sitelib}/xpra/x264/codec.so
chcon -t texrel_shlib_t %{python_sitelib}/xpra/vpx/codec.so

Can you please try running these two commands to see what the exact problem is? I've just tried it on CentOS 6.4 and didn't get any such errors during installation. (you will need to replace python_sitelib with your arch specific location)


The other two come from these two lines in the spec file:

update-desktop-database &> /dev/null || :
touch --no-create %{_datadir}/icons/hicolor &>/dev/null || :

No idea why that causes problems, those were suggested as being required for proper packaging (see Packaging Scriptlet Snippets)... But since I was getting those same errors on CentOS 6.4, I have now removed this crap from the non-Fedora packaging as of r4039. (this will be part of 0.10.0 - I may backport if there is another 0.9.x release)


Thu, 01 Aug 2013 15:12:39 GMT - Mark Hills:

Thanks. Not having much luck, I know little about SELinux. But I did try and use the 'full' context name and that did not help. I cannot find a way to, maybe, 'label' the file(?)

Here are all my attempts below.


$ sudo chcon -v -t texrel_shlib_t /usr/lib/python2.6/site-packages/xpra/x264/codec.so
changing security context of `/usr/lib/python2.6/site-packages/xpra/x264/codec.so'
chcon: can't apply partial context to unlabeled file `/usr/lib/python2.6/site-packages/xpra/x264/codec.so'

$ ls -l /usr/lib/python2.6/site-packages/xpra/x264/codec.so
-rwxr-xr-x 1 root root 12469260 Jul 29 12:07 /usr/lib/python2.6/site-packages/xpra/x264/codec.so

$ ls -Z /usr/lib/python2.6/site-packages/xpra/x264/codec.so
-rwxr-xr-x root root ?                                /usr/lib/python2.6/site-packages/xpra/x264/codec.so

$ file /usr/lib/python2.6/site-packages/xpra/x264/codec.so
/usr/lib/python2.6/site-packages/xpra/x264/codec.so: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, not stripped

$ sudo chcon -v -t system_u:object_r:texrel_shlib_t /usr/lib/python2.6/site-packages/xpra/x264/codec.so
changing security context of `/usr/lib/python2.6/site-packages/xpra/x264/codec.so'
chcon: can't apply partial context to unlabeled file `/usr/lib/python2.6/site-packages/xpra/x264/codec.so'

Thu, 01 Aug 2013 15:26:45 GMT - Antoine Martin:

Are you even running with SELinux enabled and with a labelled filesystem?

From what I am reading, you are probably not and that is why the label cannot be set.


Thu, 01 Aug 2013 15:33:46 GMT - Mark Hills:

You're right, SELinux has not been enabled. Sorry, that would have been a key piece of information.

Tho I've not seen this error from any other RPM, or other .so files. Presumable if xpra is special it needs to handle this in some way. (eg. set the attribute on the RPM file rather than script the action afterwards? Just a guess, I am not familiar with SELinux.

This has already been reported on the mailing list, with a bit more info (no replies)

http://lists.devloop.org.uk/pipermail/shifter-users/2013-April/000482.html


Thu, 01 Aug 2013 15:39:56 GMT - Antoine Martin: status changed; resolution set

Actually I found the same answer in that thread:

Can you update the script to take into account the case where SELinux is diasabled and files don't have any security context assigned to them?

I'm not sure how, or if it is even worth doing.

Thank you, I'm relieved. If this is the only task that the script handles, then it wouldn't be worth the effort to go check for SELinux.



I guess we could add 2>/dev/null to ignore errors, but I'm not keen on it at all: those that have SELinux enabled should see the errors, if any, and those that have disabled SELinux... should remember they have.


Thu, 01 Aug 2013 15:59:03 GMT - Mark Hills:

I'm not keen on 2>/dev/null either, that's a hack, agreed.

I guess I'm just confused for never seeing this error before on any other package.

So I suppose it should just do what the other packages do. If they error in the same way then it's fine. I'm afraid I'm out of time to look for this myself.

I assume xpra is explicitly doing something specialist with SELinux.


Thu, 01 Aug 2013 16:02:07 GMT - Antoine Martin:

I assume xpra is explicitly doing something specialist with SELinux.


We are: the x264 and vpx libraries in versions of CentOS (and clones) older than 6.4 are either not available or just too old to work, so we ship a statically linked codec - which requires special labelling to work with SELinux. Easiest fix is to upgrade to 6.4 - another reason why we are unlikely to change anything.


Sat, 23 Jan 2021 04:54:17 GMT - migration script:

this ticket has been moved to: https://github.com/Xpra-org/xpra/issues/399