I believe there is a subtle SELinux policy bug that comes from the fact that RPMs that install to /opt instead get installed to /usr/lib/opt in Silverblue (for ostree reasons).
This causes a subtle policy bug because the expected SELinux context type for files installed to /opt is usr_t:
# semanage fcontext -l | grep -E '^/opt(/\.\* | )'
/opt                 all files    system_u:object_r:usr_t:s0
/opt/.*              all files    system_u:object_r:usr_t:s0
However, since they get installed to /usr/lib instead, they pick up this rule:
# semanage fcontext -l | grep '^/usr/lib/\.\* '
/usr/lib/.*          all files    system_u:object_r:lib_t:s0
This causes RPMs which have files that install to /opt and rely on them having a usr_t context type to run into issues.
The solution, I think, would be to add a rule like so:
/usr/lib/opt         all files    system_u:object_r:usr_t:s0
/usr/lib/opt/.*      all files    system_u:object_r:usr_t:s0
Locally, I work around it by calling:
semanage fcontext -a -t usr_t '/usr/lib/opt(/.*)?'
Submitted the issue here as well: https://github.com/fedora-silverblue/issue-tracker/issues/32
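To make the precedence problem in the ticket concrete, here is an added example (not from the ticket author or from rpm-ostree) that replays file-context resolution offline. It parses a constructed sample of `semanage fcontext -l` output containing the three rules quoted above, resolves a path by the libselinux rule that the last matching entry wins (file_contexts is ordered shortest-stem-first, and file_contexts.local entries are appended after it), and then shows that the proposed `/usr/lib/opt(/.*)?` rule flips the relocated tree back to `usr_t` without touching the rest of `/usr/lib`. The sample rule text, the path names and the `resolve_type` / `compare_layouts` helpers are all constructed for this example; the matching semantics are a simplification (the file-type column is ignored, as all quoted rules say "all files").

```python
import re

# Constructed sample of `semanage fcontext -l` output: the same three rules the
# ticket quotes, listed shortest-stem-first as in the compiled file_contexts.
SAMPLE_FCONTEXT = """\
/opt                 all files    system_u:object_r:usr_t:s0
/opt/.*              all files    system_u:object_r:usr_t:s0
/usr/lib/.*          all files    system_u:object_r:lib_t:s0
"""

# The local customization proposed in the ticket; semanage appends it to
# file_contexts.local, i.e. after every distribution rule.
LOCAL_FIX = "/usr/lib/opt(/.*)?   all files    system_u:object_r:usr_t:s0\n"


def parse_fcontext(text):
    """Turn `semanage fcontext -l` style lines into (compiled regex, type) pairs.

    Column layout: <regex> <file type (two words)> <context or <<None>>>.
    The regex is anchored at both ends, as libselinux does when matching.
    """
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("SELinux fcontext"):
            continue  # blank line or the header `semanage` prints
        parts = line.split()
        regex, context = parts[0], parts[-1]
        ctype = None if context == "<<None>>" else context.split(":")[2]
        rules.append((re.compile("^" + regex + "$"), ctype))
    return rules


def resolve_type(path, rules):
    """Return the SELinux type a path would be labelled with.

    Assumption (simplified model of libselinux): walk the rules from the last
    entry backwards and take the first one that matches the whole path.
    Returns None when no rule matches or the matching rule says <<None>>.
    """
    for regex, ctype in reversed(rules):
        if regex.match(path):
            return ctype
    return None


def compare_layouts(rel_path, rules):
    """Compare the type a package file gets under /opt with the type it gets
    after rpm-ostree relocates it to /usr/lib/opt.

    rel_path is the path relative to the opt root, e.g. "vendor/bin/tool".
    Returns (type_under_opt, type_under_usr_lib_opt, matches_flag).
    """
    t_opt = resolve_type("/opt/" + rel_path, rules)
    t_relocated = resolve_type("/usr/lib/opt/" + rel_path, rules)
    return t_opt, t_relocated, t_opt == t_relocated


if __name__ == "__main__":
    stock = parse_fcontext(SAMPLE_FCONTEXT)
    fixed = parse_fcontext(SAMPLE_FCONTEXT + LOCAL_FIX)
    for label, rules in (("stock policy", stock), ("with local fix", fixed)):
        t_opt, t_reloc, ok = compare_layouts("vendor/bin/tool", rules)
        print(f"{label:15} /opt -> {t_opt}, /usr/lib/opt -> {t_reloc}, "
              f"{'consistent' if ok else 'MISMATCH'}")
    # /usr/lib/libc.so.6 must stay lib_t even after the fix is applied.
    print("libc.so.6 with fix ->", resolve_type("/usr/lib/libc.so.6", fixed))
```

Running it prints a MISMATCH line for the stock policy (`usr_t` versus `lib_t`) and a consistent line once the local rule is appended, while `/usr/lib/libc.so.6` still resolves to `lib_t`. On a real system the equivalent check is `matchpathcon /usr/lib/opt/<vendor>/bin/tool` before and after the `semanage fcontext -a` call, followed by `restorecon -Rv /usr/lib/opt` to relabel files already on disk.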
Metadata Update from @nlordell: - Issue status updated to: Closed (was: Open)
Metadata Update from @nlordell: - Issue status updated to: Open (was: Closed)
@nlordell you probably need to open an issue against rpm-ostree upstream https://github.com/coreos/rpm-ostree/issues/
Opened an issue upstream