[SOLVED] Tumbleweed update
2mon 1d ago by piefed.social/u/steel_for_humans in opensuse
Updating from Tumbleweed 20260331 to 20260415, zypper dup fails at accountsservice :(
error: lsetfilecon: (11 /usr/share/accountsservice, system_u:object_r:accountsd_share_t:s0) Invalid argument
error: Plugin selinux: hook fsm_file_prepare failed
error: unpacking of archive failed on file /usr/share/accountsservice: cpio: (error 0x2)
error: accountsservice-23.13.9-11.3.x86_64: install failed
error: accountsservice-23.13.9-11.2.x86_64: erase skipped
(557/916) Installing: accountsservice-23.13.9-11.3.x86_64 ..................................................................................................[error]
Installation of accountsservice-23.13.9-11.3.x86_64 failed:
Error: Subprocess failed. Error: RPM failed: Command exited with status 1.
Abort, retry, ignore? [a/r/i] (a): a
Warning: %posttrans and %transfiletrigger scripts are not executed when aborting!
What should I do?
- Remember that a rolling distro is bleeding edge. That means that from time to time you WILL encounter some issues.
- Tumbleweed is (somewhat) unique in its approach to rolling. The quality checks that occur on openQA partially mitigate failures by withholding the next distro upgrades until they can be reviewed. However, the openSUSE devs are not perfect, openQA is not perfect, and some times rolling forward with a known issues is deemed acceptable.
- This is where btrfs comes in. The answer to your question of what to do if zypper dup fails is two part: A) roll back to the automatic "pre" snapshot taken by snapper before the dup. B) Just wait for the devs to fix the issue!
- If you are impatient, you can check for progress on a specific issue by searching the issue on https://bugzilla.opensuse.org/,or chat up the community either on the forums or on the matrix space in the support room.
Feel free to ask questions anytime!
At the moment I'm thinking of hopping to Debian 😅 I ran Fedora Workstation for a few weeks out of an external drive and then openSUSE Tumblewed for a couple weeks (this time on my main system drive) and thought I was good, never had any problems with updating the system. And today is my first distro update since I moved to openSUSE full-time and I get this :( Perhaps I am not ready for a rolling distro.
btw did Slowroll get systemd-boot already?
I know people are hating AI, but Opus again helped me. My system is fixed and updated. It diagnosed the root cause and told me how to fix it and I can attest that it worked. Below you can find a writeup on what was done.
When working with AI I check the commands I don't understand, consult the tldr pages and man pages or ask it to further explain what it wants to do and why. I also have Snapper and Restic backup so I wasn't too worried about screwing things up.
However, if system updates can fail like this and I'm not at fault (I wasn't), then I think Tumbleweed or rolling distros in general are not for me. I cannot keep asking AI for help, SELinux, labeling something in the filesystem -- I don't even know what that means. It was rough today and it gave me a scare. I am not ready to troubleshoot such advanced concepts as a Linux newbie, so I think I'll bail and switch to something else.
Fixing zypper dup failure on openSUSE Tumbleweed with SELinux
A debugging session covering an accountsservice RPM install failure during
zypper dup, caused by a stale compiled SELinux policy in the kernel.
The problem
zypper dup failed on a single package:
error: lsetfilecon: (11 /usr/share/accountsservice, system_u:object_r:accountsd_share_t:s0) Invalid argument
error: Plugin selinux: hook fsm_file_prepare failed
error: unpacking of archive failed on file /usr/share/accountsservice: cpio: (error 0x2)
error: accountsservice-23.13.9-11.3.x86_64: install failed
error: accountsservice-23.13.9-11.2.x86_64: erase skipped
( 4/360) Installing: accountsservice-23.13.9-11.3.x86_64 ..................................................................................................[error]
Installation of accountsservice-23.13.9-11.3.x86_64 failed:
Error: Subprocess failed. Error: RPM failed: Command exited with status 1.
Abort, retry, ignore? [a/r/i] (a): a
Warning: %posttrans and %transfiletrigger scripts are not executed when aborting!
Problem occurred during or after installation or removal of packages:
Installation has been aborted as directed.
Diagnosis
The key line is:
lsetfilecon: (11 /usr/share/accountsservice, system_u:object_r:accountsd_share_t:s0) Invalid argument
RPM's SELinux plugin is trying to apply the label accountsd_share_t to
/usr/share/accountsservice, and the kernel returns EINVAL. This typically
means one of:
- The filesystem doesn't support the xattrs SELinux needs, or
- The SELinux policy loaded in the kernel doesn't know the type being applied.
The %posttrans warning at the end is a consequence — it means other packages
queued in the transaction had their post-transaction scripts skipped, so the
system is in a partially-upgraded state.
Gathering facts
rpm -q selinux-policy
# → selinux-policy-20260410-1.1.noarch
zypper info selinux-policy
# → Status: up-to-date, Version: 20260410-1.1
sudo getenforce
# → Enforcing
sudo semanage module -l | grep accountsd
# → accountsd 100 pp
sudo seinfo -t accountsd_share_t
# → Types: 0 ← smoking gun
df -T /usr/share/accountsservice
# → /dev/mapper/cr_root btrfs ...
getfattr -d -m - /usr/share/accountsservice
# → security.selinux="system_u:object_r:usr_t:s0"
sudo ausearch -ts recent -m AVC
# → AVCs related to snapper_sdbootutil_plugin_t, all permissive=1
# → unrelated to this failure
What the results mean
selinux-policyon disk is current (20260410-1.1).- The
accountsdmodule is installed at priority 100. - But
seinfo -t accountsd_share_treturnsTypes: 0— the loaded kernel
policy does not know this type. - Filesystem is Btrfs with xattrs working; the existing label
usr_tis set
fine, so it's not a filesystem support issue. - The AVCs in the audit log are unrelated noise from the aborted dup — all
permissive=1, from sdbootutil housekeeping.
Root cause
The selinux-policy RPM on disk defines accountsd_share_t, but the kernel
is running an older compiled policy that predates that type. When RPM's
SELinux plugin tried to apply accountsd_share_t, the kernel said "I don't
know what that is" → EINVAL.
This usually happens when selinux-policy was updated on disk in an earlier
transaction, but the policy store wasn't recompiled and reloaded — likely
because a %posttrans script that would have called semodule -B was
skipped during a prior interrupted transaction.
Fix
1. Rebuild and reload the policy store
sudo semodule -B
This forces the modular policy (including accountsd) to be recompiled from
the on-disk modules and loaded into the kernel. It can take 30–90 seconds.
2. Verify the type is now known
sudo seinfo -t accountsd_share_t
# → Types: 1
3. Retry the dup
sudo zypper dup
The accountsservice install should now succeed. Because the first attempt
aborted with %posttrans scripts skipped, zypper dup may have extra
cleanup/reinstall work to do — that's expected.
4. Regenerate TPM2 PCR predictions
During the dup, sdbootutil emitted warnings like:
NVIndex policy created
WARNING: Volume key cannot be extracted. Dropping PCR 15
WARNING: File measure-pcr-prediction should be updated
WARNING: Call sdbootutil update-predictions --measure-pcr
find: '/var/lib/pcrlock.d/': No such file or directory
Breakdown:
Volume key cannot be extracted. Dropping PCR 15— expected and
harmless. sdbootutil binds without PCR 15 when the volume key isn't
available; unlock still works via other PCRs.find: '/var/lib/pcrlock.d/': No such file or directory— ties back to
one of the AVCs we saw: the snapper sdbootutil plugin removedpcrlock.d
during cleanup.permissive=1means SELinux didn't block it; this is a
plugin ordering issue, not an SELinux problem.WARNING: Call sdbootutil update-predictions --measure-pcr— the PCR
prediction file needs regenerating before the next boot, or TPM2 may fail
to release LUKS keys and you'll fall back to the passphrase prompt.
Run the suggested command once dup completes cleanly:
sudo sdbootutil update-predictions --measure-pcr
5. Schedule a filesystem relabel and reboot
The on-disk label on /usr/share/accountsservice was still the generic
usr_t, so after a policy jump it's worth reconciling all labels:
sudo fixfiles onboot
sudo reboot
fixfiles onboot schedules a full relabel at next boot — takes a few minutes
during boot but is the cleanest way to get labels in sync with the updated
policy.
Full sequence
sudo semodule -B # rebuild policy
sudo seinfo -t accountsd_share_t # verify: Types: 1
sudo zypper dup # finish the dup
sudo sdbootutil update-predictions --measure-pcr # regen TPM predictions
sudo fixfiles onboot # schedule relabel
sudo reboot
Safety notes
- Before rebooting, confirm the LUKS passphrase is accessible (in a password
manager). TPM2 auto-unlock is a convenience layer on top of the passphrase
— if predictions are wrong, the system falls back to the passphrase rather
than locking you out. - openSUSE's Btrfs + snapper setup means a pre-dup snapshot exists. Confirm
withsudo snapper list. If anything goes sideways, an older snapshot can
be booted from systemd-boot. - If the TPM2 unlock fails at first boot after dup, enter the passphrase and
re-runsudo sdbootutil update-predictions --measure-pcronce booted —
predictions sometimes need recalculating against the actual booted
measurements.
Key takeaways
lsetfilecon ... Invalid argumentduring an RPM install = the kernel
policy doesn't know a type the package is trying to apply. Fix with
semodule -Bto recompile and reload.seinfo -t <type>returningTypes: 0for a type you expect to exist is
the definitive signal that the loaded policy is stale relative to what's on
disk.- When a
zypper dupaborts mid-transaction,%posttransscripts are
skipped — which can leave SELinux policy out of sync and cause cascading
failures on the next dup. Finishing the transaction cleanly and relabeling
afterwards is the safe recovery path. - The sdbootutil PCR warnings are separate from the SELinux issue but worth
addressing in the same session, since the next reboot will exercise both.
To be fair, SELinux isn't easy to anyone.
If you're not comfortable troubleshooting advanced stuff, then I recommend trying Linux Mint instead. Great starting point and you can always try Tumbleweed or something else again when you're more comfortable.
So the actual root cause was that you had aborted an upgrade was earlier.
mrscruff@lemmy.zip do you mean I should have ignored the failure and let Zypper continue?
I'm not 100% sure because I don't use that package manager, but from the looks of it what happened was:
- you ran an upgrade that failed or you aborted an upgrade
- that update added a new selinux policy
- because it failed/aborted it didn't run the post-transaction hooks that reload your selinux policies
- you ran the upgrade that you posted about
- this upgrade failed because it relies on the selinux policy that didn't get loaded
I didn't run a failed or aborted upgrades before that. Just zypper dup that day and it fell flat on its face during updating that accountsservice package. Everything is in my post, there was nothing before that. My system was fully functional before Friday.
The failed zypper dup could have been from a day or week ago. It only recompiles the policy binary in the post transaction hooks.
If you want to track it down take a look in /var/log
There will be zypper logs and in zypp/history you can see all your transactions.
OK, that's interesting :) I'm learning something new. What would I be looking for in the Zypper history log? Any keywords you'd look for?
I would start by grepping /var/log/zypper.log for aborted or posttrans, seeing where the previous installation failed to run the post transaction hook. Then check the timestamp and see if it makes more sense what happened.
I don't use opensuse, or zypper, (arch btw) so I'm sorry I can't give more detailed help.
The good news is I've seen multiple broken Ubuntu/Debian/etc systems from aborted upgrades too. So I don't think your situation is unique to your distro. It's more about learning what you system is actually doing when you update and how catch when something has gone wrong.