Updating from Tumbleweed 20260331 to 20260415, zypper dup fails at accountsservice :(

error: lsetfilecon: (11 /usr/share/accountsservice, system_u:object_r:accountsd_share_t:s0) Invalid argument  
error: Plugin selinux: hook fsm_file_prepare failed  
error: unpacking of archive failed on file /usr/share/accountsservice: cpio: (error 0x2)  
error: accountsservice-23.13.9-11.3.x86_64: install failed  
error: accountsservice-23.13.9-11.2.x86_64: erase skipped  
(557/916) Installing: accountsservice-23.13.9-11.3.x86_64 ..................................................................................................[error]  
Installation of accountsservice-23.13.9-11.3.x86_64 failed:  
Error: Subprocess failed. Error: RPM failed: Command exited with status 1.  
Abort, retry, ignore? [a/r/i] (a): a  
Warning: %posttrans and %transfiletrigger scripts are not executed when aborting!

What should I do?

  • steel_for_humans@piefed.socialOPEnglish
    2·
    5 天前

    I know people are hating AI, but Opus again helped me. My system is fixed and updated. It diagnosed the root cause and told me how to fix it and I can attest that it worked. Below you can find a writeup on what was done.

    When working with AI I check the commands I don’t understand, consult the tldr pages and man pages or ask it to further explain what it wants to do and why. I also have Snapper and Restic backup so I wasn’t too worried about screwing things up.

    However, if system updates can fail like this and I’m not at fault (I wasn’t), then I think Tumbleweed or rolling distros in general are not for me. I cannot keep asking AI for help, SELinux, labeling something in the filesystem – I don’t even know what that means. It was rough today and it gave me a scare. I am not ready to troubleshoot such advanced concepts as a Linux newbie, so I think I’ll bail and switch to something else.

    Fixing zypper dup failure on openSUSE Tumbleweed with SELinux

    A debugging session covering an accountsservice RPM install failure during
    zypper dup, caused by a stale compiled SELinux policy in the kernel.

    The problem

    zypper dup failed on a single package:

    error: lsetfilecon: (11 /usr/share/accountsservice, system_u:object_r:accountsd_share_t:s0) Invalid argument  
error: Plugin selinux: hook fsm_file_prepare failed  
error: unpacking of archive failed on file /usr/share/accountsservice: cpio: (error 0x2)  
error: accountsservice-23.13.9-11.3.x86_64: install failed  
error: accountsservice-23.13.9-11.2.x86_64: erase skipped  
(  4/360) Installing: accountsservice-23.13.9-11.3.x86_64 ..................................................................................................[error]  
Installation of accountsservice-23.13.9-11.3.x86_64 failed:  
Error: Subprocess failed. Error: RPM failed: Command exited with status 1.  
Abort, retry, ignore? [a/r/i] (a): a  
Warning: %posttrans and %transfiletrigger scripts are not executed when aborting!  
Problem occurred during or after installation or removal of packages:  
Installation has been aborted as directed.

    Diagnosis

    The key line is:

    lsetfilecon: (11 /usr/share/accountsservice, system_u:object_r:accountsd_share_t:s0) Invalid argument

    RPM’s SELinux plugin is trying to apply the label accountsd_share_t to
    /usr/share/accountsservice, and the kernel returns EINVAL. This typically
    means one of:

    1. The filesystem doesn’t support the xattrs SELinux needs, or
    2. The SELinux policy loaded in the kernel doesn’t know the type being applied.

    The %posttrans warning at the end is a consequence — it means other packages
    queued in the transaction had their post-transaction scripts skipped, so the
    system is in a partially-upgraded state.

    Gathering facts

    rpm -q selinux-policy  
# → selinux-policy-20260410-1.1.noarch  

zypper info selinux-policy  
# → Status: up-to-date, Version: 20260410-1.1  

sudo getenforce  
# → Enforcing  

sudo semanage module -l | grep accountsd  
# → accountsd                 100       pp  

sudo seinfo -t accountsd_share_t  
# → Types: 0          ← smoking gun  

df -T /usr/share/accountsservice  
# → /dev/mapper/cr_root btrfs ...  

getfattr -d -m - /usr/share/accountsservice  
# → security.selinux="system_u:object_r:usr_t:s0"  

sudo ausearch -ts recent -m AVC  
# → AVCs related to snapper_sdbootutil_plugin_t, all permissive=1  
# → unrelated to this failure

    What the results mean

    • selinux-policy on disk is current (20260410-1.1).
    • The accountsd module is installed at priority 100.
    • But seinfo -t accountsd_share_t returns Types: 0 — the loaded kernel
      policy does not know this type.
    • Filesystem is Btrfs with xattrs working; the existing label usr_t is set
      fine, so it’s not a filesystem support issue.
    • The AVCs in the audit log are unrelated noise from the aborted dup — all
      permissive=1, from sdbootutil housekeeping.

    Root cause

    The selinux-policy RPM on disk defines accountsd_share_t, but the kernel
    is running an older compiled policy that predates that type. When RPM’s
    SELinux plugin tried to apply accountsd_share_t, the kernel said “I don’t
    know what that is” → EINVAL.

    This usually happens when selinux-policy was updated on disk in an earlier
    transaction, but the policy store wasn’t recompiled and reloaded — likely
    because a %posttrans script that would have called semodule -B was
    skipped during a prior interrupted transaction.

    Fix

    1. Rebuild and reload the policy store

    sudo semodule -B

    This forces the modular policy (including accountsd) to be recompiled from
    the on-disk modules and loaded into the kernel. It can take 30–90 seconds.

    2. Verify the type is now known

    sudo seinfo -t accountsd_share_t  
# → Types: 1

    3. Retry the dup

    sudo zypper dup

    The accountsservice install should now succeed. Because the first attempt
    aborted with %posttrans scripts skipped, zypper dup may have extra
    cleanup/reinstall work to do — that’s expected.

    4. Regenerate TPM2 PCR predictions

    During the dup, sdbootutil emitted warnings like:

    NVIndex policy created  
WARNING: Volume key cannot be extracted. Dropping PCR 15  
WARNING: File measure-pcr-prediction should be updated  
WARNING: Call sdbootutil update-predictions --measure-pcr  
find: '/var/lib/pcrlock.d/': No such file or directory

    Breakdown:

    • Volume key cannot be extracted. Dropping PCR 15 — expected and
      harmless. sdbootutil binds without PCR 15 when the volume key isn’t
      available; unlock still works via other PCRs.
    • find: '/var/lib/pcrlock.d/': No such file or directory — ties back to
      one of the AVCs we saw: the snapper sdbootutil plugin removed pcrlock.d
      during cleanup. permissive=1 means SELinux didn’t block it; this is a
      plugin ordering issue, not an SELinux problem.
    • WARNING: Call sdbootutil update-predictions --measure-pcr — the PCR
      prediction file needs regenerating before the next boot, or TPM2 may fail
      to release LUKS keys and you’ll fall back to the passphrase prompt.

    Run the suggested command once dup completes cleanly:

    sudo sdbootutil update-predictions --measure-pcr

    5. Schedule a filesystem relabel and reboot

    The on-disk label on /usr/share/accountsservice was still the generic
    usr_t, so after a policy jump it’s worth reconciling all labels:

    sudo fixfiles onboot  
sudo reboot

    fixfiles onboot schedules a full relabel at next boot — takes a few minutes
    during boot but is the cleanest way to get labels in sync with the updated
    policy.

    Full sequence

    sudo semodule -B                                    # rebuild policy  
sudo seinfo -t accountsd_share_t                    # verify: Types: 1  
sudo zypper dup                                     # finish the dup  
sudo sdbootutil update-predictions --measure-pcr    # regen TPM predictions  
sudo fixfiles onboot                                # schedule relabel  
sudo reboot

    Safety notes

    • Before rebooting, confirm the LUKS passphrase is accessible (in a password
      manager). TPM2 auto-unlock is a convenience layer on top of the passphrase
      — if predictions are wrong, the system falls back to the passphrase rather
      than locking you out.
    • openSUSE’s Btrfs + snapper setup means a pre-dup snapshot exists. Confirm
      with sudo snapper list. If anything goes sideways, an older snapshot can
      be booted from systemd-boot.
    • If the TPM2 unlock fails at first boot after dup, enter the passphrase and
      re-run sudo sdbootutil update-predictions --measure-pcr once booted —
      predictions sometimes need recalculating against the actual booted
      measurements.

    Key takeaways

    • lsetfilecon ... Invalid argument during an RPM install = the kernel
      policy doesn’t know a type the package is trying to apply. Fix with
      semodule -B to recompile and reload.
    • seinfo -t <type> returning Types: 0 for a type you expect to exist is
      the definitive signal that the loaded policy is stale relative to what’s on
      disk.
    • When a zypper dup aborts mid-transaction, %posttrans scripts are
      skipped — which can leave SELinux policy out of sync and cause cascading
      failures on the next dup. Finishing the transaction cleanly and relabeling
      afterwards is the safe recovery path.
    • The sdbootutil PCR warnings are separate from the SELinux issue but worth
      addressing in the same session, since the next reboot will exercise both.
        • MrScruff@lemmy.zip
          1·
          2 天前

          I’m not 100% sure because I don’t use that package manager, but from the looks of it what happened was:

          • you ran an upgrade that failed or you aborted an upgrade
          • that update added a new selinux policy
          • because it failed/aborted it didn’t run the post-transaction hooks that reload your selinux policies
          • you ran the upgrade that you posted about
          • this upgrade failed because it relies on the selinux policy that didn’t get loaded
          • steel_for_humans@piefed.socialOPEnglish
            1·
            2 天前

            I didn’t run a failed or aborted upgrades before that. Just zypper dup that day and it fell flat on its face during updating that accountsservice package. Everything is in my post, there was nothing before that. My system was fully functional before Friday.

            • MrScruff@lemmy.zip
              1·
              2 天前

              The failed zypper dup could have been from a day or week ago. It only recompiles the policy binary in the post transaction hooks.

              If you want to track it down take a look in /var/log

              There will be zypper logs and in zypp/history you can see all your transactions.

              • steel_for_humans@piefed.socialOPEnglish
                1·
                2 天前

                OK, that’s interesting :) I’m learning something new. What would I be looking for in the Zypper history log? Any keywords you’d look for?

                • MrScruff@lemmy.zip
                  1·
                  1 天前

                  I would start by grepping /var/log/zypper.log for aborted or posttrans, seeing where the previous installation failed to run the post transaction hook. Then check the timestamp and see if it makes more sense what happened.

                  I don’t use opensuse, or zypper, (arch btw) so I’m sorry I can’t give more detailed help.

                  The good news is I’ve seen multiple broken Ubuntu/Debian/etc systems from aborted upgrades too. So I don’t think your situation is unique to your distro. It’s more about learning what you system is actually doing when you update and how catch when something has gone wrong.

    • L3ft_F13ld!@lemmy.dbzer0.com
      3·
      5 天前

      If you’re not comfortable troubleshooting advanced stuff, then I recommend trying Linux Mint instead. Great starting point and you can always try Tumbleweed or something else again when you’re more comfortable.