  • I know people are hating AI, but Opus again helped me. My system is fixed and updated. It diagnosed the root cause and told me how to fix it and I can attest that it worked. Below you can find a writeup on what was done.

    When working with AI I check the commands I don’t understand, consult the tldr pages and man pages or ask it to further explain what it wants to do and why. I also have Snapper and Restic backup so I wasn’t too worried about screwing things up.

    However, if system updates can fail like this and I’m not at fault (I wasn’t), then I think Tumbleweed or rolling distros in general are not for me. I cannot keep asking AI for help, SELinux, labeling something in the filesystem – I don’t even know what that means. It was rough today and it gave me a scare. I am not ready to troubleshoot such advanced concepts as a Linux newbie, so I think I’ll bail and switch to something else.


    Fixing zypper dup failure on openSUSE Tumbleweed with SELinux

    A debugging session covering an accountsservice RPM install failure during
    zypper dup, caused by a stale compiled SELinux policy in the kernel.


    The problem

    zypper dup failed on a single package:

    error: lsetfilecon: (11 /usr/share/accountsservice, system_u:object_r:accountsd_share_t:s0) Invalid argument  
    error: Plugin selinux: hook fsm_file_prepare failed  
    error: unpacking of archive failed on file /usr/share/accountsservice: cpio: (error 0x2)  
    error: accountsservice-23.13.9-11.3.x86_64: install failed  
    error: accountsservice-23.13.9-11.2.x86_64: erase skipped  
    (  4/360) Installing: accountsservice-23.13.9-11.3.x86_64 ..................................................................................................[error]  
    Installation of accountsservice-23.13.9-11.3.x86_64 failed:  
    Error: Subprocess failed. Error: RPM failed: Command exited with status 1.  
    Abort, retry, ignore? [a/r/i] (a): a  
    Warning: %posttrans and %transfiletrigger scripts are not executed when aborting!  
    Problem occurred during or after installation or removal of packages:  
    Installation has been aborted as directed.  
    

    Diagnosis

    The key line is:

    lsetfilecon: (11 /usr/share/accountsservice, system_u:object_r:accountsd_share_t:s0) Invalid argument  
    

    RPM’s SELinux plugin is trying to apply the label accountsd_share_t to
    /usr/share/accountsservice, and the kernel returns EINVAL. This typically
    means one of:

    1. The filesystem doesn’t support the xattrs SELinux needs, or
    2. The SELinux policy loaded in the kernel doesn’t know the type being applied.

    The %posttrans warning at the end is a consequence — it means other packages
    queued in the transaction had their post-transaction scripts skipped, so the
    system is in a partially-upgraded state.

    Gathering facts

    rpm -q selinux-policy  
    # → selinux-policy-20260410-1.1.noarch  
    
    zypper info selinux-policy  
    # → Status: up-to-date, Version: 20260410-1.1  
    
    sudo getenforce  
    # → Enforcing  
    
    sudo semanage module -l | grep accountsd  
    # → accountsd                 100       pp  
    
    sudo seinfo -t accountsd_share_t  
    # → Types: 0          ← smoking gun  
    
    df -T /usr/share/accountsservice  
    # → /dev/mapper/cr_root btrfs ...  
    
    getfattr -d -m - /usr/share/accountsservice  
    # → security.selinux="system_u:object_r:usr_t:s0"  
    
    sudo ausearch -ts recent -m AVC  
    # → AVCs related to snapper_sdbootutil_plugin_t, all permissive=1  
    # → unrelated to this failure  
    

    What the results mean

    • selinux-policy on disk is current (20260410-1.1).
    • The accountsd module is installed at priority 100.
    • But seinfo -t accountsd_share_t returns Types: 0 — the loaded kernel
      policy does not know this type.
    • Filesystem is Btrfs with xattrs working; the existing label usr_t is set
      fine, so it’s not a filesystem support issue.
    • The AVCs in the audit log are unrelated noise from the aborted dup — all
      permissive=1, from sdbootutil housekeeping.

    Root cause

    The selinux-policy RPM on disk defines accountsd_share_t, but the kernel
    is running an older compiled policy that predates that type. When RPM’s
    SELinux plugin tried to apply accountsd_share_t, the kernel said “I don’t
    know what that is” → EINVAL.

    This usually happens when selinux-policy was updated on disk in an earlier
    transaction, but the policy store wasn’t recompiled and reloaded — likely
    because a %posttrans script that would have called semodule -B was
    skipped during a prior interrupted transaction.


    Fix

    1. Rebuild and reload the policy store

    sudo semodule -B  
    

    This forces the modular policy (including accountsd) to be recompiled from
    the on-disk modules and loaded into the kernel. It can take 30–90 seconds.

    2. Verify the type is now known

    sudo seinfo -t accountsd_share_t  
    # → Types: 1  
    

    3. Retry the dup

    sudo zypper dup  
    

    The accountsservice install should now succeed. Because the first attempt
    aborted with %posttrans scripts skipped, zypper dup may have extra
    cleanup/reinstall work to do — that’s expected.

    4. Regenerate TPM2 PCR predictions

    During the dup, sdbootutil emitted warnings like:

    NVIndex policy created  
    WARNING: Volume key cannot be extracted. Dropping PCR 15  
    WARNING: File measure-pcr-prediction should be updated  
    WARNING: Call sdbootutil update-predictions --measure-pcr  
    find: '/var/lib/pcrlock.d/': No such file or directory  
    

    Breakdown:

    • Volume key cannot be extracted. Dropping PCR 15 — expected and
      harmless. sdbootutil binds without PCR 15 when the volume key isn’t
      available; unlock still works via other PCRs.
    • find: '/var/lib/pcrlock.d/': No such file or directory — ties back to
      one of the AVCs we saw: the snapper sdbootutil plugin removed pcrlock.d
      during cleanup. permissive=1 means SELinux didn’t block it; this is a
      plugin ordering issue, not an SELinux problem.
    • WARNING: Call sdbootutil update-predictions --measure-pcr — the PCR
      prediction file needs regenerating before the next boot, or TPM2 may fail
      to release LUKS keys and you’ll fall back to the passphrase prompt.

    Run the suggested command once dup completes cleanly:

    sudo sdbootutil update-predictions --measure-pcr  
    

    5. Schedule a filesystem relabel and reboot

    The on-disk label on /usr/share/accountsservice was still the generic
    usr_t, so after a policy jump it’s worth reconciling all labels:

    sudo fixfiles onboot  
    sudo reboot  
    

    fixfiles onboot schedules a full relabel at next boot — takes a few minutes
    during boot but is the cleanest way to get labels in sync with the updated
    policy.


    Full sequence

    sudo semodule -B                                    # rebuild policy  
    sudo seinfo -t accountsd_share_t                    # verify: Types: 1  
    sudo zypper dup                                     # finish the dup  
    sudo sdbootutil update-predictions --measure-pcr    # regen TPM predictions  
    sudo fixfiles onboot                                # schedule relabel  
    sudo reboot  
    

    Safety notes

    • Before rebooting, confirm the LUKS passphrase is accessible (in a password
      manager). TPM2 auto-unlock is a convenience layer on top of the passphrase
      — if predictions are wrong, the system falls back to the passphrase rather
      than locking you out.
    • openSUSE’s Btrfs + snapper setup means a pre-dup snapshot exists. Confirm
      with sudo snapper list. If anything goes sideways, an older snapshot can
      be booted from systemd-boot.
    • If the TPM2 unlock fails at first boot after dup, enter the passphrase and
      re-run sudo sdbootutil update-predictions --measure-pcr once booted —
      predictions sometimes need recalculating against the actual booted
      measurements.

    Key takeaways

    • lsetfilecon ... Invalid argument during an RPM install = the kernel
      policy doesn’t know a type the package is trying to apply. Fix with
      semodule -B to recompile and reload.
    • seinfo -t <type> returning Types: 0 for a type you expect to exist is
      the definitive signal that the loaded policy is stale relative to what’s on
      disk.
    • When a zypper dup aborts mid-transaction, %posttrans scripts are
      skipped — which can leave SELinux policy out of sync and cause cascading
      failures on the next dup. Finishing the transaction cleanly and relabeling
      afterwards is the safe recovery path.
    • The sdbootutil PCR warnings are separate from the SELinux issue but worth
      addressing in the same session, since the next reboot will exercise both.
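
The diagnosis steps from the writeup above, as an added example that is not part of the original comment: a POSIX shell script that pulls the type and path out of rpm's `lsetfilecon` error and applies the same two-way check (loaded policy lacks the type, or the path has no SELinux xattr). The function names and the three result labels are hypothetical; `seinfo` and `getfattr` are called as in the post and need the same privileges.

```shell
#!/bin/sh
# Added example, not from the original post. Input is rpm/zypper error output.

# Print "<selinux_type> <path>" for each "lsetfilecon ... Invalid argument" line.
parse_lsetfilecon() {
  while IFS= read -r line; do
    case $line in
      *"lsetfilecon: ("*") Invalid argument"*) ;;
      *) continue ;;
    esac
    body=${line#*"lsetfilecon: ("}          # "11 /path, user:role:type:level) ..."
    body=${body%%") Invalid argument"*}     # "11 /path, user:role:type:level"
    path=${body#* }; path=${path%, *}       # drop the leading number and the context
    ctx=${body##*, }                        # user:role:type:level
    rest=${ctx#*:}; rest=${rest#*:}         # strip user and role
    printf '%s %s\n' "${rest%%:*}" "$path"
  done
}

# Read `seinfo -t <type>` output on stdin; print the number after "Types:".
types_count() {
  awk '$1 == "Types:" { print $2; found = 1; exit } END { if (!found) print 0 }'
}

# Apply the writeup's two possible causes of the EINVAL.
#   $1 = types count in the loaded policy, $2 = getfattr output for the path
classify() {
  if [ "$1" -eq 0 ]; then
    echo stale-policy        # loaded policy lacks the type: rebuild with semodule -B
  elif printf '%s\n' "$2" | grep -q '^security\.selinux='; then
    echo type-known          # policy and xattrs are fine; the cause is elsewhere
  else
    echo no-selinux-xattr    # filesystem xattr support is the suspect
  fi
}

# Live use on the affected host: zypper dup 2>&1 | triage
triage() {
  parse_lsetfilecon | while read -r setype path; do
    n=$(seinfo -t "$setype" 2>/dev/null | types_count)
    x=$(getfattr -d -m - "$path" 2>/dev/null)
    printf '%s %s %s\n' "$setype" "$path" "$(classify "$n" "$x")"
  done
}
```

On the system described in the post, `triage` would report `stale-policy` for `accountsd_share_t` before `semodule -B` and `type-known` afterwards.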

  • steel_for_humans@piefed.social (OP) to openSUSE@lemmy.world, on “[SOLVED] Tumbleweed update” · 5 hours ago

    At the moment I’m thinking of hopping to Debian 😅 I ran Fedora Workstation for a few weeks out of an external drive and then openSUSE Tumbleweed for a couple weeks (this time on my main system drive) and thought I was good, never had any problems with updating the system. And today is my first distro update since I moved to openSUSE full-time and I get this :( Perhaps I am not ready for a rolling distro.

    btw did Slowroll get systemd-boot already?













  • I just use the Ryzen iGPU, don’t have a dedicated GPU. I set the fan curves in BIOS, so it’s the same across all OSes. I’m pretty sure it’s not the fans. My main suspect is the CPU because the noise is there in openSUSE’s installer, so even before anything touched the disks (they were straight from factory with no partitions). As soon as I launched the Tumbleweed installer I heard it. Not hearing it in Windows 11. I can hear it when the CPU is idle, if I start some program, run a compiler or even scroll fast in the web browser, there is no noise.




  • I am aware of the limitations. She is a really BASIC user. Just uses the web browser (Chrome, because it’s a Chrome OS, well — I’ll switch her to Firefox and she won’t notice ;) ), she surfs the net, watches YT and VOD (I know the DRM limitations, again, not an issue with her, she’s perfectly happy with 720p in a window) and chats on Facebook Messenger (sadly). I think an atomic distro can do all that out of the box and there’s nothing to install that’s not a web app or a Flatpak.

    Is rpm-ostree how you get the other packages? I don’t know much about it apart from what’s on Fedora’s website, my understanding is it modifies the local system image so whatever you install from RPM becomes part of it. But, again, she won’t need it. She’s the complete opposite of a power user.


  • I’m thinking of replacing Chrome OS on an older Chromebook (Acer CB-314) that’s been slowing down a lot. I don’t know what Google is doing but it feels like planned obsolescence. It’s becoming unresponsive even for regular web browsing and VOD. Based on some online guides I think I need to open the device to flip a hardware switch that makes the firmware write protected, so I need to convince my significant other to let me do it, because it’s her laptop, but she keeps complaining :)

    I was thinking of putting Mint on it, I want it to be super simple.

    I would also consider some atomic distro so she can’t break it :) Maybe Fedora Silverblue or something like that.


  • I see you’re already getting downvoted and I will probably share that predicament. I get you, I feel alike. I used various distros over 20 years ago but never got really deep into Linux internals and I also forgot a lot.

    I think AI can really be useful but not all models are equal (YMMV).

    A couple of real world scenarios where I was having problems that were way above my head at this stage.

    I encrypt my system disk with LUKS using TPM. I currently run openSUSE which has Snapper deeply integrated with the system. Because I was troubleshooting some issues and installing various packages I made some changes that I wanted to revert. Snapper is the fastest way for me, no manual reversal, no need to edit any config files, no leftovers. Just boot from a snapshot and roll back. I did that a few times. I had TPM auto-unlock set up but it stopped working. I tried re-enrolling but it still didn’t work. Of course I asked Sonnet 4.6 about that and after an AI-supported troubleshooting session the issue was resolved. It analyzed the logs, found the reason for my issue and explained what was causing it and why (in short: because I did not re-enroll the TPM key after each rollback, there were too many boot entries accumulated exceeding the systemd-pcrlock’s limit and causing all TPM predictions to fail silently).

    Second thing was OpenVPN not setting up the DNS after connecting. It took me half an hour of troubleshooting with Sonnet 4.6 and it explained what was happening and proposed a few solutions. In the end it turned out that in my scenario I need Dnsmasq which is dead simple and helped me to resolve my particular issue. What’s interesting is that when I asked about the same issue on openSUSE’s sub on Reddit, a SUSE developer told me to use dnsmasq, too :)

    Without AI I guess I’d just have to give up because no one was capable of helping me when I asked online (sure, maybe I didn’t ask enough or not in enough places). Without OpenVPN I cannot use this system, it’s mandatory for my job. I could switch to Fedora where OpenVPN 3 works, but I really wanted openSUSE.