Upgrade to 13.5.1 failed

Hello all. I just upgraded to version 13.5.1 and got the following error text from the gitlab-ctl reconfigure step. I can no longer pull or push but the web interface appears to be working ok.

There was an error running gitlab-ctl reconfigure:

execute[semodule -i /opt/gitlab/embedded/selinux/rhel/7/gitlab-13.5.0-gitlab-shell.pp] (gitlab::selinux line 32) had an error: Mixlib::ShellOut::ShellCommandFailed: Expected process to exit with [0], but received '1'
---- Begin output of semodule -i /opt/gitlab/embedded/selinux/rhel/7/gitlab-13.5.0-gitlab-shell.pp ----
STDERR: libsemanage.semanage_pipe_data: Child process /usr/libexec/selinux/hll/pp failed with code: 255. (No such file or directory).
gitlab-13.5.0-gitlab-shell: libsepol.policydb_read: policydb module version 19 does not match my version range 4-17
gitlab-13.5.0-gitlab-shell: libsepol.sepol_module_package_read: invalid module in module package (at section 0)
gitlab-13.5.0-gitlab-shell: Failed to read policy package
libsemanage.semanage_direct_commit: Failed to compile hll files into cil files.
 (No such file or directory).
semodule:  Failed!
---- End output of semodule -i /opt/gitlab/embedded/selinux/rhel/7/gitlab-13.5.0-gitlab-shell.pp ----
Ran semodule -i /opt/gitlab/embedded/selinux/rhel/7/gitlab-13.5.0-gitlab-shell.pp returned 1

Any ideas?

Now I have (perhaps temporarily) recovered it, I have time to give a little more detail.

Omnibus edition on CentOS 7, upgrading from GitLab 14.4.3.

After disabling SELinux, sudo gitlab-ctl reconfigure ran without errors and I am now able to push/pull etc.

Then after re-enabling SELinux, again sudo gitlab-ctl reconfigure ran with the same error as before.

However git push/pull work (presumably because reconfigure completed when SELinux was disabled) so I am leaving it in this state…

Could be missing selinux packages, have you got these installed?

libsemanage-static libsemanage-devel policycoreutils

if it still fails with selinux enabled at this point, it would need debugging using the selinux tools to find out what is blocking.

With the system running in permissive mode, you will see errors in the logs related to selinux, of which we can use for fixing selinux contexts, etc. Then once these are dealt with, selinux can be re-enabled. But it may just be one of the missing dependencies above, and the rest would sort itself out during reconfigure.

1 Like

Great stuff, I was missing the libsemanage-* packages and policycoreutils needed upgrading. After that reconfigure was successful.

Many thanks!

Hi, How to upgrade libsemanage-* packages and policycoreutils ?

@erkant4n just do:

yum update

to update your system, or if you want to install/upgrade just the above packages, then:

yum install libsemanage-static libsemanage-devel policycoreutils