Bug 2013642
| Summary: | udevadm warns on a new PCRE2 version: Regex version mismatch | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Petr Pisar <ppisar> |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 35 | CC: | bugzilla, dominik, dwalsh, fedoraproject, filbranden, flepied, geraldo.simiao.kutz, grepl.miroslav, grumpey0, justin, jwadodson, kasong, kim-rh, koen.schram, kparal, ljavorsk, lnykryn, lvrabec, maj.linux, mhjacks, mjuszkie, mmalik, mmuehlfe, mschorm, msekleta, omosnace, openprojectrizal, plautrba, ppywlkiqletw, rgm, richardfearn, rudi_3, ssahani, s, stanley.king, systemd-maint, thunderbirdtr, valdis.kletnieks, vitaly, vmojzis, voj-tech, yuwatana, zbyszek, zpytela |
| Target Milestone: | --- | Keywords: | Triaged |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-35.10-1.fc35 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2022-01-19 02:11:22 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Petr Pisar
2021-10-13 12:51:03 UTC
The message is not from udevadm, but seems from libselinux. I googled the message and found the following: https://lore.kernel.org/selinux/20210816165459.1741490-1-zhangkelvin@google.com/ Confirming it's libselinux - restorecon, su, and at least one or two other program are issuing the same message. After reading the patch, I realized that PCRE2 does not guarantee internal representation of opaque structures holding a compiled regular expression. If libselinux stores them into a file and load them later from a different process, when PCRE2 library was upgraded in between, it could indeed cause problems. If this is the case, then libselinux should version the serialized expressions on its behalf and recompile them when run-time version of PCRE2 changes. I'm afraid libselinux can't recompile the files as a random process like restorecon doesn't have necessary permissions. But I guess libselinux could suggest a command which would fix it, e.g.
diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c
index 2e28d0474d73..12a32473de06 100644
--- a/libselinux/src/label_file.c
+++ b/libselinux/src/label_file.c
@@ -189,7 +189,8 @@ static int load_mmap(FILE *fp, size_t len, struct selabel_handle *rec,
str_buf[entry_len] = '\0';
if ((strcmp(str_buf, reg_version) != 0)) {
COMPAT_LOG(SELINUX_ERROR,
- "Regex version mismatch, expected: %s actual: %s\n",
+ "Regex version mismatch, expected: %s actual: %s\n"
+ "Please run 'semodule -B' to recompile file context files\n",
reg_version, str_buf);
free(str_buf);
return -1;
The check for a PCRE2 version is only a rough heuristic. The compiled expression structure does not change with every PCRE2 upstream release. And at the same time the structure can change with a downstream patch within the same PCRE2 version.
Would you rather find appealing adding an RPM file trigger to libselinux package on PCRE2 library file (%{_libdir}/libpcre2-8.so.*)? That trigger would execute "semodule -B".
(In reply to Petr Pisar from comment #5) > Would you rather find appealing adding an RPM file trigger to libselinux > package on PCRE2 library file (%{_libdir}/libpcre2-8.so.*)? That trigger > would execute "semodule -B". Hmm.. I didn't know RPM allowed setting triggers on files from another RPM. But if this works, this sounds like the right solution, at worst we run a not strictly necessary semodule -B, but it would guarantee that everything is in sync. What happens if a sysadmin, for some reason, does a 'rpm -Uvh --force' of an earlier pcre2 version? Does the trigger pop then too? +1 for the file trigger. Strictly speaking, I think it should %transfiletrigger to do the thing only once per transaction.
> What happens if a sysadmin, for some reason, does a 'rpm -Uvh --force' of an earlier pcre2 version? Does the trigger pop then too?
Yes, filetriggers don't care whether you're upgrading or downgrading or adding or removing.
selinux-policy.spec already contains:
%triggerin -- pcre
%{_sbindir}/selinuxenabled && %{_sbindir}/semodule -nB
exit 0
I guess this needs to be updated to pcre2
https://src.fedoraproject.org/rpms/selinux-policy/pull-request/229 This would be a simple fix. But I guess using the file trigger we could make it even better. Can I assume, I hit here the same issue? on Fedora 35 this is. Running transaction Preparing : 1/1 Upgrading : pcre2-syntax-10.39-1.fc35.noarch 1/56 Upgrading : mesa-libglapi-21.3.4-1.fc35.x86_64 2/56 Upgrading : cups-libs-1:2.3.3op2-12.fc35.x86_64 3/56 Upgrading : pam-1.5.2-7.fc35.x86_64 4/56 Running scriptlet: pam-1.5.2-7.fc35.x86_64 4/56 Upgrading : cups-client-1:2.3.3op2-12.fc35.x86_64 5/56 Running scriptlet: cups-client-1:2.3.3op2-12.fc35.x86_64 5/56 Upgrading : wireplumber-libs-0.4.7-2.fc35.x86_64 6/56 Upgrading : wireplumber-0.4.7-2.fc35.x86_64 7/56 Upgrading : python3-libs-3.10.1-3.fc35.x86_64 8/56 Upgrading : python3-3.10.1-3.fc35.x86_64 9/56 Upgrading : python-unversioned-command-3.10.1-3.fc35.noarch 10/56 Upgrading : tigervnc-license-1.12.0-3.fc35.noarch 11/56 Upgrading : mesa-libgbm-21.3.4-1.fc35.x86_64 12/56 Upgrading : mesa-filesystem-21.3.4-1.fc35.x86_64 13/56 Upgrading : mesa-dri-drivers-21.3.4-1.fc35.x86_64 14/56 Upgrading : cups-filesystem-1:2.3.3op2-12.fc35.noarch 15/56 Upgrading : cryptsetup-libs-2.4.3-1.fc35.x86_64 16/56 Upgrading : cryptsetup-2.4.3-1.fc35.x86_64 17/56 Upgrading : cups-1:2.3.3op2-12.fc35.x86_64 18/56 Running scriptlet: cups-1:2.3.3op2-12.fc35.x86_64 18/56 Upgrading : tigervnc-server-minimal-1.12.0-3.fc35.x86_64 19/56 Upgrading : mesa-libEGL-21.3.4-1.fc35.x86_64 20/56 Upgrading : cups-ipptool-1:2.3.3op2-12.fc35.x86_64 21/56 Upgrading : mesa-libGL-21.3.4-1.fc35.x86_64 22/56 Upgrading : pcre2-10.39-1.fc35.x86_64 23/56 Upgrading : pcre2-utf16-10.39-1.fc35.x86_64 24/56 Upgrading : pcre2-utf32-10.39-1.fc35.x86_64 25/56 Upgrading : rubberband-2.0.0-2.fc35.x86_64 26/56 Upgrading : mesa-vulkan-drivers-21.3.4-1.fc35.x86_64 27/56 Upgrading : mesa-libxatracker-21.3.4-1.fc35.x86_64 28/56 Running scriptlet: cups-1:2.3.3op2-11.fc35.x86_64 29/56 Cleanup : cups-1:2.3.3op2-11.fc35.x86_64 29/56 Running scriptlet: cups-1:2.3.3op2-11.fc35.x86_64 29/56 Cleanup : tigervnc-server-minimal-1.11.0-14.fc35.x86_64 30/56 Cleanup : cryptsetup-2.4.2-1.fc35.x86_64 31/56 Cleanup : mesa-dri-drivers-21.3.3-1.fc35.x86_64 32/56 Running scriptlet: cups-client-1:2.3.3op2-11.fc35.x86_64 33/56 Cleanup : cups-client-1:2.3.3op2-11.fc35.x86_64 33/56 Running scriptlet: wireplumber-0.4.5-3.fc35.x86_64 34/56 Cleanup : wireplumber-0.4.5-3.fc35.x86_64 34/56 Cleanup : mesa-libGL-21.3.3-1.fc35.x86_64 35/56 Cleanup : mesa-libEGL-21.3.3-1.fc35.x86_64 36/56 Cleanup : cups-ipptool-1:2.3.3op2-11.fc35.x86_64 37/56 Cleanup : python-unversioned-command-3.10.1-2.fc35.noarch 38/56 Cleanup : python3-3.10.1-2.fc35.x86_64 39/56 Cleanup : pcre2-utf32-10.37-4.fc35.x86_64 40/56 Cleanup : pcre2-utf16-10.37-4.fc35.x86_64 41/56 Cleanup : pcre2-10.37-4.fc35.x86_64 42/56 Cleanup : pcre2-syntax-10.37-4.fc35.noarch 43/56 Cleanup : mesa-filesystem-21.3.3-1.fc35.x86_64 44/56 Cleanup : tigervnc-license-1.11.0-14.fc35.noarch 45/56 Cleanup : cups-filesystem-1:2.3.3op2-11.fc35.noarch 46/56 Cleanup : python3-libs-3.10.1-2.fc35.x86_64 47/56 Cleanup : cups-libs-1:2.3.3op2-11.fc35.x86_64 48/56 Cleanup : mesa-libgbm-21.3.3-1.fc35.x86_64 49/56 Cleanup : mesa-libglapi-21.3.3-1.fc35.x86_64 50/56 Cleanup : wireplumber-libs-0.4.5-3.fc35.x86_64 51/56 Cleanup : cryptsetup-libs-2.4.2-1.fc35.x86_64 52/56 Cleanup : pam-1.5.2-5.fc35.x86_64 53/56 Cleanup : rubberband-1.9.2-2.fc35.x86_64 54/56 Cleanup : mesa-vulkan-drivers-21.3.3-1.fc35.x86_64 55/56 Cleanup : mesa-libxatracker-21.3.3-1.fc35.x86_64 56/56 Running scriptlet: pam-1.5.2-7.fc35.x86_64 56/56 Running scriptlet: wireplumber-0.4.7-2.fc35.x86_64 56/56 Running scriptlet: mesa-libxatracker-21.3.3-1.fc35.x86_64 56/56 Regex version mismatch, expected: 10.39 2021-10-29 actual: 10.37 2021-05-26 Regex version mismatch, expected: 10.39 2021-10-29 actual: 10.37 2021-05-26 Regex version mismatch, expected: 10.39 2021-10-29 actual: 10.37 2021-05-26 Same on Fedora 35
- libselinux version: 3.3-1.fc35
Starting occuring after this update:
Packages Altered:
Upgrade flatpak-1.12.3-1.fc35.x86_64 @updates-testing
Upgraded flatpak-1.12.2-1.fc35.x86_64 @@System
Upgrade flatpak-libs-1.12.3-1.fc35.x86_64 @updates-testing
Upgraded flatpak-libs-1.12.2-1.fc35.x86_64 @@System
Upgrade flatpak-selinux-1.12.3-1.fc35.noarch @updates-testing
Upgraded flatpak-selinux-1.12.2-1.fc35.noarch @@System
Upgrade flatpak-session-helper-1.12.3-1.fc35.x86_64 @updates-testing
Upgraded flatpak-session-helper-1.12.2-1.fc35.x86_64 @@System
Upgrade koji-1.27.1-1.fc35.noarch @updates-testing
Upgraded koji-1.27.0-3.fc35.noarch @@System
Upgrade libibverbs-38.1-2.fc35.x86_64 @updates-testing
Upgraded libibverbs-38.1-1.fc35.x86_64 @@System
Upgrade mesa-dri-drivers-21.3.4-1.fc35.i686 @updates-testing
Upgraded mesa-dri-drivers-21.3.3-1.fc35.i686 @@System
Upgrade mesa-dri-drivers-21.3.4-1.fc35.x86_64 @updates-testing
Upgraded mesa-dri-drivers-21.3.3-1.fc35.x86_64 @@System
Upgrade mesa-filesystem-21.3.4-1.fc35.i686 @updates-testing
Upgraded mesa-filesystem-21.3.3-1.fc35.i686 @@System
Upgrade mesa-filesystem-21.3.4-1.fc35.x86_64 @updates-testing
Upgraded mesa-filesystem-21.3.3-1.fc35.x86_64 @@System
Upgrade mesa-libEGL-21.3.4-1.fc35.x86_64 @updates-testing
Upgraded mesa-libEGL-21.3.3-1.fc35.x86_64 @@System
Upgrade mesa-libGL-21.3.4-1.fc35.i686 @updates-testing
Upgraded mesa-libGL-21.3.3-1.fc35.i686 @@System
Upgrade mesa-libGL-21.3.4-1.fc35.x86_64 @updates-testing
Upgraded mesa-libGL-21.3.3-1.fc35.x86_64 @@System
Upgrade mesa-libgbm-21.3.4-1.fc35.x86_64 @updates-testing
Upgraded mesa-libgbm-21.3.3-1.fc35.x86_64 @@System
Upgrade mesa-libglapi-21.3.4-1.fc35.i686 @updates-testing
Upgraded mesa-libglapi-21.3.3-1.fc35.i686 @@System
Upgrade mesa-libglapi-21.3.4-1.fc35.x86_64 @updates-testing
Upgraded mesa-libglapi-21.3.3-1.fc35.x86_64 @@System
Upgrade mesa-vulkan-drivers-21.3.4-1.fc35.i686 @updates-testing
Upgraded mesa-vulkan-drivers-21.3.3-1.fc35.i686 @@System
Upgrade mesa-vulkan-drivers-21.3.4-1.fc35.x86_64 @updates-testing
Upgraded mesa-vulkan-drivers-21.3.3-1.fc35.x86_64 @@System
Upgrade pam-1.5.2-7.fc35.x86_64 @updates-testing
Upgraded pam-1.5.2-5.fc35.x86_64 @@System
Upgrade pcre2-10.39-1.fc35.i686 @updates-testing
Upgraded pcre2-10.37-4.fc35.i686 @@System
Upgrade pcre2-10.39-1.fc35.x86_64 @updates-testing
Upgraded pcre2-10.37-4.fc35.x86_64 @@System
Upgrade pcre2-syntax-10.39-1.fc35.noarch @updates-testing
Upgraded pcre2-syntax-10.37-4.fc35.noarch @@System
Upgrade pcre2-utf16-10.39-1.fc35.x86_64 @updates-testing
Upgraded pcre2-utf16-10.37-4.fc35.x86_64 @@System
Upgrade python3-koji-1.27.1-1.fc35.noarch @updates-testing
Upgraded python3-koji-1.27.0-3.fc35.noarch @@System
Upgrade python3-rpm-4.17.0-3.fc35.x86_64 @updates-testing
Upgraded python3-rpm-4.17.0-1.fc35.x86_64 @@System
Upgrade rpm-4.17.0-3.fc35.x86_64 @updates-testing
Upgraded rpm-4.17.0-1.fc35.x86_64 @@System
Upgrade rpm-build-4.17.0-3.fc35.x86_64 @updates-testing
Upgraded rpm-build-4.17.0-1.fc35.x86_64 @@System
Upgrade rpm-build-libs-4.17.0-3.fc35.x86_64 @updates-testing
Upgraded rpm-build-libs-4.17.0-1.fc35.x86_64 @@System
Upgrade rpm-libs-4.17.0-3.fc35.x86_64 @updates-testing
Upgraded rpm-libs-4.17.0-1.fc35.x86_64 @@System
Upgrade rpm-plugin-selinux-4.17.0-3.fc35.x86_64 @updates-testing
Upgraded rpm-plugin-selinux-4.17.0-1.fc35.x86_64 @@System
Upgrade rpm-plugin-systemd-inhibit-4.17.0-3.fc35.x86_64 @updates-testing
Upgraded rpm-plugin-systemd-inhibit-4.17.0-1.fc35.x86_64 @@System
Upgrade rpm-sign-libs-4.17.0-3.fc35.x86_64 @updates-testing
Upgraded rpm-sign-libs-4.17.0-1.fc35.x86_64 @@System
Upgrade wireplumber-0.4.7-2.fc35.x86_64 @updates-testing
Upgraded wireplumber-0.4.7-1.fc35.x86_64 @@System
Upgrade wireplumber-libs-0.4.7-2.fc35.x86_64 @updates-testing
Upgraded wireplumber-libs-0.4.7-1.fc35.x86_64 @@System
Scriptlet output:
1 Regex version mismatch, expected: 10.39 2021-10-29 actual: 10.37 2021-05-26
2 Regex version mismatch, expected: 10.39 2021-10-29 actual: 10.37 2021-05-26
3 Regex version mismatch, expected: 10.39 2021-10-29 actual: 10.37 2021-05-26
4 Regex version mismatch, expected: 10.39 2021-10-29 actual: 10.37 2021-05-26
I got this error, also, this morning after a 'dnf update' then system power cycle on Fedora 35. (In reply to Robert Moskowitz from comment #12) > I got this error, also, this morning after a 'dnf update' then system power > cycle on Fedora 35. I'm not sure, but by running `sudo dnf reinstall python3-regex boost-regex` fix the problem. At least for now. *** Bug 2041331 has been marked as a duplicate of this bug. *** Run this command to suppress the error message: # semodule -nB There will be a new selinux-policy build addressing this problem soon. *** Bug 2041223 has been marked as a duplicate of this bug. *** Can confirm this: Regex version mismatch, expected: 10.39 2021-10-29 actual: 10.37 2021-05-26 Regex version mismatch, expected: 10.39 2021-10-29 actual: 10.37 2021-05-26 Regex version mismatch, expected: 10.39 2021-10-29 actual: 10.37 2021-05-26 Regex version mismatch, expected: 10.39 2021-10-29 actual: 10.37 2021-05-26 Regex version mismatch, expected: 10.39 2021-10-29 actual: 10.37 2021-05-26 Regex version mismatch, expected: 10.39 2021-10-29 actual: 10.37 2021-05-26 *** Bug 2041207 has been marked as a duplicate of this bug. *** (In reply to Petr Pisar from comment #5) > The check for a PCRE2 version is only a rough heuristic. The compiled > expression structure does not change with every PCRE2 upstream release. And > at the same time the structure can change with a downstream patch within the > same PCRE2 version. > > Would you rather find appealing adding an RPM file trigger to libselinux > package on PCRE2 library file (%{_libdir}/libpcre2-8.so.*)? That trigger > would execute "semodule -B". I wish there were a comment in the spec file that explains why the selinux policy needs to be re-compiled. That was for a long time a mystery for me. confirm this, here too:
Upgrade pcre2-10.39-1.fc35.x86_64 @updates-testing
Upgraded pcre2-10.37-4.fc35.x86_64 @@System
Upgrade pcre2-syntax-10.39-1.fc35.noarch @updates-testing
Upgraded pcre2-syntax-10.37-4.fc35.noarch @@System
Upgrade pcre2-utf16-10.39-1.fc35.x86_64 @updates-testing
Upgraded pcre2-utf16-10.37-4.fc35.x86_64 @@System
Upgrade pcre2-utf32-10.39-1.fc35.x86_64 @updates-testing
Upgraded pcre2-utf32-10.37-4.fc35.x86_64 @@System
Upgrade python3-koji-1.27.1-1.fc35.noarch @updates-testing
Upgraded python3-koji-1.27.0-3.fc35.noarch @@System
Upgrade python3-rpm-4.17.0-3.fc35.x86_64 @updates-testing
Upgraded python3-rpm-4.17.0-1.fc35.x86_64 @@System
Upgrade rpm-4.17.0-3.fc35.x86_64 @updates-testing
Upgraded rpm-4.17.0-1.fc35.x86_64 @@System
Upgrade rpm-build-libs-4.17.0-3.fc35.x86_64 @updates-testing
Upgraded rpm-build-libs-4.17.0-1.fc35.x86_64 @@System
Upgrade rpm-libs-4.17.0-3.fc35.x86_64 @updates-testing
Upgraded rpm-libs-4.17.0-1.fc35.x86_64 @@System
Upgrade rpm-plugin-selinux-4.17.0-3.fc35.x86_64 @updates-testing
Upgraded rpm-plugin-selinux-4.17.0-1.fc35.x86_64 @@System
Upgrade rpm-plugin-systemd-inhibit-4.17.0-3.fc35.x86_64 @updates-testing
Upgraded rpm-plugin-systemd-inhibit-4.17.0-1.fc35.x86_64 @@System
Upgrade rpm-sign-libs-4.17.0-3.fc35.x86_64 @updates-testing
Upgraded rpm-sign-libs-4.17.0-1.fc35.x86_64 @@System
Upgrade tigervnc-license-1.12.0-3.fc35.noarch @updates-testing
Upgraded tigervnc-license-1.11.0-14.fc35.noarch @@System
Upgrade tigervnc-server-minimal-1.12.0-3.fc35.x86_64 @updates-testing
Upgraded tigervnc-server-minimal-1.11.0-14.fc35.x86_64 @@System
Upgrade wireplumber-0.4.7-2.fc35.x86_64 @updates-testing
Upgraded wireplumber-0.4.7-1.fc35.x86_64 @@System
Upgrade wireplumber-libs-0.4.7-2.fc35.x86_64 @updates-testing
Upgraded wireplumber-libs-0.4.7-1.fc35.x86_64 @@System
Saída do scriptlet:
1 Regex version mismatch, expected: 10.39 2021-10-29 actual: 10.37 2021-05-26
2 Regex version mismatch, expected: 10.39 2021-10-29 actual: 10.37 2021-05-26
3 Regex version mismatch, expected: 10.39 2021-10-29 actual: 10.37 2021-05-26
4 Regex version mismatch, expected: 10.39 2021-10-29 actual: 10.37 2021-05-26
5 Regex version mismatch, expected: 10.39 2021-10-29 actual: 10.37 2021-05-26
6 Regex version mismatch, expected: 10.39 2021-10-29 actual: 10.37 2021-05-26
Operating System: Fedora Linux 35
KDE Plasma Version: 5.23.4
KDE Frameworks Version: 5.90.0
Qt Version: 5.15.2
Kernel Version: 5.16.1-200.fc35.x86_64 (64-bit)
rpm -qa|grep pcre2
pcre2-debugsource-10.37-4.fc35.x86_64
pcre2-debuginfo-10.37-4.fc35.x86_64
pcre2-syntax-10.39-1.fc35.noarch
pcre2-10.39-1.fc35.x86_64
pcre2-utf16-10.39-1.fc35.x86_64
pcre2-utf32-10.39-1.fc35.x86_64
python3-regex-2021.11.10-1.fc35.x86_64
I have this to, shows up every time I do a 'su -'. Without running `semodule -nB` and just running `sudo dnf reinstall python3-regex boost-regex` until now the messages doesn't show up again when I upgrade, install, or running `su -`. I guess the python3 regex package get messed up when last time I installing something with `pip install`. FEDORA-2022-41fa7610dd has been submitted as an update to Fedora 35. https://bodhi.fedoraproject.org/updates/FEDORA-2022-41fa7610dd (In reply to Syaifur Rizal from comment #23) > Without running `semodule -nB` and just running `sudo dnf reinstall > python3-regex boost-regex` until now the messages doesn't show up again when > I upgrade, install, or running `su -`. > > I guess the python3 regex package get messed up when last time I installing > something with `pip install`. This is not a solution for me as I have neither of those packages installed. # dnf reinstall python3-regex boost-regex DigitalOcean Agent 38 kB/s | 3.3 kB 00:00 DigitalOcean Droplet Agent 39 kB/s | 3.3 kB 00:00 Package python3-regex available, but not installed. No match for argument: python3-regex Package boost-regex available, but not installed. No match for argument: boost-regex Error: No packages marked for reinstall. FEDORA-2022-41fa7610dd has been pushed to the Fedora 35 stable repository. If problem still persists, please make note of it in this bug report. (In reply to Fedora Update System from comment #24) > FEDORA-2022-41fa7610dd has been submitted as an update to Fedora 35. > https://bodhi.fedoraproject.org/updates/FEDORA-2022-41fa7610dd I can confirm this fixed this problem. This did not fix the issue for me: # semodule -nBv Committing changes: Found conflicting filecon rules at /var/lib/selinux/targeted/tmp/modules/100/miscfiles/cil:46 at /var/lib/selinux/targeted/tmp/modules/200/cockpit/cil:919 Problems processing filecon rules Failed post db handling Post process failed semodule: Failed! neither did dnf reinstall python3-regex boost-regex Nor the update https://bodhi.fedoraproject.org/updates/FEDORA-2022-41fa7610dd The new improved update https://bodhi.fedoraproject.org/updates/FEDORA-2022-87a0b7e8d0 only contains semodule -nB so it's unlikely to fix this (In reply to Rudi from comment #28) > The new improved update > https://bodhi.fedoraproject.org/updates/FEDORA-2022-87a0b7e8d0 only contains > semodule -nB so it's unlikely to fix this I expect this update fixes all known problems, it may report the 4 error lines though in the dnf output. (In reply to Zdenek Pytela from comment #29) > (In reply to Rudi from comment #28) > > The new improved update > > https://bodhi.fedoraproject.org/updates/FEDORA-2022-87a0b7e8d0 only contains > > semodule -nB so it's unlikely to fix this > > I expect this update fixes all known problems, it may report the 4 error > lines though in the dnf output. It seems that you were right. The improved update fixes this bug for me as well! (In reply to Rudi from comment #30) > It seems that you were right. The improved update fixes this bug for me as > well! Thanks for confirming, a big relief. (In reply to Zdenek Pytela from comment #31) > (In reply to Rudi from comment #30) > > It seems that you were right. The improved update fixes this bug for me as > > well! > > Thanks for confirming, a big relief. The critical test is to first update to the latest selinux-policy, and then update the pcre2 packages. I just did that, and the test is a pass. The error message never showed. When pcre2 is already updated, the selinux policy will be re-generated anyway when updating selinux-policy, even without the fix. I just did a dnf update selinux-policy.
It ran ok.
Then I tried dnf update pcre2. nothing to update. Tried just dnf update and no pcre2 listed. ???
Then while I was doing this, I got the following error:
SELinux is preventing tumblerd from write access on the sock_file bus.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that tumblerd should be allowed write access on the bus sock_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'tumblerd' --raw | audit2allow -M my-tumblerd
# semodule -X 300 -i my-tumblerd.pp
Additional Information:
Source Context unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023
Target Context system_u:object_r:session_dbusd_tmp_t:s0
Target Objects bus [ sock_file ]
Source tumblerd
Source Path tumblerd
Port <Unknown>
Host lx140e.htt-consult.com
Source RPM Packages
Target RPM Packages
SELinux Policy RPM selinux-policy-targeted-35.10-1.fc35.noarch
Local Policy RPM selinux-policy-targeted-35.10-1.fc35.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name lx140e.htt-consult.com
Platform Linux lx140e.htt-consult.com
5.15.14-200.fc35.x86_64 #1 SMP Tue Jan 11 16:49:27
UTC 2022 x86_64 x86_64
Alert Count 3
First Seen 2022-01-19 18:30:28 EST
Last Seen 2022-01-19 18:32:01 EST
Local ID efb2e4f1-0433-4b8f-9a60-37e76ac5d4af
Raw Audit Messages
type=AVC msg=audit(1642635121.61:3291): avc: denied { write } for pid=104237 comm="tumblerd" name="bus" dev="tmpfs" ino=40 scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=system_u:object_r:session_dbusd_tmp_t:s0 tclass=sock_file permissive=0
Hash: tumblerd,thumb_t,session_dbusd_tmp_t,sock_file,write
In fact, I keep getting this error, every couple minutes:
SELinux is preventing tumblerd from write access on the sock_file bus.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that tumblerd should be allowed write access on the bus sock_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'tumblerd' --raw | audit2allow -M my-tumblerd
# semodule -X 300 -i my-tumblerd.pp
Additional Information:
Source Context unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023
Target Context system_u:object_r:session_dbusd_tmp_t:s0
Target Objects bus [ sock_file ]
Source tumblerd
Source Path tumblerd
Port <Unknown>
Host lx140e.htt-consult.com
Source RPM Packages
Target RPM Packages
SELinux Policy RPM selinux-policy-targeted-35.10-1.fc35.noarch
Local Policy RPM selinux-policy-targeted-35.10-1.fc35.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name lx140e.htt-consult.com
Platform Linux lx140e.htt-consult.com
5.15.14-200.fc35.x86_64 #1 SMP Tue Jan 11 16:49:27
UTC 2022 x86_64 x86_64
Alert Count 7
First Seen 2022-01-19 18:30:28 EST
Last Seen 2022-01-19 18:36:59 EST
Local ID efb2e4f1-0433-4b8f-9a60-37e76ac5d4af
Raw Audit Messages
type=AVC msg=audit(1642635419.570:3307): avc: denied { write } for pid=104467 comm="tumblerd" name="bus" dev="tmpfs" ino=40 scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=system_u:object_r:session_dbusd_tmp_t:s0 tclass=sock_file permissive=0
Hash: tumblerd,thumb_t,session_dbusd_tmp_t,sock_file,write
I guess I need to report it as a separate bug...
(In reply to Robert Moskowitz from comment #33) > I just did a dnf update selinux-policy. > > It ran ok. > > Then I tried dnf update pcre2. nothing to update. Tried just dnf update and > no pcre2 listed. ??? > > Then while I was doing this, I got the following error: > > SELinux is preventing tumblerd from write access on the sock_file bus. > > ***** Plugin catchall (100. confidence) suggests > ************************** > > If you believe that tumblerd should be allowed write access on the bus > sock_file by default. > Then you should report this as a bug. > You can generate a local policy module to allow this access. > Do > allow this access for now by executing: > # ausearch -c 'tumblerd' --raw | audit2allow -M my-tumblerd > # semodule -X 300 -i my-tumblerd.pp > > Additional Information: > Source Context > unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 > Target Context system_u:object_r:session_dbusd_tmp_t:s0 > Target Objects bus [ sock_file ] > Source tumblerd > Source Path tumblerd > Port <Unknown> > Host lx140e.htt-consult.com > Source RPM Packages > Target RPM Packages > SELinux Policy RPM selinux-policy-targeted-35.10-1.fc35.noarch > Local Policy RPM selinux-policy-targeted-35.10-1.fc35.noarch > Selinux Enabled True > Policy Type targeted > Enforcing Mode Enforcing > Host Name lx140e.htt-consult.com > Platform Linux lx140e.htt-consult.com > 5.15.14-200.fc35.x86_64 #1 SMP Tue Jan 11 > 16:49:27 > UTC 2022 x86_64 x86_64 > Alert Count 3 > First Seen 2022-01-19 18:30:28 EST > Last Seen 2022-01-19 18:32:01 EST > Local ID efb2e4f1-0433-4b8f-9a60-37e76ac5d4af > > Raw Audit Messages > type=AVC msg=audit(1642635121.61:3291): avc: denied { write } for > pid=104237 comm="tumblerd" name="bus" dev="tmpfs" ino=40 > scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 > tcontext=system_u:object_r:session_dbusd_tmp_t:s0 tclass=sock_file > permissive=0 > > > Hash: tumblerd,thumb_t,session_dbusd_tmp_t,sock_file,write > > In fact, I keep getting this error, every couple minutes: > > SELinux is preventing tumblerd from write access on the sock_file bus. > > ***** Plugin catchall (100. confidence) suggests > ************************** > > If you believe that tumblerd should be allowed write access on the bus > sock_file by default. > Then you should report this as a bug. > You can generate a local policy module to allow this access. > Do > allow this access for now by executing: > # ausearch -c 'tumblerd' --raw | audit2allow -M my-tumblerd > # semodule -X 300 -i my-tumblerd.pp > > Additional Information: > Source Context > unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 > Target Context system_u:object_r:session_dbusd_tmp_t:s0 > Target Objects bus [ sock_file ] > Source tumblerd > Source Path tumblerd > Port <Unknown> > Host lx140e.htt-consult.com > Source RPM Packages > Target RPM Packages > SELinux Policy RPM selinux-policy-targeted-35.10-1.fc35.noarch > Local Policy RPM selinux-policy-targeted-35.10-1.fc35.noarch > Selinux Enabled True > Policy Type targeted > Enforcing Mode Enforcing > Host Name lx140e.htt-consult.com > Platform Linux lx140e.htt-consult.com > 5.15.14-200.fc35.x86_64 #1 SMP Tue Jan 11 > 16:49:27 > UTC 2022 x86_64 x86_64 > Alert Count 7 > First Seen 2022-01-19 18:30:28 EST > Last Seen 2022-01-19 18:36:59 EST > Local ID efb2e4f1-0433-4b8f-9a60-37e76ac5d4af > > Raw Audit Messages > type=AVC msg=audit(1642635419.570:3307): avc: denied { write } for > pid=104467 comm="tumblerd" name="bus" dev="tmpfs" ino=40 > scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 > tcontext=system_u:object_r:session_dbusd_tmp_t:s0 tclass=sock_file > permissive=0 > > > Hash: tumblerd,thumb_t,session_dbusd_tmp_t,sock_file,write > > I guess I need to report it as a separate bug... You are still using the old version 35.10-1. The selinux issues should be resolved in 35.11-1. The update is not yet pushed to stable, so dnf won't find it. If you need it sooner, you can manually download it from koji: https://koji.fedoraproject.org/koji/buildinfo?buildID=1879547 I have it still on Fedora 37: [root@puchatek grub2]# grub2-mkconfig -o grub.cfg Generating grub configuration file ... Regex version mismatch, expected: 10.40 2022-04-14 actual: 10.39 2021-10-29 <above line repeated 99 times> Adding boot menu entry for UEFI Firmware Settings ... done [root@puchatek grub2]# semodule -vB Committing changes: Ok: transaction number 8. [root@puchatek grub2]# grub2-mkconfig -o grub.cfg Generating grub configuration file ... Regex version mismatch, expected: 10.40 2022-04-14 actual: 10.39 2021-10-29 <above line repeated 99 times> Adding boot menu entry for UEFI Firmware Settings ... done [root@puchatek grub2]# rpm -qa|grep selinux-policy selinux-policy-37.12-2.fc37.noarch selinux-policy-minimum-37.12-2.fc37.noarch selinux-policy-targeted-37.12-2.fc37.noarch [root@puchatek grub2]# rpm -qa|grep pcre2 pcre2-syntax-10.40-1.fc37.1.noarch pcre2-10.40-1.fc37.1.x86_64 pcre2-utf32-10.40-1.fc37.1.x86_64 pcre2-utf16-10.40-1.fc37.1.x86_64 pcre2-devel-10.40-1.fc37.1.x86_64 pcre2-10.40-1.fc37.1.i686 Also in f38 :-( Regex version mismatch, expected: 10.42 2022-12-11 actual: 10.40 2022-04-14 #rpm -qa|grep selinux-policy selinux-policy-38.9-1.fc38.noarch selinux-policy-targeted-38.9-1.fc38.noarch selinux-policy-devel-38.9-1.fc38.noarch selinux-policy-doc-38.9-1.fc38.noarch # rpm -qa|grep pcre2 pcre2-syntax-10.42-1.fc38.1.noarch pcre2-10.42-1.fc38.1.x86_64 pcre2-utf16-10.42-1.fc38.1.x86_64 pcre2-utf32-10.42-1.fc38.1.x86_64 pcre2-devel-10.42-1.fc38.1.x86_64 pcre2-10.42-1.fc38.1.i686 Kim, can you please file a new bug against selinux-policy and link it here? Thanks! New bug no https://bugzilla.redhat.com/show_bug.cgi?id=2182648 as requested. |