Bug 2318279

Summary: "dnf update" spends very long time setting file contexts in selinux related scriptlets fixfiles/restorecon
Product: [Fedora] Fedora Reporter: H.Janssen <hmmsjan>
Component: policycoreutilsAssignee: Petr Lautrbach <plautrba>
Status: NEW --- QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: 41CC: dwalsh, garrett, lvrabec, mmalik, plautrba, vmojzis
Target Milestone: ---Keywords: Desktop
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
Screenshot
none
tar archive with relevant files. Note: contains system file. none

Description H.Janssen 2024-10-12 06:08:59 UTC 
Probably duplicate or regression, but I can't find the original anymore. Sorry.

Depending on installed packages and update packages, it might happen that a selinux-related scriplet runs for, in my case, 20 minutes on an old laptop.
This points to an erroneous the sed script in /sbin/fixfiles 

policycoreutils-3.7-3.fc41.x86_64

Reproducible: Always

Steps to Reproduce:
1.Backup relevant files and extract attached tar files
2.run fixfiles -C /var/run/rpm-state/file_contexts.pre check (or /var/tmp/fixfiles)
3.follow restorecon with strace -f or check output files generated by /var/tmp/fixfiles.
Actual Results:  
Whole /usr/* checked

Expected Results:  
Only relevant files checked

The action of the sed script in fixfiles is not what you expect, as shown in attached screenshot showing the action of the sed command before and after. 
Attached: screenshot and tar file containing the relevant files for "fixfiles"
Comment 1 H.Janssen 2024-10-12 06:10:05 UTC 
Created attachment 2051662 [details]
Screenshot
Comment 2 H.Janssen 2024-10-12 06:11:37 UTC 
Created attachment 2051663 [details]
tar archive with relevant files. Note: contains system file.
Comment 3 H.Janssen 2024-10-12 18:29:15 UTC 
Found it, duplicate of bug https://bugzilla.redhat.com/show_bug.cgi?id=1832327
But still alive in Fedora 41 beta.
Comment 4 H.Janssen 2024-10-12 19:20:35 UTC 
It looks like adding:

 -e 's|(^/.*/)s\?bin/(.*)|\1bin/\2\n\1sbin/\2|' \

on top of the chain solves the problem for my testset, mostly entries from the  container-selinux package.
But more testing needed.
Comment 5 Petr Lautrbach 2024-10-14 16:43:11 UTC 
It's not a real regression. It's just related to the recent change in selinux policy which touched rules related to /usr/s?bin/... which is poorly translated to /usr/* 
You should not experience the same problem after next selinux policy update.

' -e 's|(^/.*/)s\?bin/(.*)|\1bin/\2\n\1sbin/\2|' \' is a nice workaround trick which would help in this particular case. But it would not help when the policy would introduce a filecontext like '/usr/*.logs' or so. In this case the complete relabel of /usr would happen again.
Comment 6 H.Janssen 2024-10-15 06:53:01 UTC 
Thanks, I think I understand the problem. If SELinux processes a given file, it can match it's name against regexp's. In case of fixing the labels for a given regexp, you can only do it after reading the whole directory structure in memory, which costs time anyhow. No real solution possible, I'm afraid. Maybe a warning from the script what might be going on if a short search path is in  the list, so people are not confronted with a "hanging" post-install script.
Comment 7 Garrett M 2024-11-26 14:20:53 UTC 
*** Bug 2326999 has been marked as a duplicate of this bug. ***