Bug 2318279

Summary: "dnf update" spends very long time setting file contexts in selinux related scriptlets fixfiles/restorecon
Product: [Fedora] Fedora Reporter: H.Janssen <hmmsjan>
Component: policycoreutilsAssignee: Petr Lautrbach <plautrba>
Status: CLOSED EOL QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: 41CC: dwalsh, garrett, lvrabec, mmalik, plautrba, vmojzis
Target Milestone: ---Keywords: Desktop
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2025-12-16 17:15:38 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
Screenshot
none
tar archive with relevant files. Note: contains system file. none

Description H.Janssen 2024-10-12 06:08:59 UTC 
Probably duplicate or regression, but I can't find the original anymore. Sorry.

Depending on installed packages and update packages, it might happen that a selinux-related scriplet runs for, in my case, 20 minutes on an old laptop.
This points to an erroneous the sed script in /sbin/fixfiles 

policycoreutils-3.7-3.fc41.x86_64

Reproducible: Always

Steps to Reproduce:
1.Backup relevant files and extract attached tar files
2.run fixfiles -C /var/run/rpm-state/file_contexts.pre check (or /var/tmp/fixfiles)
3.follow restorecon with strace -f or check output files generated by /var/tmp/fixfiles.
Actual Results:  
Whole /usr/* checked

Expected Results:  
Only relevant files checked

The action of the sed script in fixfiles is not what you expect, as shown in attached screenshot showing the action of the sed command before and after. 
Attached: screenshot and tar file containing the relevant files for "fixfiles"
Comment 1 H.Janssen 2024-10-12 06:10:05 UTC 
Created attachment 2051662 [details]
Screenshot
Comment 2 H.Janssen 2024-10-12 06:11:37 UTC 
Created attachment 2051663 [details]
tar archive with relevant files. Note: contains system file.
Comment 3 H.Janssen 2024-10-12 18:29:15 UTC 
Found it, duplicate of bug https://bugzilla.redhat.com/show_bug.cgi?id=1832327
But still alive in Fedora 41 beta.
Comment 4 H.Janssen 2024-10-12 19:20:35 UTC 
It looks like adding:

 -e 's|(^/.*/)s\?bin/(.*)|\1bin/\2\n\1sbin/\2|' \

on top of the chain solves the problem for my testset, mostly entries from the  container-selinux package.
But more testing needed.
Comment 5 Petr Lautrbach 2024-10-14 16:43:11 UTC 
It's not a real regression. It's just related to the recent change in selinux policy which touched rules related to /usr/s?bin/... which is poorly translated to /usr/* 
You should not experience the same problem after next selinux policy update.

' -e 's|(^/.*/)s\?bin/(.*)|\1bin/\2\n\1sbin/\2|' \' is a nice workaround trick which would help in this particular case. But it would not help when the policy would introduce a filecontext like '/usr/*.logs' or so. In this case the complete relabel of /usr would happen again.
Comment 6 H.Janssen 2024-10-15 06:53:01 UTC 
Thanks, I think I understand the problem. If SELinux processes a given file, it can match it's name against regexp's. In case of fixing the labels for a given regexp, you can only do it after reading the whole directory structure in memory, which costs time anyhow. No real solution possible, I'm afraid. Maybe a warning from the script what might be going on if a short search path is in  the list, so people are not confronted with a "hanging" post-install script.
Comment 7 Garrett M 2024-11-26 14:20:53 UTC 
*** Bug 2326999 has been marked as a duplicate of this bug. ***
Comment 8 Adam Williamson 2025-12-02 01:21:18 UTC 
This message is a reminder that Fedora Linux 41 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 41 on 2025-12-15.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
'version' of '41'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, change the 'version' 
to a later Fedora Linux version. Note that the version field may be hidden.
Click the "Show advanced fields" button if you do not see it.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora Linux 41 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora Linux, you are encouraged to change the 'version' to a later version
prior to this bug being closed.
Comment 9 Samyak Jain (RedHat) 2025-12-16 17:15:38 UTC 
Fedora Linux 41 entered end-of-life (EOL) status on 2025-12-15.

Fedora Linux 41 is no longer maintained, which means that it
will not receive any further security or bug fix updates. As a result we
are closing this bug.

If you can reproduce this bug against a currently maintained version of Fedora Linux
please feel free to reopen this bug against that version. Note that the version
field may be hidden. Click the "Show advanced fields" button if you do not see
the version field.

If you are unable to reopen this bug, please file a new report against an
active release.

Thank you for reporting this bug and we are sorry it could not be fixed.