Description of problem:
During a "dnf install" on a just installed fc27 I encountered this:
# dnf install <somepackage>
Last metadata expiration check: 0:04:38 ago on Fri 13 Oct 2017 07:17:42 PM CEST.
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
/etc/selinux/targeted/contexts/files/file_contexts.bin: line 1 error due to: Non-ASCII characters found
/etc/selinux/targeted/contexts/files/file_contexts.homedirs.bin: line 1 error due to: Non-ASCII characters found
Version-Release number of selected component (if applicable):
This isn't new, I don't think, I was seeing it a while ago. Didn't get around to reporting it yet, but I don't think it's a reason to -1 the update.
(In reply to Adam Williamson from comment #1)
> This isn't new, I don't think, I was seeing it a while ago.
I was seeing it upon the 1st update of a brand new fc27 _install_ (Not update) on a brand new machine.
> Didn't get
> around to reporting it yet, but I don't think it's a reason to -1 the update.
What else if not seeing an error in an update of brand new install is a reason to -1 an update, in your opinon?
After testing FC27 on several machines, I know SElinux in FC27 very bugged and broken with this incident likely being one detail contributing to it.
"What else if not seeing an error in an update of brand new install is a reason to -1 an update, in your opinon?"
The thing is, I don't think the bug is in the update. It happens on updates that don't involve SELinux packages at all; it's happening, I think, as a consequence of some other operation that occurs during update / install of some other packages, possibly a scriptlet, possibly a trigger.
That's why I said it doesn't make sense to -1 the update, as I don't think the update to selinux-policy is actually the cause.
I've found five other reports of the same error, now I went and looked:
https://bugzilla.redhat.com/show_bug.cgi?id=1386180 (that one seems ppc64-specific)
https://bugzilla.redhat.com/show_bug.cgi?id=1394042 (has a plausible-sounding diagnosis)
https://bugzilla.redhat.com/show_bug.cgi?id=1364173 (involves local customization)
https://bugzilla.redhat.com/show_bug.cgi?id=1499883 (suggests it happens on useradd, which would explain why it happens with some package scriptlets)
None of those relates to this update. This should probably be made a dupe of one of them.
*** Bug 1386180 has been marked as a duplicate of this bug. ***
*** Bug 1394042 has been marked as a duplicate of this bug. ***
file_contexts.bin file is regenerated by sefcontext_compile utility every time policy is rebuilt, e.g. during update, after semodule -B, ... and this file contains pre compiled pcre regexes from file_contexts.
libselinux tries to open and read /etc/selinux/targeted/contexts/files/file_contexts.bin and when there's an error, it tries to open and read /etc/selinux/targeted/contexts/files/file_contexts.
So the error message has no real impact on functionality.
The reason why you can see usually on a fresh system and on live images is that file_contexts.bin is being generated during build. But while selinux-policy is noarch, compiled regexes in file_contexts.bin are architecture dependent. And when a build occurs on an architecture with different endianness the problem appears.
We're planning to drop .bin files from selinux-policy completely. Originally we added them when there were bugs in libselinux which prevented Anaconda and Atomic systems to work without such files. It's probably not the case anymore.
For Fedora 26 it would have a small performance impact on Live and Atomic systems. On Fedora 27, there's already an investigation  which says that .bin files doesn't improve performance when used with PCRE2 and SELinux userspace release 2.7.
Not shipping pre-built arch dependent .bin files in a noarch pkgs sounds like a good solution to me. But in the mean anyone doing almost anything selinux related from the cmdline is still getting these ugly errors, so can you please drop the .bin files in the next policy update ?
We have this in Fedora Rawhide already and back ported to the F27. This change will be part of the next selinux-policy update.
Marking CommonBugs, we should document this for OOTB F27 users.
selinux-policy-3.13.1-283.17.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-d05b1a2ab9
selinux-policy-3.13.1-283.17.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-d05b1a2ab9
selinux-policy-3.13.1-283.17.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.