Bug 2013642 - udevadm warns on a new PCRE2 version: Regex version mismatch
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 35
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Zdenek Pytela
QA Contact: Fedora Extras Quality Assurance
Duplicates: 2041207 2041223 2041331
Reported: 2021-10-13 12:51 UTC by Petr Pisar
Modified: 2022-01-20 00:49 UTC

Fixed In Version: selinux-policy-35.10-1.fc35
Last Closed: 2022-01-19 02:11:22 UTC
Type: Bug



Description Petr Pisar 2021-10-13 12:51:03 UTC
After upgrading pcre2 to 10.38, udevadm warns like this:

# udevadm 
Regex version mismatch, expected: 10.38 2021-10-01 actual: 10.37 2021-05-26
Regex version mismatch, expected: 10.38 2021-10-01 actual: 10.37 2021-05-26
Command verb required.

I recommend removing the version check because PCRE2 maintains compatibility well.

Affected package: systemd-udev-249.4-2.fc36.x86_64

Comment 1 Yu Watanabe 2021-10-13 12:58:33 UTC
The message is not from udevadm, but seems to be from libselinux.
I googled the message and found the following:
https://lore.kernel.org/selinux/20210816165459.1741490-1-zhangkelvin@google.com/

Comment 2 Valdis Kletnieks 2021-10-13 13:33:07 UTC
Confirming it's libselinux - restorecon, su, and at least one or two other programs are issuing the same message.

Comment 3 Petr Pisar 2021-10-13 14:56:06 UTC
After reading the patch, I realized that PCRE2 does not guarantee the internal representation of opaque structures holding a compiled regular expression. If libselinux stores them into a file and loads them later from a different process, when the PCRE2 library was upgraded in between, it could indeed cause problems. If this is the case, then libselinux should version the serialized expressions on its behalf and recompile them when the run-time version of PCRE2 changes.

Comment 4 Petr Lautrbach 2021-10-15 09:14:48 UTC
I'm afraid libselinux can't recompile the files as a random process like restorecon doesn't have necessary permissions. But I guess libselinux could suggest a command which would fix it, e.g.

diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c
index 2e28d0474d73..12a32473de06 100644
--- a/libselinux/src/label_file.c
+++ b/libselinux/src/label_file.c
@@ -189,7 +189,8 @@ static int load_mmap(FILE *fp, size_t len, struct selabel_handle *rec,
                str_buf[entry_len] = '\0';
                if ((strcmp(str_buf, reg_version) != 0)) {
                        COMPAT_LOG(SELINUX_ERROR,
-                               "Regex version mismatch, expected: %s actual: %s\n",
+                               "Regex version mismatch, expected: %s actual: %s\n"
+                               "Please run 'semodule -B' to recompile file context files\n",
                                reg_version, str_buf);
                        free(str_buf);
                        return -1;
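
Review bot: The added "Please run 'semodule -B'" line in the COMPAT_LOG call does not say that the command has to be run as root, although this branch is reached by whatever process loaded the file, including ones that cannot rebuild it themselves; suggest wording such as "Please run 'semodule -B' as root to recompile file context files". Folding the hint into the same format string also makes it part of the SELINUX_ERROR record and repeats it on every mismatching load, so a separate COMPAT_LOG call for the hint would keep the existing error line unchanged for anything that matches on it. The branch still frees str_buf and returns -1 after logging, so the behaviour on mismatch is unchanged.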

Comment 5 Petr Pisar 2021-10-15 11:15:33 UTC
The check for a PCRE2 version is only a rough heuristic. The compiled expression structure does not change with every PCRE2 upstream release. And at the same time the structure can change with a downstream patch within the same PCRE2 version.

Would you rather find appealing adding an RPM file trigger to libselinux package on PCRE2 library file (%{_libdir}/libpcre2-8.so.*)? That trigger would execute "semodule -B".
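
Added example, not part of the bug report and not libselinux code: a Python check for the stamp comparison discussed in comments 3 to 5, reading the PCRE2 version string recorded in a compiled file-context header and comparing it with a run-time version string. The header layout (magic 0xf97cff8a, format version, length-prefixed version string, little-endian), the function names and the sample bytes are assumptions made for illustration.

```python
"""Read the PCRE2 version stamp from a compiled file-context header.

Assumed layout (host byte order; little-endian is used here):
  uint32 magic, uint32 format version, then for format version >= 2
  a uint32 length followed by that many bytes of PCRE2 version string.
"""
import struct
import sys
from dataclasses import dataclass
from typing import Optional

FCONTEXT_MAGIC = 0xF97CFF8A   # assumed magic of a compiled file-context file
STAMP_MIN_FORMAT = 2          # assumed first format version that carries the stamp
MAX_STAMP_LEN = 256           # sanity bound chosen for this example


class HeaderError(ValueError):
    """The blob is not a usable compiled file-context header."""


@dataclass(frozen=True)
class Stamp:
    format_version: int
    regex_version: Optional[str]  # None: format predates the stamp


def read_stamp(blob: bytes) -> Stamp:
    """Parse magic, format version and the length-prefixed version string."""
    if len(blob) < 8:
        raise HeaderError("truncated header")
    magic, fmt = struct.unpack_from("<II", blob, 0)
    if magic != FCONTEXT_MAGIC:
        raise HeaderError(f"bad magic 0x{magic:08x}")
    if fmt < STAMP_MIN_FORMAT:
        return Stamp(fmt, None)
    if len(blob) < 12:
        raise HeaderError("truncated stamp length")
    (length,) = struct.unpack_from("<I", blob, 8)
    if not 0 < length <= MAX_STAMP_LEN or len(blob) < 12 + length:
        raise HeaderError("implausible or truncated stamp")
    try:
        text = blob[12:12 + length].decode("ascii")
    except UnicodeDecodeError as exc:
        raise HeaderError("stamp is not ASCII") from exc
    return Stamp(fmt, text)


def check(blob: bytes, runtime_version: str) -> str:
    """Return 'ok', 'stale' or 'unstamped' for one header."""
    stamp = read_stamp(blob)
    if stamp.regex_version is None:
        return "unstamped"
    # Exact string match, as with the strcmp() in the quoted hunk: any change
    # in the version or date counts as a mismatch, whether or not the
    # compiled-pattern layout actually changed.
    return "ok" if stamp.regex_version == runtime_version else "stale"


def mismatch_message(blob: bytes, runtime_version: str) -> Optional[str]:
    """Build the line in the format quoted in this report, or None if in sync."""
    stamp = read_stamp(blob)
    if stamp.regex_version in (None, runtime_version):
        return None
    return (f"Regex version mismatch, expected: {runtime_version} "
            f"actual: {stamp.regex_version}")


def make_sample(stamp: str, format_version: int = 5) -> bytes:
    """Constructed header prefix for the demo; not taken from a real system."""
    raw = stamp.encode("ascii")
    return struct.pack("<III", FCONTEXT_MAGIC, format_version, len(raw)) + raw


if __name__ == "__main__":
    if len(sys.argv) > 2:
        # usage: script.py "<run-time PCRE2 version string>" FILE...
        runtime = sys.argv[1]
        for path in sys.argv[2:]:
            with open(path, "rb") as fh:
                head = fh.read(12 + MAX_STAMP_LEN)
            try:
                print(path, check(head, runtime))
            except HeaderError as err:
                print(path, "unreadable:", err)
    else:
        sample = make_sample("10.37 2021-05-26")   # constructed input
        print(check(sample, "10.39 2021-10-29"))
        print(mismatch_message(sample, "10.39 2021-10-29"))
```

A "stale" result only says that the recorded string differs from the run-time one; as comment 5 points out, that is a heuristic for a layout change, not proof of one.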

Comment 6 Valdis Kletnieks 2021-10-15 22:28:33 UTC
(In reply to Petr Pisar from comment #5)
> Would you rather find appealing adding an RPM file trigger to libselinux
> package on PCRE2 library file (%{_libdir}/libpcre2-8.so.*)? That trigger
> would execute "semodule -B".

Hmm.. I didn't know RPM allowed setting triggers on files from another RPM. But if this works, this sounds like the right solution, at worst we run a not strictly necessary semodule -B, but it would guarantee that everything is in sync.

What happens if a sysadmin, for some reason, does a 'rpm -Uvh --force' of an earlier pcre2 version? Does the trigger pop then too?

Comment 7 Zbigniew Jędrzejewski-Szmek 2021-10-16 12:51:14 UTC
+1 for the file trigger. Strictly speaking, I think it should be %transfiletrigger to do the thing only once per transaction.

> What happens if a sysadmin, for some reason, does a 'rpm -Uvh --force' of an earlier pcre2 version? Does the trigger pop then too?
Yes, filetriggers don't care whether you're upgrading or downgrading or adding or removing.

Comment 8 Petr Lautrbach 2021-10-18 12:38:55 UTC
selinux-policy.spec already contains:

%triggerin -- pcre
%{_sbindir}/selinuxenabled && %{_sbindir}/semodule -nB
exit 0

I guess this needs to be updated to pcre2

Comment 9 Petr Lautrbach 2021-10-18 12:48:57 UTC
https://src.fedoraproject.org/rpms/selinux-policy/pull-request/229

This would be a simple fix. But I guess using the file trigger we could make it even better.

Comment 10 Justin Albstmeijer 2022-01-16 10:54:40 UTC
Can I assume, I hit here the same issue? on Fedora 35 this is.


Running transaction
  Preparing        :                                                       1/1 
  Upgrading        : pcre2-syntax-10.39-1.fc35.noarch                     1/56 
  Upgrading        : mesa-libglapi-21.3.4-1.fc35.x86_64                   2/56 
  Upgrading        : cups-libs-1:2.3.3op2-12.fc35.x86_64                  3/56 
  Upgrading        : pam-1.5.2-7.fc35.x86_64                              4/56 
  Running scriptlet: pam-1.5.2-7.fc35.x86_64                              4/56 
  Upgrading        : cups-client-1:2.3.3op2-12.fc35.x86_64                5/56 
  Running scriptlet: cups-client-1:2.3.3op2-12.fc35.x86_64                5/56 
  Upgrading        : wireplumber-libs-0.4.7-2.fc35.x86_64                 6/56 
  Upgrading        : wireplumber-0.4.7-2.fc35.x86_64                      7/56 
  Upgrading        : python3-libs-3.10.1-3.fc35.x86_64                     8/56 
  Upgrading        : python3-3.10.1-3.fc35.x86_64                          9/56 
  Upgrading        : python-unversioned-command-3.10.1-3.fc35.noarch      10/56 
  Upgrading        : tigervnc-license-1.12.0-3.fc35.noarch                11/56 
  Upgrading        : mesa-libgbm-21.3.4-1.fc35.x86_64                     12/56 
  Upgrading        : mesa-filesystem-21.3.4-1.fc35.x86_64                 13/56 
  Upgrading        : mesa-dri-drivers-21.3.4-1.fc35.x86_64                14/56 
  Upgrading        : cups-filesystem-1:2.3.3op2-12.fc35.noarch            15/56 
  Upgrading        : cryptsetup-libs-2.4.3-1.fc35.x86_64                  16/56 
  Upgrading        : cryptsetup-2.4.3-1.fc35.x86_64                       17/56 
  Upgrading        : cups-1:2.3.3op2-12.fc35.x86_64                       18/56 
  Running scriptlet: cups-1:2.3.3op2-12.fc35.x86_64                       18/56 
  Upgrading        : tigervnc-server-minimal-1.12.0-3.fc35.x86_64         19/56 
  Upgrading        : mesa-libEGL-21.3.4-1.fc35.x86_64                     20/56 
  Upgrading        : cups-ipptool-1:2.3.3op2-12.fc35.x86_64               21/56 
  Upgrading        : mesa-libGL-21.3.4-1.fc35.x86_64                      22/56 
  Upgrading        : pcre2-10.39-1.fc35.x86_64                            23/56 
  Upgrading        : pcre2-utf16-10.39-1.fc35.x86_64                      24/56 
  Upgrading        : pcre2-utf32-10.39-1.fc35.x86_64                      25/56 
  Upgrading        : rubberband-2.0.0-2.fc35.x86_64                       26/56 
  Upgrading        : mesa-vulkan-drivers-21.3.4-1.fc35.x86_64             27/56 
  Upgrading        : mesa-libxatracker-21.3.4-1.fc35.x86_64               28/56 
  Running scriptlet: cups-1:2.3.3op2-11.fc35.x86_64                       29/56 
  Cleanup          : cups-1:2.3.3op2-11.fc35.x86_64                       29/56 
  Running scriptlet: cups-1:2.3.3op2-11.fc35.x86_64                       29/56 
  Cleanup          : tigervnc-server-minimal-1.11.0-14.fc35.x86_64        30/56 
  Cleanup          : cryptsetup-2.4.2-1.fc35.x86_64                       31/56 
  Cleanup          : mesa-dri-drivers-21.3.3-1.fc35.x86_64                32/56 
  Running scriptlet: cups-client-1:2.3.3op2-11.fc35.x86_64                33/56 
  Cleanup          : cups-client-1:2.3.3op2-11.fc35.x86_64                33/56 
  Running scriptlet: wireplumber-0.4.5-3.fc35.x86_64                      34/56 
  Cleanup          : wireplumber-0.4.5-3.fc35.x86_64                      34/56 
  Cleanup          : mesa-libGL-21.3.3-1.fc35.x86_64                      35/56 
  Cleanup          : mesa-libEGL-21.3.3-1.fc35.x86_64                     36/56 
  Cleanup          : cups-ipptool-1:2.3.3op2-11.fc35.x86_64               37/56 
  Cleanup          : python-unversioned-command-3.10.1-2.fc35.noarch      38/56 
  Cleanup          : python3-3.10.1-2.fc35.x86_64                         39/56 
  Cleanup          : pcre2-utf32-10.37-4.fc35.x86_64                      40/56 
  Cleanup          : pcre2-utf16-10.37-4.fc35.x86_64                      41/56 
  Cleanup          : pcre2-10.37-4.fc35.x86_64                            42/56 
  Cleanup          : pcre2-syntax-10.37-4.fc35.noarch                     43/56 
  Cleanup          : mesa-filesystem-21.3.3-1.fc35.x86_64                 44/56 
  Cleanup          : tigervnc-license-1.11.0-14.fc35.noarch               45/56 
  Cleanup          : cups-filesystem-1:2.3.3op2-11.fc35.noarch            46/56 
  Cleanup          : python3-libs-3.10.1-2.fc35.x86_64                    47/56 
  Cleanup          : cups-libs-1:2.3.3op2-11.fc35.x86_64                  48/56 
  Cleanup          : mesa-libgbm-21.3.3-1.fc35.x86_64                     49/56 
  Cleanup          : mesa-libglapi-21.3.3-1.fc35.x86_64                   50/56 
  Cleanup          : wireplumber-libs-0.4.5-3.fc35.x86_64                 51/56 
  Cleanup          : cryptsetup-libs-2.4.2-1.fc35.x86_64                  52/56 
  Cleanup          : pam-1.5.2-5.fc35.x86_64                              53/56 
  Cleanup          : rubberband-1.9.2-2.fc35.x86_64                       54/56 
  Cleanup          : mesa-vulkan-drivers-21.3.3-1.fc35.x86_64             55/56 
  Cleanup          : mesa-libxatracker-21.3.3-1.fc35.x86_64               56/56 
  Running scriptlet: pam-1.5.2-7.fc35.x86_64                              56/56 
  Running scriptlet: wireplumber-0.4.7-2.fc35.x86_64                      56/56 
  Running scriptlet: mesa-libxatracker-21.3.3-1.fc35.x86_64               56/56 
Regex version mismatch, expected: 10.39 2021-10-29 actual: 10.37 2021-05-26
Regex version mismatch, expected: 10.39 2021-10-29 actual: 10.37 2021-05-26
Regex version mismatch, expected: 10.39 2021-10-29 actual: 10.37 2021-05-26

Comment 11 grumpey0 2022-01-16 11:43:05 UTC
Same on Fedora 35
- libselinux version: 3.3-1.fc35   
Started occurring after this update:
Packages Altered:
    Upgrade  flatpak-1.12.3-1.fc35.x86_64                    @updates-testing
    Upgraded flatpak-1.12.2-1.fc35.x86_64                    @@System
    Upgrade  flatpak-libs-1.12.3-1.fc35.x86_64               @updates-testing
    Upgraded flatpak-libs-1.12.2-1.fc35.x86_64               @@System
    Upgrade  flatpak-selinux-1.12.3-1.fc35.noarch            @updates-testing
    Upgraded flatpak-selinux-1.12.2-1.fc35.noarch            @@System
    Upgrade  flatpak-session-helper-1.12.3-1.fc35.x86_64     @updates-testing
    Upgraded flatpak-session-helper-1.12.2-1.fc35.x86_64     @@System
    Upgrade  koji-1.27.1-1.fc35.noarch                       @updates-testing
    Upgraded koji-1.27.0-3.fc35.noarch                       @@System
    Upgrade  libibverbs-38.1-2.fc35.x86_64                   @updates-testing
    Upgraded libibverbs-38.1-1.fc35.x86_64                   @@System
    Upgrade  mesa-dri-drivers-21.3.4-1.fc35.i686             @updates-testing
    Upgraded mesa-dri-drivers-21.3.3-1.fc35.i686             @@System
    Upgrade  mesa-dri-drivers-21.3.4-1.fc35.x86_64           @updates-testing
    Upgraded mesa-dri-drivers-21.3.3-1.fc35.x86_64           @@System
    Upgrade  mesa-filesystem-21.3.4-1.fc35.i686              @updates-testing
    Upgraded mesa-filesystem-21.3.3-1.fc35.i686              @@System
    Upgrade  mesa-filesystem-21.3.4-1.fc35.x86_64            @updates-testing
    Upgraded mesa-filesystem-21.3.3-1.fc35.x86_64            @@System
    Upgrade  mesa-libEGL-21.3.4-1.fc35.x86_64                @updates-testing
    Upgraded mesa-libEGL-21.3.3-1.fc35.x86_64                @@System
    Upgrade  mesa-libGL-21.3.4-1.fc35.i686                   @updates-testing
    Upgraded mesa-libGL-21.3.3-1.fc35.i686                   @@System
    Upgrade  mesa-libGL-21.3.4-1.fc35.x86_64                 @updates-testing
    Upgraded mesa-libGL-21.3.3-1.fc35.x86_64                 @@System
    Upgrade  mesa-libgbm-21.3.4-1.fc35.x86_64                @updates-testing
    Upgraded mesa-libgbm-21.3.3-1.fc35.x86_64                @@System
    Upgrade  mesa-libglapi-21.3.4-1.fc35.i686                @updates-testing
    Upgraded mesa-libglapi-21.3.3-1.fc35.i686                @@System
    Upgrade  mesa-libglapi-21.3.4-1.fc35.x86_64              @updates-testing
    Upgraded mesa-libglapi-21.3.3-1.fc35.x86_64              @@System
    Upgrade  mesa-vulkan-drivers-21.3.4-1.fc35.i686          @updates-testing
    Upgraded mesa-vulkan-drivers-21.3.3-1.fc35.i686          @@System
    Upgrade  mesa-vulkan-drivers-21.3.4-1.fc35.x86_64        @updates-testing
    Upgraded mesa-vulkan-drivers-21.3.3-1.fc35.x86_64        @@System
    Upgrade  pam-1.5.2-7.fc35.x86_64                         @updates-testing
    Upgraded pam-1.5.2-5.fc35.x86_64                         @@System
    Upgrade  pcre2-10.39-1.fc35.i686                         @updates-testing
    Upgraded pcre2-10.37-4.fc35.i686                         @@System
    Upgrade  pcre2-10.39-1.fc35.x86_64                       @updates-testing
    Upgraded pcre2-10.37-4.fc35.x86_64                       @@System
    Upgrade  pcre2-syntax-10.39-1.fc35.noarch                @updates-testing
    Upgraded pcre2-syntax-10.37-4.fc35.noarch                @@System
    Upgrade  pcre2-utf16-10.39-1.fc35.x86_64                 @updates-testing
    Upgraded pcre2-utf16-10.37-4.fc35.x86_64                 @@System
    Upgrade  python3-koji-1.27.1-1.fc35.noarch               @updates-testing
    Upgraded python3-koji-1.27.0-3.fc35.noarch               @@System
    Upgrade  python3-rpm-4.17.0-3.fc35.x86_64                @updates-testing
    Upgraded python3-rpm-4.17.0-1.fc35.x86_64                @@System
    Upgrade  rpm-4.17.0-3.fc35.x86_64                        @updates-testing
    Upgraded rpm-4.17.0-1.fc35.x86_64                        @@System
    Upgrade  rpm-build-4.17.0-3.fc35.x86_64                  @updates-testing
    Upgraded rpm-build-4.17.0-1.fc35.x86_64                  @@System
    Upgrade  rpm-build-libs-4.17.0-3.fc35.x86_64             @updates-testing
    Upgraded rpm-build-libs-4.17.0-1.fc35.x86_64             @@System
    Upgrade  rpm-libs-4.17.0-3.fc35.x86_64                   @updates-testing
    Upgraded rpm-libs-4.17.0-1.fc35.x86_64                   @@System
    Upgrade  rpm-plugin-selinux-4.17.0-3.fc35.x86_64         @updates-testing
    Upgraded rpm-plugin-selinux-4.17.0-1.fc35.x86_64         @@System
    Upgrade  rpm-plugin-systemd-inhibit-4.17.0-3.fc35.x86_64 @updates-testing
    Upgraded rpm-plugin-systemd-inhibit-4.17.0-1.fc35.x86_64 @@System
    Upgrade  rpm-sign-libs-4.17.0-3.fc35.x86_64              @updates-testing
    Upgraded rpm-sign-libs-4.17.0-1.fc35.x86_64              @@System
    Upgrade  wireplumber-0.4.7-2.fc35.x86_64                 @updates-testing
    Upgraded wireplumber-0.4.7-1.fc35.x86_64                 @@System
    Upgrade  wireplumber-libs-0.4.7-2.fc35.x86_64            @updates-testing
    Upgraded wireplumber-libs-0.4.7-1.fc35.x86_64            @@System
Scriptlet output:
   1 Regex version mismatch, expected: 10.39 2021-10-29 actual: 10.37 2021-05-26
   2 Regex version mismatch, expected: 10.39 2021-10-29 actual: 10.37 2021-05-26
   3 Regex version mismatch, expected: 10.39 2021-10-29 actual: 10.37 2021-05-26
   4 Regex version mismatch, expected: 10.39 2021-10-29 actual: 10.37 2021-05-26

Comment 12 Robert Moskowitz 2022-01-16 16:39:52 UTC
I got this error, also, this morning after a 'dnf update' then system power cycle on Fedora 35.

Comment 13 Syaifur Rizal 2022-01-16 22:53:00 UTC
(In reply to Robert Moskowitz from comment #12)
> I got this error, also, this morning after a 'dnf update' then system power
> cycle on Fedora 35.

I'm not sure, but running `sudo dnf reinstall python3-regex boost-regex` fixes the problem. At least for now.

Comment 14 Petr Lautrbach 2022-01-17 08:11:08 UTC
*** Bug 2041331 has been marked as a duplicate of this bug. ***

Comment 15 Petr Lautrbach 2022-01-17 08:13:32 UTC
Run this command to suppress the error message:

# semodule -nB

Comment 16 Zdenek Pytela 2022-01-17 09:27:43 UTC
There will be a new selinux-policy build addressing this problem soon.

Comment 17 Zdenek Pytela 2022-01-17 09:27:58 UTC
*** Bug 2041223 has been marked as a duplicate of this bug. ***

Comment 18 Vitaly Zaitsev 2022-01-17 15:47:27 UTC
Can confirm this:

Regex version mismatch, expected: 10.39 2021-10-29 actual: 10.37 2021-05-26
Regex version mismatch, expected: 10.39 2021-10-29 actual: 10.37 2021-05-26
Regex version mismatch, expected: 10.39 2021-10-29 actual: 10.37 2021-05-26

Regex version mismatch, expected: 10.39 2021-10-29 actual: 10.37 2021-05-26
Regex version mismatch, expected: 10.39 2021-10-29 actual: 10.37 2021-05-26
Regex version mismatch, expected: 10.39 2021-10-29 actual: 10.37 2021-05-26

Comment 19 Zdenek Pytela 2022-01-17 15:48:01 UTC
*** Bug 2041207 has been marked as a duplicate of this bug. ***

Comment 20 Villy Kruse 2022-01-17 19:09:44 UTC
(In reply to Petr Pisar from comment #5)
> The check for a PCRE2 version is only a rough heuristic. The compiled
> expression structure does not change with every PCRE2 upstream release. And
> at the same time the structure can change with a downstream patch within the
> same PCRE2 version.
> 
> Would you rather find appealing adding an RPM file trigger to libselinux
> package on PCRE2 library file (%{_libdir}/libpcre2-8.so.*)? That trigger
> would execute "semodule -B".

I wish there were a comment in the spec file that explains why the selinux policy needs to be re-compiled.
That was for a long time a mystery for me.

Comment 21 Geraldo Simião 2022-01-17 20:46:23 UTC
confirm this, here too:
    Upgrade  pcre2-10.39-1.fc35.x86_64                       @updates-testing
    Upgraded pcre2-10.37-4.fc35.x86_64                       @@System
    Upgrade  pcre2-syntax-10.39-1.fc35.noarch                @updates-testing
    Upgraded pcre2-syntax-10.37-4.fc35.noarch                @@System
    Upgrade  pcre2-utf16-10.39-1.fc35.x86_64                 @updates-testing
    Upgraded pcre2-utf16-10.37-4.fc35.x86_64                 @@System
    Upgrade  pcre2-utf32-10.39-1.fc35.x86_64                 @updates-testing
    Upgraded pcre2-utf32-10.37-4.fc35.x86_64                 @@System
    Upgrade  python3-koji-1.27.1-1.fc35.noarch               @updates-testing
    Upgraded python3-koji-1.27.0-3.fc35.noarch               @@System
    Upgrade  python3-rpm-4.17.0-3.fc35.x86_64                @updates-testing
    Upgraded python3-rpm-4.17.0-1.fc35.x86_64                @@System
    Upgrade  rpm-4.17.0-3.fc35.x86_64                        @updates-testing
    Upgraded rpm-4.17.0-1.fc35.x86_64                        @@System
    Upgrade  rpm-build-libs-4.17.0-3.fc35.x86_64             @updates-testing
    Upgraded rpm-build-libs-4.17.0-1.fc35.x86_64             @@System
    Upgrade  rpm-libs-4.17.0-3.fc35.x86_64                   @updates-testing
    Upgraded rpm-libs-4.17.0-1.fc35.x86_64                   @@System
    Upgrade  rpm-plugin-selinux-4.17.0-3.fc35.x86_64         @updates-testing
    Upgraded rpm-plugin-selinux-4.17.0-1.fc35.x86_64         @@System
    Upgrade  rpm-plugin-systemd-inhibit-4.17.0-3.fc35.x86_64 @updates-testing
    Upgraded rpm-plugin-systemd-inhibit-4.17.0-1.fc35.x86_64 @@System
    Upgrade  rpm-sign-libs-4.17.0-3.fc35.x86_64              @updates-testing
    Upgraded rpm-sign-libs-4.17.0-1.fc35.x86_64              @@System
    Upgrade  tigervnc-license-1.12.0-3.fc35.noarch           @updates-testing
    Upgraded tigervnc-license-1.11.0-14.fc35.noarch          @@System
    Upgrade  tigervnc-server-minimal-1.12.0-3.fc35.x86_64    @updates-testing
    Upgraded tigervnc-server-minimal-1.11.0-14.fc35.x86_64   @@System
    Upgrade  wireplumber-0.4.7-2.fc35.x86_64                 @updates-testing
    Upgraded wireplumber-0.4.7-1.fc35.x86_64                 @@System
    Upgrade  wireplumber-libs-0.4.7-2.fc35.x86_64            @updates-testing
    Upgraded wireplumber-libs-0.4.7-1.fc35.x86_64            @@System

Saída do scriptlet:
   1 Regex version mismatch, expected: 10.39 2021-10-29 actual: 10.37 2021-05-26
   2 Regex version mismatch, expected: 10.39 2021-10-29 actual: 10.37 2021-05-26
   3 Regex version mismatch, expected: 10.39 2021-10-29 actual: 10.37 2021-05-26
   4 Regex version mismatch, expected: 10.39 2021-10-29 actual: 10.37 2021-05-26
   5 Regex version mismatch, expected: 10.39 2021-10-29 actual: 10.37 2021-05-26
   6 Regex version mismatch, expected: 10.39 2021-10-29 actual: 10.37 2021-05-26


Operating System: Fedora Linux 35
KDE Plasma Version: 5.23.4
KDE Frameworks Version: 5.90.0
Qt Version: 5.15.2
Kernel Version: 5.16.1-200.fc35.x86_64 (64-bit)

rpm -qa|grep pcre2
pcre2-debugsource-10.37-4.fc35.x86_64
pcre2-debuginfo-10.37-4.fc35.x86_64
pcre2-syntax-10.39-1.fc35.noarch
pcre2-10.39-1.fc35.x86_64
pcre2-utf16-10.39-1.fc35.x86_64
pcre2-utf32-10.39-1.fc35.x86_64

python3-regex-2021.11.10-1.fc35.x86_64

Comment 22 Ferry Huberts 2022-01-17 21:22:08 UTC
I have this too, shows up every time I do a 'su -'.

Comment 23 Syaifur Rizal 2022-01-18 05:10:22 UTC
Without running `semodule -nB` and just running `sudo dnf reinstall python3-regex boost-regex` until now the messages don't show up again when I upgrade, install, or run `su -`.

I guess the python3 regex package got messed up the last time I installed something with `pip install`.

Comment 24 Fedora Update System 2022-01-18 10:09:37 UTC
FEDORA-2022-41fa7610dd has been submitted as an update to Fedora 35. https://bodhi.fedoraproject.org/updates/FEDORA-2022-41fa7610dd

Comment 25 Marcus Summers 2022-01-18 19:01:33 UTC
(In reply to Syaifur Rizal from comment #23)
> Without running `semodule -nB` and just running `sudo dnf reinstall
> python3-regex boost-regex` until now the messages don't show up again when
> I upgrade, install, or run `su -`.
> 
> I guess the python3 regex package got messed up the last time I installed
> something with `pip install`.

This is not a solution for me as I have neither of those packages installed.

# dnf reinstall python3-regex boost-regex
DigitalOcean Agent                               38 kB/s | 3.3 kB     00:00
DigitalOcean Droplet Agent                       39 kB/s | 3.3 kB     00:00
Package python3-regex available, but not installed.
No match for argument: python3-regex
Package boost-regex available, but not installed.
No match for argument: boost-regex
Error: No packages marked for reinstall.

Comment 26 Fedora Update System 2022-01-19 02:11:22 UTC
FEDORA-2022-41fa7610dd has been pushed to the Fedora 35 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 27 Kamil Páral 2022-01-19 09:21:42 UTC
(In reply to Fedora Update System from comment #24)
> FEDORA-2022-41fa7610dd has been submitted as an update to Fedora 35.
> https://bodhi.fedoraproject.org/updates/FEDORA-2022-41fa7610dd

I can confirm this fixed this problem.

Comment 28 Rudi 2022-01-19 19:10:24 UTC
This did not fix the issue for me:
# semodule -nBv 
Committing changes:
Found conflicting filecon rules
  at /var/lib/selinux/targeted/tmp/modules/100/miscfiles/cil:46
  at /var/lib/selinux/targeted/tmp/modules/200/cockpit/cil:919
Problems processing filecon rules
Failed post db handling
Post process failed
semodule:  Failed!

neither did
dnf reinstall python3-regex boost-regex

Nor the update https://bodhi.fedoraproject.org/updates/FEDORA-2022-41fa7610dd
The new improved update https://bodhi.fedoraproject.org/updates/FEDORA-2022-87a0b7e8d0 only contains semodule -nB so it's unlikely to fix this

Comment 29 Zdenek Pytela 2022-01-19 19:19:23 UTC
(In reply to Rudi from comment #28)
> The new improved update
> https://bodhi.fedoraproject.org/updates/FEDORA-2022-87a0b7e8d0 only contains
> semodule -nB so it's unlikely to fix this

I expect this update fixes all known problems, it may report the 4 error lines though in the dnf output.

Comment 30 Rudi 2022-01-19 20:47:43 UTC
(In reply to Zdenek Pytela from comment #29)
> (In reply to Rudi from comment #28)
> > The new improved update
> > https://bodhi.fedoraproject.org/updates/FEDORA-2022-87a0b7e8d0 only contains
> > semodule -nB so it's unlikely to fix this
> 
> I expect this update fixes all known problems, it may report the 4 error
> lines though in the dnf output.

It seems that you were right. The improved update fixes this bug for me as well!

Comment 31 Zdenek Pytela 2022-01-19 21:19:46 UTC
(In reply to Rudi from comment #30)
> It seems that you were right. The improved update fixes this bug for me as
> well!

Thanks for confirming, a big relief.

Comment 32 Villy Kruse 2022-01-19 22:12:14 UTC
(In reply to Zdenek Pytela from comment #31)
> (In reply to Rudi from comment #30)
> > It seems that you were right. The improved update fixes this bug for me as
> > well!
> 
> Thanks for confirming, a big relief.

The critical test is to first update to the latest selinux-policy, and then update the pcre2 packages.
I just did that, and the test is a pass.  The error message never showed.

When pcre2 is already updated, the selinux policy will be re-generated anyway when updating selinux-policy, even without the fix.

Comment 33 Robert Moskowitz 2022-01-19 23:38:36 UTC
I just did a dnf update selinux-policy.

It ran ok.

Then I tried dnf update pcre2. nothing to update.  Tried just dnf update and no pcre2 listed.  ???

Then while I was doing this, I got the following error:

SELinux is preventing tumblerd from write access on the sock_file bus.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that tumblerd should be allowed write access on the bus sock_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'tumblerd' --raw | audit2allow -M my-tumblerd
# semodule -X 300 -i my-tumblerd.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023
Target Context                system_u:object_r:session_dbusd_tmp_t:s0
Target Objects                bus [ sock_file ]
Source                        tumblerd
Source Path                   tumblerd
Port                          <Unknown>
Host                          lx140e.htt-consult.com
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-35.10-1.fc35.noarch
Local Policy RPM              selinux-policy-targeted-35.10-1.fc35.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     lx140e.htt-consult.com
Platform                      Linux lx140e.htt-consult.com
                              5.15.14-200.fc35.x86_64 #1 SMP Tue Jan 11 16:49:27
                              UTC 2022 x86_64 x86_64
Alert Count                   3
First Seen                    2022-01-19 18:30:28 EST
Last Seen                     2022-01-19 18:32:01 EST
Local ID                      efb2e4f1-0433-4b8f-9a60-37e76ac5d4af

Raw Audit Messages
type=AVC msg=audit(1642635121.61:3291): avc:  denied  { write } for  pid=104237 comm="tumblerd" name="bus" dev="tmpfs" ino=40 scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=system_u:object_r:session_dbusd_tmp_t:s0 tclass=sock_file permissive=0


Hash: tumblerd,thumb_t,session_dbusd_tmp_t,sock_file,write

In fact, I keep getting this error, every couple minutes:

SELinux is preventing tumblerd from write access on the sock_file bus.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that tumblerd should be allowed write access on the bus sock_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'tumblerd' --raw | audit2allow -M my-tumblerd
# semodule -X 300 -i my-tumblerd.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023
Target Context                system_u:object_r:session_dbusd_tmp_t:s0
Target Objects                bus [ sock_file ]
Source                        tumblerd
Source Path                   tumblerd
Port                          <Unknown>
Host                          lx140e.htt-consult.com
Source RPM Packages           
Target RPM Packages           
SELinux Policy RPM            selinux-policy-targeted-35.10-1.fc35.noarch
Local Policy RPM              selinux-policy-targeted-35.10-1.fc35.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     lx140e.htt-consult.com
Platform                      Linux lx140e.htt-consult.com
                              5.15.14-200.fc35.x86_64 #1 SMP Tue Jan 11 16:49:27
                              UTC 2022 x86_64 x86_64
Alert Count                   7
First Seen                    2022-01-19 18:30:28 EST
Last Seen                     2022-01-19 18:36:59 EST
Local ID                      efb2e4f1-0433-4b8f-9a60-37e76ac5d4af

Raw Audit Messages
type=AVC msg=audit(1642635419.570:3307): avc:  denied  { write } for  pid=104467 comm="tumblerd" name="bus" dev="tmpfs" ino=40 scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023 tcontext=system_u:object_r:session_dbusd_tmp_t:s0 tclass=sock_file permissive=0


Hash: tumblerd,thumb_t,session_dbusd_tmp_t,sock_file,write

I guess I need to report it as a separate bug...

Comment 34 Rudi 2022-01-20 00:49:46 UTC
(In reply to Robert Moskowitz from comment #33)
> I just did a dnf update selinux-policy.
> 
> It ran ok.
> 
> Then I tried dnf update pcre2. nothing to update.  Tried just dnf update and
> no pcre2 listed.  ???
> 
> Then while I was doing this, I got the following error:
> 
> SELinux is preventing tumblerd from write access on the sock_file bus.
> 
> *****  Plugin catchall (100. confidence) suggests  
> **************************
> 
> If you believe that tumblerd should be allowed write access on the bus
> sock_file by default.
> Then you should report this as a bug.
> You can generate a local policy module to allow this access.
> Do
> allow this access for now by executing:
> # ausearch -c 'tumblerd' --raw | audit2allow -M my-tumblerd
> # semodule -X 300 -i my-tumblerd.pp
> 
> Additional Information:
> Source Context               
> unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023
> Target Context                system_u:object_r:session_dbusd_tmp_t:s0
> Target Objects                bus [ sock_file ]
> Source                        tumblerd
> Source Path                   tumblerd
> Port                          <Unknown>
> Host                          lx140e.htt-consult.com
> Source RPM Packages           
> Target RPM Packages           
> SELinux Policy RPM            selinux-policy-targeted-35.10-1.fc35.noarch
> Local Policy RPM              selinux-policy-targeted-35.10-1.fc35.noarch
> Selinux Enabled               True
> Policy Type                   targeted
> Enforcing Mode                Enforcing
> Host Name                     lx140e.htt-consult.com
> Platform                      Linux lx140e.htt-consult.com
>                               5.15.14-200.fc35.x86_64 #1 SMP Tue Jan 11
> 16:49:27
>                               UTC 2022 x86_64 x86_64
> Alert Count                   3
> First Seen                    2022-01-19 18:30:28 EST
> Last Seen                     2022-01-19 18:32:01 EST
> Local ID                      efb2e4f1-0433-4b8f-9a60-37e76ac5d4af
> 
> Raw Audit Messages
> type=AVC msg=audit(1642635121.61:3291): avc:  denied  { write } for 
> pid=104237 comm="tumblerd" name="bus" dev="tmpfs" ino=40
> scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:session_dbusd_tmp_t:s0 tclass=sock_file
> permissive=0
> 
> 
> Hash: tumblerd,thumb_t,session_dbusd_tmp_t,sock_file,write
> 
> In fact, I keep getting this error, every couple minutes:
> 
> SELinux is preventing tumblerd from write access on the sock_file bus.
> 
> *****  Plugin catchall (100. confidence) suggests  
> **************************
> 
> If you believe that tumblerd should be allowed write access on the bus
> sock_file by default.
> Then you should report this as a bug.
> You can generate a local policy module to allow this access.
> Do
> allow this access for now by executing:
> # ausearch -c 'tumblerd' --raw | audit2allow -M my-tumblerd
> # semodule -X 300 -i my-tumblerd.pp
> 
> Additional Information:
> Source Context               
> unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023
> Target Context                system_u:object_r:session_dbusd_tmp_t:s0
> Target Objects                bus [ sock_file ]
> Source                        tumblerd
> Source Path                   tumblerd
> Port                          <Unknown>
> Host                          lx140e.htt-consult.com
> Source RPM Packages           
> Target RPM Packages           
> SELinux Policy RPM            selinux-policy-targeted-35.10-1.fc35.noarch
> Local Policy RPM              selinux-policy-targeted-35.10-1.fc35.noarch
> Selinux Enabled               True
> Policy Type                   targeted
> Enforcing Mode                Enforcing
> Host Name                     lx140e.htt-consult.com
> Platform                      Linux lx140e.htt-consult.com
>                               5.15.14-200.fc35.x86_64 #1 SMP Tue Jan 11
> 16:49:27
>                               UTC 2022 x86_64 x86_64
> Alert Count                   7
> First Seen                    2022-01-19 18:30:28 EST
> Last Seen                     2022-01-19 18:36:59 EST
> Local ID                      efb2e4f1-0433-4b8f-9a60-37e76ac5d4af
> 
> Raw Audit Messages
> type=AVC msg=audit(1642635419.570:3307): avc:  denied  { write } for 
> pid=104467 comm="tumblerd" name="bus" dev="tmpfs" ino=40
> scontext=unconfined_u:unconfined_r:thumb_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:session_dbusd_tmp_t:s0 tclass=sock_file
> permissive=0
> 
> 
> Hash: tumblerd,thumb_t,session_dbusd_tmp_t,sock_file,write
> 
> I guess I need to report it as a separate bug...

You are still using the old version 35.10-1. The selinux issues should be resolved in 35.11-1. The update is not yet pushed to stable, so dnf won't find it. If you need it sooner, you can manually download it from koji:
https://koji.fedoraproject.org/koji/buildinfo?buildID=1879547

