1. emerge =dev-libs/libpcre-8.33
2. run matchpathcon, restorecon ...
# matchpathcon /sbin
/sbin <<none>>
# restorecon -Fv /sbin
restorecon: Warning no default label for /sbin
3. emerge =dev-libs/libpcre-8.32-r1
4. run matchpathcon, restorecon ...
# matchpathcon /sbin
/sbin system_u:object_r:bin_t:s0
# restorecon -Fv /sbin
Fine!

# sestatus -v
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: mls
Current mode: permissive
Mode from config file: permissive
Policy MLS status: enabled
Policy deny_unknown status: denied
Max kernel policy version: 28

Process contexts:
Current context: root:sysadm_r:sysadm_t:s0-s15:c0.c1023
Init context: system_u:system_r:init_t:s0-s15:c0.c1023
/sbin/agetty system_u:system_r:getty_t:s0-s15:c0.c1023
/usr/sbin/sshd system_u:system_r:sshd_t:s0-s15:c0.c1023

File contexts:
Controlling terminal: root:object_r:user_devpts_t:s0
/sbin/init system_u:object_r:init_exec_t:s0
/sbin/agetty system_u:object_r:getty_exec_t:s0
/bin/login system_u:object_r:login_exec_t:s0
/sbin/rc system_u:object_r:rc_exec_t:s0
/usr/sbin/sshd system_u:object_r:sshd_exec_t:s0
/sbin/unix_chkpwd system_u:object_r:chkpwd_exec_t:s0
/etc/passwd system_u:object_r:etc_t:s0
/etc/shadow system_u:object_r:shadow_t:s0
/bin/sh system_u:object_r:bin_t:s0 -> system_u:object_r:shell_exec_t:s0
/bin/bash system_u:object_r:shell_exec_t:s0
/bin/tcsh system_u:object_r:shell_exec_t:s0
/bin/csh system_u:object_r:bin_t:s0 -> system_u:object_r:shell_exec_t:s0
/usr/bin/newrole system_u:object_r:newrole_exec_t:s0
/usr/bin/gdm system_u:object_r:bin_t:s0 -> system_u:object_r:bin_t:s0
/lib/libc.so.6 system_u:object_r:lib_t:s0 -> system_u:object_r:lib_t:s0
/lib/ld-linux.so.2 system_u:object_r:lib_t:s0 -> system_u:object_r:ld_so_t:s0

Portage 2.2.0_alpha177 (hardened/linux/amd64/selinux, gcc-4.8.0, glibc-2.17, 3.9.4-pax.x86_64 x86_64)
=================================================================
System Settings
=================================================================
System uname: Linux-3.9.4-pax.x86_64-x86_64-Intel-R-_Core-TM-2_Quad_CPU_Q9300_@_2.50GHz-with-gentoo-2.2
KiB Mem: 6114248 total, 484508 free
KiB Swap: 10484724 total, 10316496 free
Timestamp of tree: Wed, 29 May 2013 15:15:01 +0000
ld GNU gold (GNU Binutils 2.23.2) 1.11
ccache version 3.1.9 [disabled]
app-shells/bash: 4.2_p45
dev-java/java-config: 2.2.0
dev-lang/python: 2.5.4-r5, 2.6.8-r1, 2.7.5, 3.1.5-r1, 3.2.5, 3.3.2
dev-util/ccache: 3.1.9
dev-util/cmake: 2.8.10.2-r2
dev-util/pkgconfig: 0.28
sys-apps/baselayout: 2.2
sys-apps/openrc: 0.11.8
sys-apps/sandbox: 2.6-r1
sys-devel/autoconf: 2.13, 2.69
sys-devel/automake: 1.13.2
sys-devel/binutils: 2.23.2
sys-devel/gcc: 4.6.4, 4.7.3, 4.8.0
sys-devel/gcc-config: 1.8
sys-devel/libtool: 2.4.2
sys-devel/make: 3.82-r4
sys-kernel/linux-headers: 3.9 (virtual/os-headers)
sys-libs/glibc: 2.17
Repositories: gentoo systemd hardened-dev custom
Installed sets: @local
ACCEPT_KEYWORDS="amd64 x86 ~amd64 ~x86"
ACCEPT_LICENSE="* -@EULA"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-Wall -Wextra -ggdb -march=native -pipe -O3 -fno-tree-vectorize -frecord-gcc-switches"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/config /usr/share/gnupg/qualified.txt /usr/share/polkit-1/actions /var/bind"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/splash /etc/terminfo"
CXXFLAGS="-Wall -Wextra -ggdb -march=native -pipe -O3 -fno-tree-vectorize -frecord-gcc-switches"
DISTDIR="/var/portage/distfiles"
EMERGE_DEFAULT_OPTS="--keep-going"
FCFLAGS="-Wall -Wextra -ggdb -march=native -pipe -O3 -fno-tree-vectorize -frecord-gcc-switches"
FEATURES="assume-digests binpkg-logs buildpkg collision-protect config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync multilib-strict news parallel-fetch preserve-libs protect-owned sandbox selinux sesandbox sfperms split-elog split-log splitdebug strict test test-fail-continue unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync webrsync-gpg xattr"
FFLAGS="-Wall -Wextra -ggdb -march=native -pipe -O3 -fno-tree-vectorize -frecord-gcc-switches"
GENTOO_MIRRORS="http://mirrors.163.com/gentoo http://distfiles.gentoo.org"
LANG="en_US.UTF-8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed -Wl,--hash-style=gnu -Wl,--icf=safe"
MAKEOPTS="V=1 -j10"
PKGDIR="/var/portage/packages-amd64"
PORTAGE_BZIP2_COMMAND="lbzip2"
PORTAGE_COMPRESS="xz"
PORTAGE_COMPRESS_FLAGS="-9ef"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_EXTRA_OPTS="--ipv4"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/var/lib/layman/systemd /var/lib/layman/hardened-development /usr/local/portage"
SYNC="rsync://mirrors.ustc.edu.cn/gentoo-portage"
USE="X acl alsa amd64 audit bash-completion berkdb bzip2 c++0x cairo caps cli cracklib crypt custom-cflags cxx dbus dri ffmpeg gdbm gmp gnome gpm gtk gtk3 hardened iconv icu ipv6 jit jpeg jpeg2k justify lzma mmx modules mudflap multilib ncurses nls nptl open_perms opengl openmp orc pam pax_kernel pcre png pulseaudio qt4 readline selinux session sse sse2 ssl svg systemd tcpd threads tiff udev unicode urandom vim-syntax xattr xinetd zlib"
ABI_X86="x32 32 64"
ALSA_CARDS="hda-intel"
ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol"
APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias"
CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author"
CAMERAS="ptp2"
COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog"
DRACUT_MODULES="btrfs caps dmsquash-live gensplash livenet lvm nfs ssh-client syslog systemd"
ELIBC="glibc"
GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx"
INPUT_DEVICES="evdev"
KERNEL="linux"
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text"
LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer"
LINGUAS="en en_US zh zh_CN"
OFFICE_IMPLEMENTATION="libreoffice"
PHP_TARGETS="php5-3"
PYTHON_SINGLE_TARGET="python2_7"
PYTHON_TARGETS="pypy1_9 pypy2_0 python3_1 python3_2 python3_3 python2_5 python2_6 python2_7"
QEMU_SOFTMMU_TARGETS="x86_64 arm mips64el ppc64"
RUBY_TARGETS="ruby18 ruby19"
USERLAND="GNU"
VIDEO_CARDS="nouveau nvidia"
XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
USE_PYTHON="2.7-pypy-1.9 2.7-pypy-2.0 3.1 3.2 3.3 2.5 2.6 2.7"
Unset: CPPFLAGS, CTARGET, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND
=================================================================
Package Settings
=================================================================
sys-libs/libselinux-2.1.13-r2 was built with the following:
USE="(python) ruby -static-libs" RUBY_TARGETS="ruby18 ruby19"
dev-libs/libpcre-8.33 was built with the following:
USE="bzip2 cxx jit (multilib) readline recursion-limit (selinux) (unicode) zlib -libedit -pcre16 -pcre32 -static-libs"
Hiya @base-system

Do you know of possible regressions in libpcre (or changes) that cause expressions to behave differently?
(In reply to Sven Vermeulen from comment #1)
> Hiya @base-system
>
> Do you know of possible regressions in libpcre (or changes) that cause
> expressions to behave differently?

http://vcs.pcre.org/viewvc?view=revision&revision=1313
matchpathcon works fine with libpcre (revision < 1313).
Sorry for taking this long, I've mailed the selinux mailing list about it to see if this is a problem with libpcre or if the selinux tools are calling libpcre in the wrong way.
Taking it back, looks like it's about missing precompiled expressions...

@Alphat-PC, can you go to the /etc/selinux/*/contexts/files/ location and see if there are any *.bin files in there (like file_contexts.bin)?

If there are, we should recompile those:

# sefcontext_compile file_contexts

This should rebuild the binary file, and hopefully fix the problem. Can you confirm this? If so, I'll need to see if/how we can trigger this (or document).
(In reply to Sven Vermeulen from comment #5)
> Taking it back, looks like it's about missing precompiled expressions...
>
> @Alphat-PC, can you go to the /etc/selinux/*/contexts/files/ location and
> see if there are any *.bin files in there (like file_contexts.bin)?
>
> If there are, we should recompile those:
>
> # sefcontext_compile file_contexts
>
> This should rebuild the binary file, and hopefully fix the problem. Can you
> confirm this? If so, I'll need to see if/how we can trigger this (or
> document).

Recompiling file_contexts.bin can help fix the problem! I recompiled the refpolicy; everything is OK! Thanks!!!
Is there a way that we can have SELinux tooling still use the libpcre.so.0 one (assuming libpcre updates to libpcre.so.1 - basing myself on the ebuild here) until the user has rebuilt the regular expressions? Or can we somehow hook in the setfiles process to rebuild the expressions if they are stale?
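The two comments above describe the manual fix (run sefcontext_compile on file_contexts) and ask whether stale precompiled expressions could be detected and rebuilt automatically. The script below is an added example, not code from the bug report or from the SELinux userland: it treats a file_contexts.bin as stale when it is missing, older than its file_contexts, or older than the libpcre shared object that sefcontext_compile currently links against (a libpcre upgrade after the last compile, which is the situation in this bug), and rebuilds only those. The location /etc/selinux/*/contexts/files, the use of ldd to find libpcre, and the --rebuild flag are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the bug report or the SELinux tools): find and
# rebuild stale precompiled file_contexts.bin files after a libpcre change.
# Assumes sefcontext_compile is installed and policy stores live under
# /etc/selinux/<store>/contexts/files.

# is_stale FILE_CONTEXTS BIN LIBPCRE
# Exit status 0 (true) when BIN is missing, when FILE_CONTEXTS is newer
# than BIN, or when the libpcre shared object LIBPCRE is newer than BIN.
# Newer-library-than-binary is a heuristic: it also fires after a plain
# rebuild of libpcre, which costs one harmless recompile.
is_stale() {
    fc=$1; bin=$2; lib=$3
    [ -f "$bin" ] || return 0
    [ "$fc" -nt "$bin" ] && return 0
    [ -n "$lib" ] && [ "$lib" -nt "$bin" ] && return 0
    return 1
}

# Path of the libpcre shared object the dynamic linker resolves for
# sefcontext_compile (empty when the tool or ldd is unavailable).
current_libpcre() {
    tool=$(command -v sefcontext_compile) || return 0
    ldd "$tool" 2>/dev/null | awk '/libpcre/ { print $3; exit }'
}

# stale_contexts ROOT LIBPCRE
# Prints every file_contexts under ROOT/*/contexts/files whose .bin is
# stale. ROOT is /etc/selinux on a real system; tests pass a temp dir.
stale_contexts() {
    root=$1; lib=$2
    for fc in "$root"/*/contexts/files/file_contexts; do
        [ -f "$fc" ] || continue
        is_stale "$fc" "$fc.bin" "$lib" && printf '%s\n' "$fc"
    done
    return 0
}

# rebuild_stale_contexts [ROOT]
# Recompiles each stale file_contexts with sefcontext_compile (needs root).
rebuild_stale_contexts() {
    root=${1:-/etc/selinux}
    lib=$(current_libpcre)
    stale_contexts "$root" "$lib" | while read -r fc; do
        echo "rebuilding $fc.bin"
        sefcontext_compile "$fc"
    done
}

# Only act when explicitly asked, so sourcing the file has no side effects.
if [ "${1:-}" = "--rebuild" ]; then
    rebuild_stale_contexts "${2:-/etc/selinux}"
fi
```

Run it as `sh rebuild-file-contexts.sh --rebuild` as root after a libpcre upgrade (for example from a Portage postinst hook); without the flag it only defines the functions. The mtime comparison is deliberately conservative: a false positive costs one sefcontext_compile run, while a missed stale file leaves matchpathcon and restorecon returning <<none>> as in the report above.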
Guess not (yet). The approach is documented on https://wiki.gentoo.org/wiki/SELinux/FAQ so closing this one.