Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 516608 - sys-apps/policycoreutils with dev-libs/libpcre-8.35 - segmentation fault in /usr/sbin/setfiles
Summary: sys-apps/policycoreutils with dev-libs/libpcre-8.35 - segmentation fault in /...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: SELinux (show other bugs)
Hardware: AMD64 Linux
: Normal normal (vote)
Assignee: Sven Vermeulen (RETIRED)
URL:
Whiteboard: selinux-utils
Keywords:
: 517284 (view as bug list)
Depends on:
Blocks:
 
Reported: 2014-07-07 13:07 UTC by Lari Korpi
Modified: 2014-07-30 12:05 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
upstream patch to include pcre version (libselinux.patch,2.91 KB, patch)
2014-07-09 17:38 UTC, Sven Vermeulen (RETIRED)
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Lari Korpi 2014-07-07 13:07:04 UTC
After merging dev-libs/libpcre-8.35 I started to get following errors:
>>> Installing (1 of 1) dev-libs/libpcre-8.35
 * checking 192 files for package collisions
>>> Merging dev-libs/libpcre-8.35 to /
>>> Setting SELinux security labels
/usr/lib64/portage/bin/misc-functions.sh: line 1112: 23719 Segmentation fault      /usr/sbin/setfiles "${file_contexts_path}" -r "${D}" "${D}"
 * ERROR: dev-libs/libpcre-8.35::gentoo failed:
 *   Failed to set SELinux security labels.
 *
 * Call stack:
 *   misc-functions.sh, line 1294:  Called preinst_selinux_labels
 *   misc-functions.sh, line 1132:  Called die
 * The specific snippet of code:
 *                      ) || die "Failed to set SELinux security labels."
 *
 * If you need support, post the output of `emerge --info '=dev-libs/libpcre-8.35::gentoo'`,
 * the complete build log and the output of `emerge -pqv '=dev-libs/libpcre-8.35::gentoo'`.
 * The complete build log is located at '/var/tmp/portage/dev-libs/libpcre-8.35/temp/build.log'.
 * The ebuild environment file is located at '/var/tmp/portage/dev-libs/libpcre-8.35/temp/environment'.
 * Working directory: '/usr/lib64/portage/pym'
 * S: '/var/tmp/portage/dev-libs/libpcre-8.35/work/pcre-8.35'
!!! post preinst failed; exiting.
!!! FAILED preinst: 1


Reproducible: Always

Steps to Reproduce:
1. emerge =dev-libs/libpcre-8.35
2. emerge =dev-libs/libpcre-8.35 (or anyother)

Actual Results:  
>>> Setting SELinux security labels
/usr/lib64/portage/bin/misc-functions.sh: line 1112: 23719 Segmentation fault      /usr/sbin/setfiles "${file_contexts_path}" -r "${D}" "${D}"
 * ERROR: dev-libs/libpcre-8.35::gentoo failed:
 *   Failed to set SELinux security labels.
 *
 * Call stack:
 *   misc-functions.sh, line 1294:  Called preinst_selinux_labels
 *   misc-functions.sh, line 1132:  Called die
 * The specific snippet of code:
 *                      ) || die "Failed to set SELinux security labels."
 *
 * If you need support, post the output of `emerge --info '=dev-libs/libpcre-8.35::gentoo'`,
 * the complete build log and the output of `emerge -pqv '=dev-libs/libpcre-8.35::gentoo'`.
 * The complete build log is located at '/var/tmp/portage/dev-libs/libpcre-8.35/temp/build.log'.
 * The ebuild environment file is located at '/var/tmp/portage/dev-libs/libpcre-8.35/temp/environment'.
 * Working directory: '/usr/lib64/portage/pym'
 * S: '/var/tmp/portage/dev-libs/libpcre-8.35/work/pcre-8.35'
!!! post preinst failed; exiting.
!!! FAILED preinst: 1

dmesg:
setfiles[23719]: segfault at 3e800 ip 00007f3cb8c349df sp 00007fff6de18670 error 4 in libpcre.so.1.2.3[7f3cb8c20000+41000]

Expected Results:  
>>> Installing (1 of 1) dev-libs/libpcre-8.33
 * checking 191 files for package collisions
>>> Merging dev-libs/libpcre-8.33 to /
>>> Setting SELinux security labels
--- /usr/
--- /usr/share/


Portage 2.2.8-r1 (hardened/linux/amd64/selinux, gcc-4.7.3, glibc-2.17, 3.10.0-gentoo x86_64)
=================================================================
System uname: Linux-3.10.0-gentoo-x86_64-AMD_A8-5600K_APU_with_Radeon-tm-_HD_Graphics-with-gentoo-2.2
KiB Mem:    16326976 total,    353924 free
KiB Swap:   83886072 total,  80556312 free
Timestamp of tree: Mon, 07 Jul 2014 12:15:01 +0000
ld GNU ld (GNU Binutils) 2.23.2
distcc 3.1 x86_64-pc-linux-gnu [disabled]
ccache version 3.1.9 [enabled]
app-shells/bash:          4.2_p45
dev-lang/python:          2.7.6, 3.3.3
dev-util/ccache:          3.1.9-r3
dev-util/cmake:           2.8.12.2
dev-util/pkgconfig:       0.28-r1
sys-apps/baselayout:      2.2
sys-apps/openrc:          0.12.4
sys-apps/sandbox:         2.6-r1
sys-devel/autoconf:       2.69
sys-devel/automake:       1.11.6, 1.13.4
sys-devel/binutils:       2.23.2
sys-devel/gcc:            4.7.3-r1
sys-devel/gcc-config:     1.7.3
sys-devel/libtool:        2.4.2
sys-devel/make:           3.82-r4
sys-kernel/linux-headers: 3.13 (virtual/os-headers)
sys-libs/glibc:           2.17
Repositories: gentoo x-portage
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="* -@EULA"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=native -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt /var/bind"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5.5/ext-active/ /etc/php/cgi-php5.5/ext-active/ /etc/php/cli-php5.5/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-march=native -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs ccache config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync news parallel-fetch preserve-libs protect-owned sandbox selinux sesandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="rsync://trumpetti.atm.tut.fi/gentoo/ ftp://trumpetti.atm.tut.fi/gentoo/ http://trumpetti.atm.tut.fi/gentoo/"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j5"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.fi.gentoo.org/gentoo-portage"
USE="acl aio alsa amd64 audit avx berkdb bzip2 caps cli cracklib crypt curl cxx dbus dlz dri exif fdt fma fpm gd gdbm gmp hardened iconv ipv6 justify logrotate lvm lxc mmx modules multilib mysql ncurses nls nptl open_perms openmp openrc pam parted pax_kernel pcap pcre pdo peer_perms qemu rbd readline selinux session soap sse sse2 sse3 sse4 ssh ssl tci tcpd threads tor-hardening ubac unconfined unicode urandom vhost-net virt-network xattr xmlreader xmlwriter xtpax zlib" ABI_X86="64" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_core authn_dbm authn_file authz_core authz_dbm authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir env expires ext_filter file_cache filter headers include info log_config logio mime mime_magic negotiation rewrite setenvif socache_shmcb speling status unique_id unixd userdir usertrack vhost_alias" APACHE2_MPMS="worker" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ublox ubx" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" LINGUAS="de fi" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php-5-3" PYTHON_SINGLE_TARGET="python2_7" PYTHON_TARGETS="python2_7 python3_3" QEMU_SOFTMMU_TARGETS="i386 x86_64" QEMU_USER_TARGETS="i386 x86_64" RUBY_TARGETS="ruby19 ruby20" USERLAND="GNU" VIDEO_CARDS="fbdev glint intel mach64 mga nouveau nv r128 radeon savage sis tdfx trident vesa via vmware dummy v4l" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON
Comment 1 Graham E 2014-07-07 14:05:43 UTC
I can confirm I had the same issue with libpcre-8.35

Before:
matchpathcon /etc/
/etc    system_u:object_r:etc_t
After:
matchpathcon /etc/
/etc    system_u:object_r:lib_t

To get my system back to a usable state I needed to run:

FEATURES=-selinux emerge -av =libpcre-8.33

then

emerge -av =libpcre-8.33
Comment 2 Sean Santos 2014-07-07 16:05:07 UTC
I had the same issue. I had to mask =dev-libs/libpcre-8.35 and re-emerge libpcre with FEATURES="-selinux", then again normally, to get my system back on track.
Comment 3 Sven Vermeulen (RETIRED) gentoo-dev 2014-07-08 15:56:37 UTC
A workaround is to rebuild the *.bin files in /etc/selinux/*/contexts/files:

~# cd /etc/selinux/strict/contexts/files
~# rm *.bin
~# sefcontext_compile file_contexts
~# sefcontext_compile file_contexts.homedirs
~# sefcontext_compile file_contexts.local

This isn't a good permanent solutino though, we need to find a way to either rebuild the *.bin files when libpcre does an update, patch userland so it ignores invalid *.bin files, remove *.bin files when libpcre updates, or something else.
Comment 4 Jason Zaman gentoo-dev 2014-07-08 16:13:46 UTC
(In reply to Sven Vermeulen from comment #3)
> A workaround is to rebuild the *.bin files in /etc/selinux/*/contexts/files:
> 
> ~# cd /etc/selinux/strict/contexts/files
> ~# rm *.bin
> ~# sefcontext_compile file_contexts
> ~# sefcontext_compile file_contexts.homedirs
> ~# sefcontext_compile file_contexts.local
> 
> This isn't a good permanent solutino though, we need to find a way to either
> rebuild the *.bin files when libpcre does an update, patch userland so it
> ignores invalid *.bin files, remove *.bin files when libpcre updates, or
> something else.

Is it possible to do those steps in pkg_postinst in the libpcre ebuild? It wouldn't be that pretty but it seems like it should work if pcre is the only package that causes the problem.

If the .bin files are not required then the safest would be to only rm *.bin and force a rebuild of the package to rebuild.
Comment 5 Sven Vermeulen (RETIRED) gentoo-dev 2014-07-08 19:33:38 UTC
Let's ask ;)

@base-system - one of SELinux' packages (selinux-base) compiles regular expressions into binary files for speed enhancements (which for gentoo don't give major benefit, but other distributions do). However, when libpcre is updated, it seems that this binary representation becomes invalid. The code doesn't like that, and segfaults.

A workaround is to remove the binary compiled files when libpcre is updated, like in the pkg_postinst phase:

if use selinux ; then
  rm -f /etc/selinux/*/contexts/files/file_contexts*.bin
fi

The SELinux userspace falls back to the non-compiled files then, and everything works. If we try to fix this elsewhere, we have the problem that /any/ package installation fails due to the segmentation fault.

In the mean time I'm trying to figure out where the segfault occurs so the command can be caught and handled correctly...
Comment 6 Jason Zaman gentoo-dev 2014-07-08 22:27:34 UTC
I managed to get a proper backtrace after rebuilding enough things with debugging symbols. I have the core file, should I upload it here? I am not sure yet if the bug is in libpcre or libselinux. I need to look more, but in the mean time here is the backtrace. I have backed up the .bin files from the old and new pcre versions and can reliably trigger the segfault by running:

# setfiles -vF /etc/selinux/strict/contexts/files/file_contexts /home/jason/.config/libvirt/qemu/lib/
setfiles reset /home/jason/.config/libvirt/qemu/lib/ context staff_u:object_r:xdg_config_home_t->root:object_r:user_home_dir_t
Segmentation fault (core dumped)

It is segfaulting on this file:
# ls -alZ /home/jason/.config/libvirt/qemu/lib/capabilities.monitor.sock 
srwxr-xr-x. 1 jason users staff_u:object_r:xdg_config_home_t 0 Mar 11 16:18 /home/jason/.config/libvirt/qemu/lib/capabilities.monitor.sock=



(gdb) bt
#0  0x00000309ecc210b9 in match_ref (offset=64000, eptr=0x3da93388ee5 "/jason/.config/libvirt/qemu/lib/capabilities.monitor.sock", length=-1, md=0x3da93388c10, 
    caseless=0) at /var/tmp/portage/dev-libs/libpcre-8.35/work/pcre-8.35/pcre_exec.c:169
#1  0x00000309ecc283d2 in match (eptr=0x3da93388ee5 "/jason/.config/libvirt/qemu/lib/capabilities.monitor.sock", 
    ecode=0x309eda9cedc <Address 0x309eda9cedc out of bounds>, mstart=0x3da93388ee5 "/jason/.config/libvirt/qemu/lib/capabilities.monitor.sock", offset_top=0, 
    md=0x3da93388c10, eptrb=0x0, rdepth=0) at /var/tmp/portage/dev-libs/libpcre-8.35/work/pcre-8.35/pcre_exec.c:2751
#2  0x00000309ecc3b848 in pcre_exec (argument_re=0x309eda9ce2a, extra_data=0x309ed92a440, 
    subject=0x3da93388ee5 "/jason/.config/libvirt/qemu/lib/capabilities.monitor.sock", length=57, start_offset=0, options=0, offsets=0x0, offsetcount=0)
    at /var/tmp/portage/dev-libs/libpcre-8.35/work/pcre-8.35/pcre_exec.c:6941
#3  0x00000309ed66380d in lookup (rec=0x33370282f0, key=0x3da93388ee0 "/home/jason/.config/libvirt/qemu/lib/capabilities.monitor.sock", type=49645) at label_file.c:645
#4  0x00000309ed65e339 in selabel_lookup_common (rec=0x33370282f0, translating=0, key=0x3da93388ee0 "/home/jason/.config/libvirt/qemu/lib/capabilities.monitor.sock", 
    type=49645) at label.c:218
#5  0x00000309ed65e49b in selabel_lookup_raw (rec=0x33370282f0, con=0x3da93388f70, key=0x3da93388ee0 "/home/jason/.config/libvirt/qemu/lib/capabilities.monitor.sock", 
    type=49645) at label.c:251
#6  0x0000003334ad94fc in match (name=0x3da93388ee0 "/home/jason/.config/libvirt/qemu/lib/capabilities.monitor.sock", sb=0x333704c0f0, con=0x3da93388f70)
    at restore.c:101
#7  0x0000003334ad95e6 in restore (ftsent=0x333704c060, recurse=1) at restore.c:109
#8  0x0000003334ad9d55 in apply_spec (ftsent=0x333704c060, recurse=1) at restore.c:289
#9  0x0000003334ad9f6b in process_one (name=0x3337028c30 "/home/jason/.config/libvirt/qemu/lib/", recurse_this_path=1) at restore.c:349
#10 0x0000003334ada215 in process_one_realpath (name=0x3337028c30 "/home/jason/.config/libvirt/qemu/lib/", recurse=1) at restore.c:409
#11 0x0000003334ada139 in process_glob (name=0x3da9338a67a "/home/jason/.config/libvirt/qemu/lib/", recurse=1) at restore.c:388
#12 0x0000003334ad90a5 in main (argc=4, argv=0x3da9338a3b8) at setfiles.c:439
Comment 7 Sven Vermeulen (RETIRED) gentoo-dev 2014-07-09 15:21:36 UTC
Checking with upstream @ http://marc.info/?l=selinux&m=140491890602694&w=2
Comment 8 Sven Vermeulen (RETIRED) gentoo-dev 2014-07-09 15:45:43 UTC
Reassigning; going to split this bug and create a separate one for libpcre and base-system.
Comment 9 Sven Vermeulen (RETIRED) gentoo-dev 2014-07-09 17:38:40 UTC
Created attachment 380502 [details, diff]
upstream patch to include pcre version

This patch provided by upstream adds in pcre version in the format.

The patch can be tested by placing it in /etc/portage/patches/sys-libs/libselinux (as we has epatch_user in our ebuilds). It does require that the *.bin files are once removed, I would add that to the libselinux ebuilds' pre_inst.
Comment 10 Sven Vermeulen (RETIRED) gentoo-dev 2014-07-09 18:13:18 UTC
After exploring many options, I've decided to do with the following...

1. sys-libs/libselinux-2.3-r1 will be made available, which contains the upstream patch, and which will also recompile the *.bin files in /etc/selinux/*/contexts/files in the pkg_postinst() phase so that the old format (which might trigger segfaults) is no longer available on the system.

2. Post a message to SELinux users (blog-post and wiki) that the *.bin files can be removed to work around the failure currently.


I decided not to update libpcre to remove the *.bin files (which was an option) because libpcre is already stabilized for most architectures (so would need a revision bump and again stabilization period) and it is a work-around. For stable users, the issue is already there.
Comment 11 Sven Vermeulen (RETIRED) gentoo-dev 2014-07-09 18:17:33 UTC
sys-libs/libselinux-2.3-r1 has been made available
Comment 12 Sven Vermeulen (RETIRED) gentoo-dev 2014-07-09 19:30:30 UTC
libselinux-2.2.2-r5 has the same fix & workaround in it.
Comment 13 Sven Vermeulen (RETIRED) gentoo-dev 2014-07-21 09:31:43 UTC
*** Bug 517284 has been marked as a duplicate of this bug. ***
Comment 14 Sven Vermeulen (RETIRED) gentoo-dev 2014-07-21 09:42:01 UTC
Bug 517284 mentions that a pcre upgrade after libselinux-2.2.2-r5 was installed still gave breakage. I'll check if the sefcontext_compile in libselinux is or isn't performed as that *should* have prevented the failure...
Comment 15 Sven Vermeulen (RETIRED) gentoo-dev 2014-07-30 12:05:01 UTC
Both 2.2.2-r5 and 2.3 have been stabilized.