After merging dev-libs/libpcre-8.35 I started to get the following errors:

>>> Installing (1 of 1) dev-libs/libpcre-8.35
 * checking 192 files for package collisions
>>> Merging dev-libs/libpcre-8.35 to /
>>> Setting SELinux security labels
/usr/lib64/portage/bin/misc-functions.sh: line 1112: 23719 Segmentation fault /usr/sbin/setfiles "${file_contexts_path}" -r "${D}" "${D}"
 * ERROR: dev-libs/libpcre-8.35::gentoo failed:
 * Failed to set SELinux security labels.
 *
 * Call stack:
 * misc-functions.sh, line 1294: Called preinst_selinux_labels
 * misc-functions.sh, line 1132: Called die
 * The specific snippet of code:
 * ) || die "Failed to set SELinux security labels."
 *
 * If you need support, post the output of `emerge --info '=dev-libs/libpcre-8.35::gentoo'`,
 * the complete build log and the output of `emerge -pqv '=dev-libs/libpcre-8.35::gentoo'`.
 * The complete build log is located at '/var/tmp/portage/dev-libs/libpcre-8.35/temp/build.log'.
 * The ebuild environment file is located at '/var/tmp/portage/dev-libs/libpcre-8.35/temp/environment'.
 * Working directory: '/usr/lib64/portage/pym'
 * S: '/var/tmp/portage/dev-libs/libpcre-8.35/work/pcre-8.35'
!!! post preinst failed; exiting.
!!! FAILED preinst: 1

Reproducible: Always

Steps to Reproduce:
1. emerge =dev-libs/libpcre-8.35
2. emerge =dev-libs/libpcre-8.35 (or any other)

Actual Results:

>>> Setting SELinux security labels
/usr/lib64/portage/bin/misc-functions.sh: line 1112: 23719 Segmentation fault /usr/sbin/setfiles "${file_contexts_path}" -r "${D}" "${D}"
 * ERROR: dev-libs/libpcre-8.35::gentoo failed:
 * Failed to set SELinux security labels.
 *
 * Call stack:
 * misc-functions.sh, line 1294: Called preinst_selinux_labels
 * misc-functions.sh, line 1132: Called die
 * The specific snippet of code:
 * ) || die "Failed to set SELinux security labels."
 *
 * If you need support, post the output of `emerge --info '=dev-libs/libpcre-8.35::gentoo'`,
 * the complete build log and the output of `emerge -pqv '=dev-libs/libpcre-8.35::gentoo'`.
 * The complete build log is located at '/var/tmp/portage/dev-libs/libpcre-8.35/temp/build.log'.
 * The ebuild environment file is located at '/var/tmp/portage/dev-libs/libpcre-8.35/temp/environment'.
 * Working directory: '/usr/lib64/portage/pym'
 * S: '/var/tmp/portage/dev-libs/libpcre-8.35/work/pcre-8.35'
!!! post preinst failed; exiting.
!!! FAILED preinst: 1

dmesg:
setfiles[23719]: segfault at 3e800 ip 00007f3cb8c349df sp 00007fff6de18670 error 4 in libpcre.so.1.2.3[7f3cb8c20000+41000]

Expected Results:

>>> Installing (1 of 1) dev-libs/libpcre-8.33
 * checking 191 files for package collisions
>>> Merging dev-libs/libpcre-8.33 to /
>>> Setting SELinux security labels
--- /usr/
--- /usr/share/

Portage 2.2.8-r1 (hardened/linux/amd64/selinux, gcc-4.7.3, glibc-2.17, 3.10.0-gentoo x86_64)
=================================================================
System uname: Linux-3.10.0-gentoo-x86_64-AMD_A8-5600K_APU_with_Radeon-tm-_HD_Graphics-with-gentoo-2.2
KiB Mem: 16326976 total, 353924 free
KiB Swap: 83886072 total, 80556312 free
Timestamp of tree: Mon, 07 Jul 2014 12:15:01 +0000
ld GNU ld (GNU Binutils) 2.23.2
distcc 3.1 x86_64-pc-linux-gnu [disabled]
ccache version 3.1.9 [enabled]
app-shells/bash: 4.2_p45
dev-lang/python: 2.7.6, 3.3.3
dev-util/ccache: 3.1.9-r3
dev-util/cmake: 2.8.12.2
dev-util/pkgconfig: 0.28-r1
sys-apps/baselayout: 2.2
sys-apps/openrc: 0.12.4
sys-apps/sandbox: 2.6-r1
sys-devel/autoconf: 2.69
sys-devel/automake: 1.11.6, 1.13.4
sys-devel/binutils: 2.23.2
sys-devel/gcc: 4.7.3-r1
sys-devel/gcc-config: 1.7.3
sys-devel/libtool: 2.4.2
sys-devel/make: 3.82-r4
sys-kernel/linux-headers: 3.13 (virtual/os-headers)
sys-libs/glibc: 2.17
Repositories: gentoo x-portage
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="* -@EULA"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=native -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt /var/bind"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5.5/ext-active/ /etc/php/cgi-php5.5/ext-active/ /etc/php/cli-php5.5/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-march=native -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs ccache config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync news parallel-fetch preserve-libs protect-owned sandbox selinux sesandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync xattr"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="rsync://trumpetti.atm.tut.fi/gentoo/ ftp://trumpetti.atm.tut.fi/gentoo/ http://trumpetti.atm.tut.fi/gentoo/"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j5"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.fi.gentoo.org/gentoo-portage"
USE="acl aio alsa amd64 audit avx berkdb bzip2 caps cli cracklib crypt curl cxx dbus dlz dri exif fdt fma fpm gd gdbm gmp hardened iconv ipv6 justify logrotate lvm lxc mmx modules multilib mysql ncurses nls nptl open_perms openmp openrc pam parted pax_kernel pcap pcre pdo peer_perms qemu rbd readline selinux session soap sse sse2 sse3 sse4 ssh ssl tci tcpd threads tor-hardening ubac unconfined unicode urandom vhost-net virt-network xattr xmlreader xmlwriter xtpax zlib"
ABI_X86="64"
ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci"
APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_core authn_dbm authn_file authz_core authz_dbm authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir env expires ext_filter file_cache filter headers include info log_config logio mime mime_magic negotiation rewrite setenvif socache_shmcb speling status unique_id unixd userdir usertrack vhost_alias"
APACHE2_MPMS="worker"
CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author"
CAMERAS="ptp2"
COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog"
ELIBC="glibc"
GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ublox ubx"
INPUT_DEVICES="keyboard mouse evdev"
KERNEL="linux"
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text"
LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer"
LINGUAS="de fi"
OFFICE_IMPLEMENTATION="libreoffice"
PHP_TARGETS="php-5-3"
PYTHON_SINGLE_TARGET="python2_7"
PYTHON_TARGETS="python2_7 python3_3"
QEMU_SOFTMMU_TARGETS="i386 x86_64"
QEMU_USER_TARGETS="i386 x86_64"
RUBY_TARGETS="ruby19 ruby20"
USERLAND="GNU"
VIDEO_CARDS="fbdev glint intel mach64 mga nouveau nv r128 radeon savage sis tdfx trident vesa via vmware dummy v4l"
XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON
I can confirm I had the same issue with libpcre-8.35.

Before:
matchpathcon /etc/
/etc system_u:object_r:etc_t

After:
matchpathcon /etc/
/etc system_u:object_r:lib_t

To get my system back to a usable state I needed to run:
FEATURES=-selinux emerge -av =libpcre-8.33
then
emerge -av =libpcre-8.33
I had the same issue. I had to mask =dev-libs/libpcre-8.35 and re-emerge libpcre with FEATURES="-selinux", then again normally, to get my system back on track.
A workaround is to rebuild the *.bin files in /etc/selinux/*/contexts/files:

~# cd /etc/selinux/strict/contexts/files
~# rm *.bin
~# sefcontext_compile file_contexts
~# sefcontext_compile file_contexts.homedirs
~# sefcontext_compile file_contexts.local

This isn't a good permanent solution though, we need to find a way to either rebuild the *.bin files when libpcre does an update, patch userland so it ignores invalid *.bin files, remove *.bin files when libpcre updates, or something else.
(In reply to Sven Vermeulen from comment #3)
> A workaround is to rebuild the *.bin files in /etc/selinux/*/contexts/files:
>
> ~# cd /etc/selinux/strict/contexts/files
> ~# rm *.bin
> ~# sefcontext_compile file_contexts
> ~# sefcontext_compile file_contexts.homedirs
> ~# sefcontext_compile file_contexts.local
>
> This isn't a good permanent solution though, we need to find a way to either
> rebuild the *.bin files when libpcre does an update, patch userland so it
> ignores invalid *.bin files, remove *.bin files when libpcre updates, or
> something else.

Is it possible to do those steps in pkg_postinst in the libpcre ebuild? It wouldn't be that pretty but it seems like it should work if pcre is the only package that causes the problem. If the .bin files are not required then the safest would be to only rm *.bin and force a rebuild of the package to rebuild.
Let's ask ;)

@base-system - one of SELinux' packages (selinux-base) compiles regular expressions into binary files for speed enhancements (which for gentoo don't give major benefit, but other distributions do). However, when libpcre is updated, it seems that this binary representation becomes invalid. The code doesn't like that, and segfaults.

A workaround is to remove the binary compiled files when libpcre is updated, like in the pkg_postinst phase:

if use selinux ; then
  rm -f /etc/selinux/*/contexts/files/file_contexts*.bin
fi

The SELinux userspace falls back to the non-compiled files then, and everything works. If we try to fix this elsewhere, we have the problem that /any/ package installation fails due to the segmentation fault.

In the mean time I'm trying to figure out where the segfault occurs so the command can be caught and handled correctly...
I managed to get a proper backtrace after rebuilding enough things with debugging symbols. I have the core file, should I upload it here? I am not sure yet if the bug is in libpcre or libselinux. I need to look more, but in the mean time here is the backtrace.

I have backed up the .bin files from the old and new pcre versions and can reliably trigger the segfault by running:

# setfiles -vF /etc/selinux/strict/contexts/files/file_contexts /home/jason/.config/libvirt/qemu/lib/
setfiles reset /home/jason/.config/libvirt/qemu/lib/ context staff_u:object_r:xdg_config_home_t->root:object_r:user_home_dir_t
Segmentation fault (core dumped)

It is segfaulting on this file:

# ls -alZ /home/jason/.config/libvirt/qemu/lib/capabilities.monitor.sock
srwxr-xr-x. 1 jason users staff_u:object_r:xdg_config_home_t 0 Mar 11 16:18 /home/jason/.config/libvirt/qemu/lib/capabilities.monitor.sock=

(gdb) bt
#0 0x00000309ecc210b9 in match_ref (offset=64000, eptr=0x3da93388ee5 "/jason/.config/libvirt/qemu/lib/capabilities.monitor.sock", length=-1, md=0x3da93388c10, caseless=0) at /var/tmp/portage/dev-libs/libpcre-8.35/work/pcre-8.35/pcre_exec.c:169
#1 0x00000309ecc283d2 in match (eptr=0x3da93388ee5 "/jason/.config/libvirt/qemu/lib/capabilities.monitor.sock", ecode=0x309eda9cedc <Address 0x309eda9cedc out of bounds>, mstart=0x3da93388ee5 "/jason/.config/libvirt/qemu/lib/capabilities.monitor.sock", offset_top=0, md=0x3da93388c10, eptrb=0x0, rdepth=0) at /var/tmp/portage/dev-libs/libpcre-8.35/work/pcre-8.35/pcre_exec.c:2751
#2 0x00000309ecc3b848 in pcre_exec (argument_re=0x309eda9ce2a, extra_data=0x309ed92a440, subject=0x3da93388ee5 "/jason/.config/libvirt/qemu/lib/capabilities.monitor.sock", length=57, start_offset=0, options=0, offsets=0x0, offsetcount=0) at /var/tmp/portage/dev-libs/libpcre-8.35/work/pcre-8.35/pcre_exec.c:6941
#3 0x00000309ed66380d in lookup (rec=0x33370282f0, key=0x3da93388ee0 "/home/jason/.config/libvirt/qemu/lib/capabilities.monitor.sock", type=49645) at label_file.c:645
#4 0x00000309ed65e339 in selabel_lookup_common (rec=0x33370282f0, translating=0, key=0x3da93388ee0 "/home/jason/.config/libvirt/qemu/lib/capabilities.monitor.sock", type=49645) at label.c:218
#5 0x00000309ed65e49b in selabel_lookup_raw (rec=0x33370282f0, con=0x3da93388f70, key=0x3da93388ee0 "/home/jason/.config/libvirt/qemu/lib/capabilities.monitor.sock", type=49645) at label.c:251
#6 0x0000003334ad94fc in match (name=0x3da93388ee0 "/home/jason/.config/libvirt/qemu/lib/capabilities.monitor.sock", sb=0x333704c0f0, con=0x3da93388f70) at restore.c:101
#7 0x0000003334ad95e6 in restore (ftsent=0x333704c060, recurse=1) at restore.c:109
#8 0x0000003334ad9d55 in apply_spec (ftsent=0x333704c060, recurse=1) at restore.c:289
#9 0x0000003334ad9f6b in process_one (name=0x3337028c30 "/home/jason/.config/libvirt/qemu/lib/", recurse_this_path=1) at restore.c:349
#10 0x0000003334ada215 in process_one_realpath (name=0x3337028c30 "/home/jason/.config/libvirt/qemu/lib/", recurse=1) at restore.c:409
#11 0x0000003334ada139 in process_glob (name=0x3da9338a67a "/home/jason/.config/libvirt/qemu/lib/", recurse=1) at restore.c:388
#12 0x0000003334ad90a5 in main (argc=4, argv=0x3da9338a3b8) at setfiles.c:439
Checking with upstream @ http://marc.info/?l=selinux&m=140491890602694&w=2
Reassigning; going to split this bug and create a separate one for libpcre and base-system.
Created attachment 380502: upstream patch to include pcre version

This patch provided by upstream adds in pcre version in the format. The patch can be tested by placing it in /etc/portage/patches/sys-libs/libselinux (as we have epatch_user in our ebuilds). It does require that the *.bin files are once removed, I would add that to the libselinux ebuilds' pre_inst.
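An added example (not from this thread or from the upstream patch) of the check a version stamp makes possible: read the header of a compiled file_contexts blob and refuse it, falling back to the text file, when the recorded PCRE version differs from the one in use. The header layout, the magic value and all function names are assumptions, and the sample blobs are constructed.

```python
import struct

# Assumed header layout of a compiled file_contexts*.bin (not shown in this thread):
#   uint32 magic, uint32 format version, then, from format version 2 on,
#   uint32 length followed by the PCRE version string the file was built with.
MAGIC = 0xF97CFF8A          # assumed magic value
FIRST_STAMPED_FORMAT = 2    # assumed first format version carrying the stamp


def check_compiled_fcontext(blob: bytes, running_pcre: str) -> str:
    """Return 'ok' or the reason the compiled blob must not be handed to PCRE."""
    if len(blob) < 8:
        return "truncated"
    magic, fmt = struct.unpack_from("=II", blob, 0)
    if magic != MAGIC:
        return "bad-magic"
    if fmt < FIRST_STAMPED_FORMAT:
        return "unstamped"      # old format: no way to tell which PCRE built it
    if len(blob) < 12:
        return "truncated"
    (n,) = struct.unpack_from("=I", blob, 8)
    if n == 0 or n > len(blob) - 12:
        return "truncated"      # length field points past the end of the file
    stamp = blob[12:12 + n].decode("ascii", "replace")
    return "ok" if stamp == running_pcre else "pcre-mismatch"


def pick_source(blob: bytes, running_pcre: str) -> str:
    """Use the compiled file only when it verifies; otherwise the text file."""
    return "compiled" if check_compiled_fcontext(blob, running_pcre) == "ok" else "text"


def make_header(fmt: int, pcre: str = "") -> bytes:
    """Build a constructed sample header for the demonstration below."""
    head = struct.pack("=II", MAGIC, fmt)
    if fmt >= FIRST_STAMPED_FORMAT:
        head += struct.pack("=I", len(pcre)) + pcre.encode("ascii")
    return head + b"\x00" * 16  # stand-in for the compiled regex payload


if __name__ == "__main__":
    running = "8.35 2014-04-04"   # constructed; what pcre_version() might report
    samples = {
        "built with 8.33": make_header(2, "8.33 2013-05-28"),
        "built with 8.35": make_header(2, running),
        "pre-patch format": make_header(1),
    }
    for name, blob in samples.items():
        print(name, "->", check_compiled_fcontext(blob, running), "/", pick_source(blob, running))
```

Treating an unstamped file the same as a mismatched one is the conservative choice here: a file with no recorded version cannot be shown to match the installed library.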
After exploring many options, I've decided to go with the following...

1. sys-libs/libselinux-2.3-r1 will be made available, which contains the upstream patch, and which will also recompile the *.bin files in /etc/selinux/*/contexts/files in the pkg_postinst() phase so that the old format (which might trigger segfaults) is no longer available on the system.
2. Post a message to SELinux users (blog-post and wiki) that the *.bin files can be removed to work around the failure currently.

I decided not to update libpcre to remove the *.bin files (which was an option) because libpcre is already stabilized for most architectures (so would need a revision bump and again stabilization period) and it is a work-around. For stable users, the issue is already there.
sys-libs/libselinux-2.3-r1 has been made available
libselinux-2.2.2-r5 has the same fix & workaround in it.
*** Bug 517284 has been marked as a duplicate of this bug. ***
Bug 517284 mentions that a pcre upgrade after libselinux-2.2.2-r5 was installed still gave breakage. I'll check if the sefcontext_compile in libselinux is or isn't performed as that *should* have prevented the failure...
Both 2.2.2-r5 and 2.3 have been stabilized.