
Bug 1502009

Summary: file_contexts.bin: line 1 error due to: Non-ASCII characters found
Product: [Fedora] Fedora
Component: selinux-policy-targeted
Version: 27
Reporter: Ralf Corsepius <rc040203>
Assignee: Lukas Vrabec <lvrabec>
QA Contact: Ben Levenson <benl>
CC: awilliam, crobinso, dwalsh, hdegoede, jstodola, pbrobinson, plautrba, valdis.kletnieks
Status: CLOSED ERRATA
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Keywords: CommonBugs
Whiteboard: https://fedoraproject.org/wiki/Common_F27_bugs#selinux-non-ascii
Last Closed: 2017-11-28 23:54:24 UTC
Type: Bug
Bug Blocks: 467765, 1071880, 1378351

Description Ralf Corsepius 2017-10-13 17:27:13 UTC
Description of problem:

During a "dnf install" on a just installed fc27 I encountered this:

# dnf install <somepackage>
Last metadata expiration check: 0:04:38 ago on Fri 13 Oct 2017 07:17:42 PM CEST.
...
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
/etc/selinux/targeted/contexts/files/file_contexts.bin:  line 1 error due to: Non-ASCII characters found
/etc/selinux/targeted/contexts/files/file_contexts.homedirs.bin:  line 1 error due to: Non-ASCII characters found
...

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.13.1-283.10.fc27.noarch

Comment 1 Adam Williamson 2017-10-16 21:31:06 UTC
This isn't new, I don't think, I was seeing it a while ago. Didn't get around to reporting it yet, but I don't think it's a reason to -1 the update.

Comment 2 Ralf Corsepius 2017-10-17 04:07:26 UTC
(In reply to Adam Williamson from comment #1)
> This isn't new, I don't think, I was seeing it a while ago.
I was seeing it upon the 1st update of a brand new fc27 _install_ (Not update) on a brand new machine.

> Didn't get
> around to reporting it yet, but I don't think it's a reason to -1 the update.
What else if not seeing an error in an update of brand new install is a reason to -1 an update, in your opinion?

After testing FC27 on several machines, I know SELinux in FC27 is very bugged and broken, with this incident likely being one detail contributing to it.

Comment 3 Adam Williamson 2017-10-17 16:10:25 UTC
"What else if not seeing an error in an update of brand new install is a reason to -1 an update, in your opinion?"

The thing is, I don't think the bug is in the update. It happens on updates that don't involve SELinux packages at all; it's happening, I think, as a consequence of some other operation that occurs during update / install of some other packages, possibly a scriptlet, possibly a trigger.

That's why I said it doesn't make sense to -1 the update, as I don't think the update to selinux-policy is actually the cause.

I've found five other reports of the same error, now I went and looked:

https://bugzilla.redhat.com/show_bug.cgi?id=1386180 (that one seems ppc64-specific)
https://bugzilla.redhat.com/show_bug.cgi?id=1394042 (has a plausible-sounding diagnosis)
https://bugzilla.redhat.com/show_bug.cgi?id=1364173 (involves local customization)
https://bugzilla.redhat.com/show_bug.cgi?id=1499883 (suggests it happens on useradd, which would explain why it happens with some package scriptlets)
https://bugzilla.redhat.com/show_bug.cgi?id=1393651

None of those relates to this update. This should probably be made a dupe of one of them.

Comment 4 Lukas Vrabec 2017-10-19 12:28:28 UTC
*** Bug 1386180 has been marked as a duplicate of this bug. ***

Comment 5 Lukas Vrabec 2017-10-19 12:28:34 UTC
*** Bug 1394042 has been marked as a duplicate of this bug. ***

Comment 6 Petr Lautrbach 2017-10-19 15:22:51 UTC
The file_contexts.bin file is regenerated by the sefcontext_compile utility every time the policy is rebuilt, e.g. during an update, after semodule -B, ... and this file contains precompiled PCRE regexes from file_contexts.

libselinux tries to open and read /etc/selinux/targeted/contexts/files/file_contexts.bin and when there's an error, it tries to open and read /etc/selinux/targeted/contexts/files/file_contexts.

So the error message has no real impact on functionality.

The reason why you can usually see it on a fresh system and on live images is that file_contexts.bin is being generated during build. But while selinux-policy is noarch, compiled regexes in file_contexts.bin are architecture dependent. And when a build occurs on an architecture with different endianness the problem appears.

We're planning to drop .bin files from selinux-policy completely. Originally we added them when there were bugs in libselinux which prevented Anaconda and Atomic systems from working without such files. It's probably not the case anymore.

For Fedora 26 it would have a small performance impact on Live and Atomic systems. On Fedora 27, there's already an investigation [1] which says that .bin files don't improve performance when used with PCRE2 and SELinux userspace release 2.7.

[1]  https://janzarskyblog.wordpress.com/2017/09/06/why-we-dont-need-to-ship-file_contexts-bin-with-selinux-policy/
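
The endianness mismatch described in comment 6 can be checked directly from the first bytes of a file_contexts.bin. The following is an added example, not part of the bug report and not libselinux code: the magic value is libselinux's SELINUX_MAGIC_COMPILED_FCONTEXT, while the header layout (magic, version, then a length-prefixed regex library version string, all in the build host's byte order) is an assumption, and `inspect_fcontext_bin` and `build_sample` are hypothetical names.

```python
import struct
import sys

# Magic from libselinux's label_file.h (SELINUX_MAGIC_COMPILED_FCONTEXT).
MAGIC = 0xF97CFF8A
# Assumed layout: uint32 magic, uint32 version, then (version >= 2) a uint32
# length followed by the regex library version string, all written in the
# byte order of the machine that ran sefcontext_compile.
PCRE_VERS = 2


def inspect_fcontext_bin(data, host_order=sys.byteorder):
    """Classify a compiled file_contexts header against the host byte order."""
    if len(data) < 8:
        return {"status": "truncated"}
    for order, fmt in (("little", "<"), ("big", ">")):
        magic, version = struct.unpack_from(fmt + "II", data, 0)
        if magic != MAGIC:
            continue
        info = {"built_on": order, "version": version, "regex_version": None}
        if version >= PCRE_VERS and len(data) >= 12:
            (length,) = struct.unpack_from(fmt + "I", data, 8)
            raw = data[12:12 + length]
            if len(raw) == length:  # ignore a length that runs past the buffer
                info["regex_version"] = raw.rstrip(b"\0").decode("ascii", "replace")
        # A file built on the other byte order fails the loader's magic check.
        info["status"] = "ok" if order == host_order else "foreign-endian"
        return info
    return {"status": "not-compiled-fcontext"}


def build_sample(order, version=4, regex_version=b"10.30 2017-08-14"):
    """Constructed header for demonstration; not taken from a real system."""
    fmt = "<" if order == "little" else ">"
    return struct.pack(fmt + "III", MAGIC, version, len(regex_version)) + regex_version


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(inspect_fcontext_bin(fh.read(64)))
    else:
        for order in ("little", "big"):
            print(order, inspect_fcontext_bin(build_sample(order), host_order="little"))
```

Run with the path to a file_contexts.bin as the only argument to inspect a real file; without arguments it prints the result for the two constructed headers.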

Comment 7 Hans de Goede 2017-11-06 15:26:04 UTC
Hi,

Not shipping pre-built arch dependent .bin files in a noarch pkgs sounds like a good solution to me. But in the meantime anyone doing almost anything selinux related from the cmdline is still getting these ugly errors, so can you please drop the .bin files in the next policy update?

Regards,

Hans

Comment 8 Lukas Vrabec 2017-11-07 09:18:25 UTC
We have this in Fedora Rawhide already and backported to F27. This change will be part of the next selinux-policy update.

Comment 9 Adam Williamson 2017-11-07 18:48:16 UTC
Marking CommonBugs, we should document this for OOTB F27 users.

Comment 10 Fedora Update System 2017-11-22 08:56:23 UTC
selinux-policy-3.13.1-283.17.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-d05b1a2ab9

Comment 11 Fedora Update System 2017-11-22 21:41:58 UTC
selinux-policy-3.13.1-283.17.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-d05b1a2ab9

Comment 12 Fedora Update System 2017-11-28 23:54:24 UTC
selinux-policy-3.13.1-283.17.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.