G_REGEX_OPTIMIZE invokes PCRE's JIT optimizer for regexes which requires
writable executable memory. This clashes with the 'execmem' SELinux
permission which we don't really want to grant to any of the virt
daemons.

Since all uses of G_REGEX_OPTIMIZE are on code paths unlikely to hit the
~3x performance penalty of using interpeted evaluation of the regex
rather than the JIT'd one we can simply remove the optimization from the
rest of the calls. (Only 3 of 10 used it).

Patch 2 is optional; selinux can simply ban 'execmem' and mark it as
'dontaudit'. glib will fall back to the interpreter.

The patches are based on a discussion which I've summarized in:
https://redhat.atlassian.net/browse/RHEL-44901

Peter Krempa (2):
  syntax-check: Add warning about implications of G_REGEX_OPTIMIZE
  Avoid use of glib's G_REGEX_OPTIMIZE flag

 build-aux/syntax-check.mk | 13 +++++++++++++
 src/conf/domain_event.c   |  2 +-
 src/util/vircommand.c     |  2 +-
 src/util/virlog.c         |  2 +-
 4 files changed, 16 insertions(+), 3 deletions(-)

-- 
2.54.0

On a Monday in 2026, Peter Krempa via Devel wrote:
>G_REGEX_OPTIMIZE invokes PCRE's JIT optimizer for regexes which requires
>writable executable memory. This clashes with the 'execmem' SELinux
>permission which we don't really want to grant to any of the virt
>daemons.
>
>Since all uses of G_REGEX_OPTIMIZE are on code paths unlikely to hit the
>~3x performance penalty of using interpeted evaluation of the regex
>rather than the JIT'd one we can simply remove the optimization from the
>rest of the calls. (Only 3 of 10 used it).
>
>Patch 2 is optional; selinux can simply ban 'execmem' and mark it as
>'dontaudit'. glib will fall back to the interpreter.
>
>The patches are based on a discussion which I've summarized in:
>https://redhat.atlassian.net/browse/RHEL-44901
>
>Peter Krempa (2):
>  syntax-check: Add warning about implications of G_REGEX_OPTIMIZE
>  Avoid use of glib's G_REGEX_OPTIMIZE flag
>

Reviewed-by: Ján Tomko <jtomko@redhat.com>

Jano