Bug 865236

Summary: Semanage command fails with "Could not get direct transaction lock at /etc/selinux/targeted/modules/semanage.trans.LOCK"
Product: Red Hat Enterprise Linux 6
Reporter: Sankar Ramalingam <sramling>
Component: policycoreutils
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED NOTABUG
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: high
Priority: high
Version: 6.4
CC: dwalsh, mmalik
Target Milestone: rc
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2012-10-12 02:55:43 UTC
Type: Bug

Description Sankar Ramalingam 2012-10-11 04:08:07 UTC
Description of problem: When trying to label two different ports simultaneously, semanage fails with "Could not get direct transaction lock at /etc/selinux/targeted/modules/semanage.trans.LOCK" error.

Version-Release number of selected component (if applicable): Latest RHEL64 nightly builds.

How reproducible: Consistent with RHEL64 nightly builds.

Steps to Reproduce:
1. Create a new RHEL64 virtual machine or upgrade the existing RHEL63 to latest RHEL64. 
Repo - http://download.idm.lab.bos.redhat.com/nightly/latest-RHEL6.4/6.4/Server/x86_64/
2. Set SELinux to "Enforcing" mode.
3. Open two terminals and run the semanage command in both simultaneously.

semanage port -a -t ldap_port_t -p tcp 13589
semanage port -a -t ldap_port_t -p tcp 13989

Actual results:

 semanage port -a -t ldap_port_t -p tcp 13989
libsemanage.semanage_get_lock: Could not get direct transaction lock at /etc/selinux/targeted/modules/semanage.trans.LOCK. (Resource temporarily unavailable).
/usr/sbin/semanage: Could not start semanage transaction

Expected results:
semanage should support labelling more than one port simultaneously.

Additional info:

Looks like this limitation was introduced recently. I started encountering this issue with the 09/27 nightly build.

Comment 2 Sankar Ramalingam 2012-10-11 04:39:20 UTC
Changing the component from "Selinux-policy" to "Policycoreutils"

Comment 3 Milos Malik 2012-10-11 07:34:03 UTC
# rpm -qa policycoreutils\*
policycoreutils-2.0.83-19.25.el6.x86_64
policycoreutils-python-2.0.83-19.25.el6.x86_64
#

First terminal:
# semanage port -a -t ldap_port_t -p tcp 13989
#

Second terminal:
# semanage port -a -t ldap_port_t -p tcp 13589
libsemanage.semanage_get_lock: Could not get direct transaction lock at /etc/selinux/targeted/modules/semanage.trans.LOCK. (Resource temporarily unavailable).
/usr/sbin/semanage: Could not start semanage transaction
#

Comment 4 Daniel Walsh 2012-10-12 02:55:43 UTC
Did you run these commands simultaneously? The goal of this lock is to make sure two commands do not happen at the same time.

http://danwalsh.livejournal.com/41593.html

semanage -S targeted -i - << _EOF
port -a -t ldap_port_t -p tcp 13989
port -a -t ldap_port_t -p tcp 13589
_EOF
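
Added example, not part of the bug thread or of policycoreutils: a POSIX shell helper that validates a list of proto:port specs and turns them into one batch for the "semanage -S targeted -i -" invocation shown in comment 4, so every label goes through a single transaction and the lock is taken once. The function names and the proto:port spec format are assumptions made for this example.

```shell
#!/bin/sh
# build_port_batch TYPE PROTO:PORT...
# Prints one "port -a ..." line per unique spec. Prints nothing on stdout and
# returns 1 if any argument is malformed, so a bad list never reaches semanage.
# The body is a subshell, so its variables do not leak into the caller.
build_port_batch() (
    type=$1; shift
    nl='
'
    # Only plain identifier characters: keeps whitespace and newlines out of
    # the batch, where they would be read as extra arguments or commands.
    case $type in
        ''|*[!A-Za-z0-9_]*) echo "bad type: $type" >&2; exit 1 ;;
    esac
    out='' seen=' '
    for spec in "$@"; do
        proto=${spec%%:*}; port=${spec#*:}
        case $proto in
            tcp|udp) ;;
            *) echo "bad proto: $spec" >&2; exit 1 ;;
        esac
        # 1 to 5 digits, no leading zero, then the numeric upper bound.
        case $port in
            ''|0*|*[!0-9]*|??????*) echo "bad port: $spec" >&2; exit 1 ;;
        esac
        [ "$port" -le 65535 ] || { echo "bad port: $spec" >&2; exit 1; }
        # Drop repeats: semanage rejects "-a" for a port it already defined.
        case $seen in
            *" $proto:$port "*) continue ;;
        esac
        seen="$seen$proto:$port "
        out="${out}port -a -t $type -p $proto $port$nl"
    done
    printf '%s' "$out"
)

# apply_port_batch TYPE PROTO:PORT...
# Feeds the whole batch to semanage on stdin (invocation from comment 4).
# Must run as root on a host with policycoreutils-python installed.
apply_port_batch() {
    batch=$(build_port_batch "$@") || return 1
    [ -n "$batch" ] || return 0
    printf '%s\n' "$batch" | semanage -S targeted -i -
}

# Usage (as root): apply_port_batch ldap_port_t tcp:13989 tcp:13589
```

Callers that cannot be merged into one batch still have to run one after another, since each separate semanage invocation takes the transaction lock for itself.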