Bug 1609488 - semanage fcontext should not fail when adding the same entry
Summary: semanage fcontext should not fail when adding the same entry
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: policycoreutils
Version: 27
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Petr Lautrbach
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-07-28 12:48 UTC by Lukas Slebodnik
Modified: 2020-12-06 06:54 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-08-02 07:18:09 UTC
Type: Bug
Embargoed:


Attachments (Terms of Use)

Description Lukas Slebodnik 2018-07-28 12:48:40 UTC
Description of problem:
semanage fcontext fails when adding the same entry twice.
I would expect more idempotent behaviour and failure only in case of conflicting types.

Version-Release number of selected component (if applicable):
sh$ rpm -qf /usr/sbin/semanage
policycoreutils-python-utils-2.7-6.fc27.noarch

How reproducible:
Deterministic

Steps to Reproduce:
1. dnf install -y policycoreutils-python-utils
2. semanage fcontext -a -t httpd_sys_script_exec_t '/var/www/app\.cgi'
3. semanage fcontext -a -t httpd_sys_script_exec_t '/var/www/app\.cgi'

Actual results:
sh# semanage fcontext -a -t httpd_sys_script_exec_t '/var/www/app\.cgi'
sh# semanage fcontext -a -t httpd_sys_script_exec_t '/var/www/app\.cgi'
ValueError: File context for /var/www/app\.cgi already defined

Expected results:
sh# semanage fcontext -a -t httpd_sys_script_exec_t '/var/www/app\.cgi'
sh# semanage fcontext -a -t httpd_sys_script_exec_t '/var/www/app\.cgi'
sh# echo $?
0

Additional info:
It is not a problem with
sh$ rpm -qf /usr/sbin/semanage
policycoreutils-python-2.5-24.el7.x86_64

Comment 1 Petr Lautrbach 2018-07-31 11:49:15 UTC
This is correct behaviour. If you need to modify some entry you added before, use -m,--modify:

# semanage fcontext -a -t httpd_sys_script_exec_t '/var/www/app\.cgi'
# semanage fcontext -m -t httpd_sys_script_exec_t '/var/www/app\.cgi'

Comment 2 Lukas Slebodnik 2018-08-01 07:25:22 UTC
(In reply to Petr Lautrbach from comment #1)
> This is correct behaviour. If you need to modify some entry you added
> before, use -m,--modify:
> 
> # semanage fcontext -a -t httpd_sys_script_exec_t '/var/www/app\.cgi'
> # semanage fcontext -m -t httpd_sys_script_exec_t '/var/www/app\.cgi'

That is not my use-case. I do not want to modify anything.

sh# semanage fcontext -d -t httpd_sys_script_exec_t '/var/www/app\.cgi'
sh# semanage fcontext -m -t httpd_sys_script_exec_t '/var/www/app\.cgi'
ValueError: File context for /var/www/app\.cgi is not defined


I want to have just fcontext there with right parametrs. (and fail only if there is different conflicting context. I would expect more idempotent behaviour.
Or do you have semanage module for configure management tool (ansible, puppet ...)

Comment 3 Lukas Slebodnik 2018-08-01 07:36:08 UTC
(In reply to Lukas Slebodnik from comment #2)
> (In reply to Petr Lautrbach from comment #1)
> > This is correct behaviour. If you need to modify some entry you added
> > before, use -m,--modify:
> > 
> > # semanage fcontext -a -t httpd_sys_script_exec_t '/var/www/app\.cgi'
> > # semanage fcontext -m -t httpd_sys_script_exec_t '/var/www/app\.cgi'
> 
> That is not my use-case. I do not want to modify anything.
> 

But if modify will be idempotent (it will add entry in case of non existing one
then I will be glad to use it.

> sh# semanage fcontext -d -t httpd_sys_script_exec_t '/var/www/app\.cgi'
> sh# semanage fcontext -m -t httpd_sys_script_exec_t '/var/www/app\.cgi'
> ValueError: File context for /var/www/app\.cgi is not defined
> 
> 
> I want to have just fcontext there with right parametrs. (and fail only if
> there is different conflicting context. I would expect more idempotent
> behaviour.
> Or do you have semanage module for configure management tool (ansible,
> puppet ...)

Comment 4 Petr Lautrbach 2018-08-02 07:18:09 UTC
'semanage fcontext [-a|-m]' works with local policy modifications. You can list these modifications using:

# semanage fcontext -l -C        

or you can extract them:

# semanage fcontext -E

The output of the command above can be used as an  input for 'semanage import' later.


If you need add a new file context mapping which is not defined in local modifications yet, you need to use -a, --add:

# semanage fcontext -a -t httpd_sys_script_exec_t '/opt/.*\.cgi'

When you try add this again, it fails since it's already defined and you need to use -m, --modify:

# semanage fcontext -a -t httpd_sys_script_exec_t '/opt/.*\.cgi'
ValueError: File context for /opt/.*\.cgi already defined

# semanage fcontext -m -t httpd_sys_script_exec_t '/opt/.*\.cgi'

You can also use -D option to delete all local modifications before you add a new one:

# semanage fcontext -D

# semanage fcontext -a -t httpd_sys_script_exec_t '/opt/.*\.cgi'


If you need to manage local SELinux policy setting you can try linux-system-roles.selinux Ansible role - https://github.com/linux-system-roles/selinux

Comment 5 Daniel Farina 2020-12-06 06:54:01 UTC
I think an idempotent option (or default behaviour, since duplicates
don't make sense) would be an improvement. I wind up using a `||` in
the shell with the same code written twice, one with "-a" and one with
"-m". Obviously it's brittle if only one copy is changed, or I have to
add abstraction to avoid that that is not always worth the trouble,
but the status quo is not graceful.


Note You need to log in before you can comment on or make changes to this bug.