Bug 489922 - semanage could have a switch not to complain when port value is already set
Summary: semanage could have a switch not to complain when port value is already set
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: policycoreutils
Version: 5.3
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: BaseOS QE
URL:
Whiteboard:
Depends On:
Blocks: 530353
Reported: 2009-03-12 15:17 UTC by Jan Pazdziora
Modified: 2011-05-17 07:01 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-12-18 18:56:11 UTC
Target Upstream Version:
Embargoed:



Description Jan Pazdziora 2009-03-12 15:17:15 UTC
Description of problem:

If you run for example

/usr/sbin/semanage port -a -t jabber_interserver_port_t -p tcp 5347

semanage will complain

/usr/sbin/semanage: Port tcp/5347 already defined

on stderr if that value is already defined. But if I run /usr/sbin/semanage port -a, I just want the port value to be set and I do not really care that it's been already there. If it was, even better, no work to be done.

Thus, /usr/sbin/semanage could use a switch to silence that error message.

Alternatively, /usr/sbin/semanage could be made silent by default and have a switch to turn the error message on.

Version-Release number of selected component (if applicable):

# rpm -qf /usr/sbin/semanage
policycoreutils-1.33.12-14.2.el5

How reproducible:

Deterministic.

Steps to Reproduce:
1. Run /usr/sbin/semanage port -a -t jabber_interserver_port_t -p tcp 5347 or similar command.
2. Run /usr/sbin/semanage port -a -t jabber_interserver_port_t -p tcp 5347 again.
  
Actual results:

/usr/sbin/semanage: Port tcp/5347 already defined
and no way to silence this error. I tried using grep -v but I get

type=AVC msg=audit(1235487991.186:887): avc:  denied  { write } for  pid=19471 comm="setfiles" path="pipe:[103953]" dev=pipefs ino=103953 scontext=root:system_r:setfiles_t:s0-s0:c0.c1023 tcontext=root:system_r:rpm_script_t:s0-s0:c0.c1023 tclass=fifo_file
type=AVC msg=audit(1235487991.186:887): avc:  denied  { write } for  pid=19471 comm="setfiles" path="pipe:[103953]" dev=pipefs ino=103953 scontext=root:system_r:setfiles_t:s0-s0:c0.c1023 tcontext=root:system_r:rpm_script_t:s0-s0:c0.c1023 tclass=fifo_file

when I do that in rpm's %post.

Expected results:

Have an easy way of turning that error message off.

Additional info:

Comment 1 Daniel Walsh 2009-03-24 14:48:30 UTC
I want to move this to 5.5 since we don't have this in Rawhide yet and it.

Comment 3 Daniel Walsh 2009-10-28 12:59:05 UTC
Why not just add the following to your script?

# Only add the mapping when the current listing does not already show it.
/usr/sbin/semanage port -l | grep '^jabber_interserver_port_t.*tcp.*5347' > /dev/null
if [ $? -ne 0 ]; then
 /usr/sbin/semanage port -a -t jabber_interserver_port_t -p tcp 5347
fi

Comment 4 Jan Pazdziora 2009-10-28 15:52:39 UTC
Oh, I could definitely do that. I just felt that if semanage was able to do it directly, it would decrease race condition when the value is deleted between those two semanage invocations, plus the scripts calling semanage might be a bit simpler (one line instead of cca four).

So it's just about making it easier for callers, not adding functionality which would not be available otherwise.
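An added example (not code from this bug report or from policycoreutils) of the check-then-add pattern from comment 3 with the check done properly: a POSIX shell parser for `semanage port -l` output that matches whole port numbers and port ranges instead of a substring grep, wrapped in an idempotent add. It assumes the listing format `type proto port[, port|lo-hi ...]`; the listing and the function names `port_defined` and `ensure_port` are constructed for this example, and the `SEMANAGE` variable exists only so the command can be stubbed.

```shell
#!/bin/sh
# Idempotent "add port label" wrapper built on a parser for `semanage port -l`.
# Assumes one mapping per line: "type proto port[, port|lo-hi ...]".

# Listing constructed for this example; a real run pipes `semanage port -l`.
SAMPLE_LISTING='SELinux Port Type              Proto    Port Number
jabber_client_port_t           tcp      5222, 5223
jabber_interserver_port_t      tcp      5269, 5347
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
ephemeral_port_t               tcp      32768-61000'

# port_defined TYPE PROTO PORT   (listing on stdin)
# Exit 0 when TYPE already covers PROTO/PORT, 1 otherwise.  Whole numbers and
# ranges are compared, so 5347 does not match 15347 and 40000 is found inside
# 32768-61000; the substring grep in comment 3 gets both of those wrong.
port_defined() {
    awk -v type="$1" -v proto="$2" -v port="$3" '
        $1 == type && $2 == proto {
            list = ""
            for (i = 3; i <= NF; i++) list = list $i   # rejoin "5269," "5347"
            n = split(list, ports, ",")
            for (i = 1; i <= n; i++) {
                if (split(ports[i], r, "-") == 2) {
                    if (port + 0 >= r[1] + 0 && port + 0 <= r[2] + 0) found = 1
                } else if (ports[i] + 0 == port + 0) {
                    found = 1
                }
            }
        }
        END { exit found ? 0 : 1 }'
}

# ensure_port TYPE PROTO PORT
# Adds the mapping only when it is missing, so rerunning an rpm %post stays
# quiet.  SEMANAGE may be overridden (a stub in the test).  Still check-then-add:
# a mapping deleted between the two calls is not re-added, which is the race
# comment 4 describes.
ensure_port() {
    semanage=${SEMANAGE:-/usr/sbin/semanage}
    if "$semanage" port -l | port_defined "$1" "$2" "$3"; then
        return 0
    fi
    "$semanage" port -a -t "$1" -p "$2" "$3"
}
```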
