Comments (7)
Thanks for the bug report. Did you open a bug on Red Hat's bugzilla too? If not, would recommend it.
We generally prefer that people raise issues on the mailing list as not everyone follows GitHub; subscribe via selinux-join AT tycho.nsa.gov; you can always open an issue here and then post a summary to the list. I can reproduce with the upstream, but the most obvious fix would impose a non-trivial performance cost on setsebool, so will have to investigate further.
I didn't open a bug in Red Hat's bugzilla because I'm using CentOS and don't know their policy on this.
I'll repost to that list with a link to this issue.
Well, it is reproducible on Fedora, and they take bugs against Fedora certainly.
Ok, I guess I can spin up a Fedora VM quickly enough. :)
BTW, the root cause seems to be commit e5aaa01 (mea culpa), which was an attempt to optimize setting booleans by not re-linking modules in that case. The problem though is that it seems the existing linked policy already includes the local customizations (e.g. your port addition) and then we end up adding it again to the final policy. Not sure yet if that was always a problem since that commit or if it got brought in when CIL was merged.
Red Hat Bugzilla issue here: https://bugzilla.redhat.com/show_bug.cgi?id=1439875
Commit b61922f resolves this in the simplest way possible, i.e. reverting the breaking change, but results in a significant slowdown and memory overhead for setsebool -P. A follow-on patch has been posted to the list that should restore the optimization without yielding this incorrect behavior.