Setting booleans causes duplicate ports in semanage listings about selinux HOT 7 CLOSED

Thanks for the bug report. Did you open a bug on Red Hat's bugzilla too? If not, would recommend it.
We generally prefer that people raise issues on the mailing list as not everyone follows github; subscribe via selinux-join AT tycho.nsa.gov; you can always open an issue here and then post a summary to the list. I can reproduce with the upstream, but the most obvious fix would impose a non-trivial performance cost on setsebool, so will have to investigate further.

from selinux.

I din't open a bug in Red Hat's bugzilla because I'm using CentOS and don't known their policy on this.

I'll repost to that list with a link to this issue.

from selinux.

Well, it is reproducible on Fedora, and they take bugs against Fedora certainly.

from selinux.

Ok, I guess I can spin up a Fedora VM quickly enough. :)

from selinux.

BTW, the root cause seems to be commit e5aaa01 (mea culpa), which was an attempt to optimize setting booleans by not re-linking modules in that case. The problem though is that it seems the existing linked policy already includes the local customizations (e.g. your port addition) and then we end up adding it again to the final policy. Not sure yet if that was always a problem since that commit or if it got brought it when CIL was merged.

from selinux.

Red Hat Bugzilla issue here: https://bugzilla.redhat.com/show_bug.cgi?id=1439875

from selinux.

Commit b61922f resolves this in the simplest way possible, i.e. reverting the breaking change, but results in a significant slowdown and memory overhead for setsebool -P. A follow-on patch has been posted to the list that should restore the optimization without yielding this incorrect behavior.

from selinux.