#48336 setup-ds should detect if port is already defined
Closed: wontfix. Opened 8 years ago by lkrispen.

When accidentally trying to install DS with a port already labeled as kubernetes_port_t, the installation script spends a lot of time repeating semanage (60 retries), and then the server is started and fails to bind to the port.

The retry count has been reduced in a recent fix, but retrying makes no sense if it is known to fail again.
Also, the error message should be logged, not only in debug mode.

Maybe when the port is specified, a semanage -l could be run to see if the port can be labeled.


The problem here is that semanage port has types like this:

{{{
unreserved_port_t tcp 1024-32767, 61001-65535
ups_port_t tcp 3493
us_cli_port_t tcp 8082, 8083
}}}

So we need to be able to understand ranges, and pattern match out whole integers too in a call to semanage port. Not the easiest task.

I think that a library like python semanage is a bit better, as you can do something like this:

{{{
import semanage
h = semanage.semanage_handle_create()
semanage.semanage_connect(h)
(r, k) = semanage.semanage_port_key_create(h, 61389, 61389, semanage.SEMANAGE_PROTO_TCP)
semanage.semanage_port_exists_local(h, k)
# interpreter output:
[4, 0]
}}}

The tuple 4, 0, where 0 means "port is attached to some port type" (I think).

If it wasn't attached, you get a None here. The API is a bit rough and undocumented, but still works.

So maybe we need to make a submission to selinux to allow query of a single port number to "semanage port" to see what it is owned by? Or we can make a small python helper? Or we can say it's a hard problem, and rely on documentation?
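The range-and-list parsing the comment above calls "not the easiest task", worked through as an added example (this is not code from the ticket, the patch or the 389-ds project). It parses `semanage port -l` output into ranges, answers "which type owns tcp/N", and turns that into the decision setup-ds wanted: label, skip, or stop retrying because another type already owns the port. The sample output is constructed for the example; the type-to-port assignments are illustrative, not the real Fedora policy, and treating unreserved_port_t as "free to relabel" is this example's assumption:

```python
import re
import subprocess
from typing import Dict, List, Tuple

# Key: (SELinux port type, protocol); value: list of inclusive (low, high) ranges.
PortTable = Dict[Tuple[str, str], List[Tuple[int, int]]]

# Constructed sample of `semanage port -l` output for this example; the
# type-to-port assignments are illustrative, not the real Fedora policy.
SAMPLE_SEMANAGE_PORT_L = """\
SELinux Port Type              Proto    Port Number

kubernetes_port_t              tcp      4194, 10250
ldap_port_t                    tcp      389, 636, 3268, 3269, 7389
ldap_port_t                    udp      389, 636
unreserved_port_t              tcp      1024-32767, 61001-65535
ups_port_t                     tcp      3493
us_cli_port_t                  tcp      8082, 8083
"""

_PORT_ITEM = re.compile(r"(\d+)(?:-(\d+))?")


def parse_semanage_port_list(text: str) -> PortTable:
    """Parse `semanage port -l` output into {(type, proto): [(lo, hi), ...]}.

    Entries are comma-separated; a lone port becomes (p, p) and "lo-hi"
    becomes (lo, hi). Anything else is rejected rather than skipped, so a
    format change in semanage fails loudly instead of reporting a port as free.
    """
    table: PortTable = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("SELinux Port Type"):
            continue  # header or blank line
        parts = line.split(None, 2)
        if len(parts) != 3:
            raise ValueError(f"unexpected semanage port line: {line!r}")
        ptype, proto, ports = parts
        for item in ports.split(","):
            item = item.strip()
            m = _PORT_ITEM.fullmatch(item)
            if not m:
                raise ValueError(f"unparseable port entry {item!r} in {line!r}")
            lo = int(m.group(1))
            hi = int(m.group(2)) if m.group(2) else lo
            if not 1 <= lo <= hi <= 65535:
                raise ValueError(f"port range out of bounds: {item!r}")
            table.setdefault((ptype, proto), []).append((lo, hi))
    return table


def port_types(table: PortTable, port: int, proto: str = "tcp") -> List[str]:
    """All SELinux port types whose ranges cover `port` for `proto`."""
    return sorted(
        ptype
        for (ptype, p), ranges in table.items()
        if p == proto and any(lo <= port <= hi for lo, hi in ranges)
    )


def check_port_label(table: PortTable, port: int, wanted: str = "ldap_port_t",
                     proto: str = "tcp") -> Tuple[str, str]:
    """Decide, before calling semanage, whether `port` can be labelled `wanted`.

    Returns (verdict, detail) with verdict one of:
      "already"  - already covered by `wanted`; nothing to do
      "free"     - unlabelled, or only in the catch-all unreserved_port_t
                   (assumption: `semanage port -a` will succeed there)
      "conflict" - owned by a different specific type; -a will keep failing,
                   so stop retrying and report it instead
    """
    owners = port_types(table, port, proto)
    if wanted in owners:
        return "already", f"{proto}/{port} is already labelled {wanted}"
    specific = [t for t in owners if t != "unreserved_port_t"]
    if not specific:
        return "free", f"{proto}/{port} can be labelled: semanage port -a -t {wanted} -p {proto} {port}"
    return "conflict", f"{proto}/{port} is owned by {', '.join(specific)}; labelling as {wanted} will fail"


def live_port_table() -> PortTable:
    """Run the real `semanage port -l` (root, policycoreutils) and parse it."""
    out = subprocess.run(["semanage", "port", "-l"], capture_output=True,
                         text=True, check=True).stdout
    return parse_semanage_port_list(out)


if __name__ == "__main__":
    table = parse_semanage_port_list(SAMPLE_SEMANAGE_PORT_L)
    for p in (389, 10250, 61389, 40000):
        print(check_port_label(table, p))
```

Against the sample, 389 is "already", 10250 is a "conflict" with kubernetes_port_t (the situation that opened this ticket), and 61389 and 40000 are "free". Rejecting unparseable entries rather than ignoring them is deliberate: a silent parse failure would turn into "port looks free", which is exactly the wrong default for a pre-flight check.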

new file ldap/admin/src/scripts/ds_selinux_enabled.in
There is selinuxenabled which is part of libselinux-utils:
{{{
NAME
selinuxenabled - tool to be used within shell scripts to determine if selinux is enabled

SYNOPSIS
selinuxenabled

DESCRIPTION
Indicates whether SELinux is enabled or disabled.

EXIT STATUS
It exits with status 0 if SELinux is enabled and 1 if it is not enabled.
}}}

Also, how are the asan changes related to selinux port detection? Shouldn't they be in a separate patch?
Thanks!

Replying to [comment:7 vashirov]:

Also, how are the asan changes related to selinux port detection? Shouldn't they be in a separate patch?
+1 :)

My comments...

'''1) Missing copyrights?'''
new file ldap/admin/src/scripts/ds_selinux_port_query.in
new file ldap/admin/src/scripts/ds_selinux_enabled.in

'''2) It'd be useful to introduce @pythonexec@ for /usr/bin/python2 which would make switching to python3 easier?'''
{{{
1 #!/usr/bin/python2
}}}
Please see also @perlexec@ in Makefile.am and configure.ac

'''3) In sub updateSelinuxPolicy, since $mydevnull is declared, '/dev/null' is supposed to be replaced with $mydevnull?'''
{{{
sub updateSelinuxPolicy {
my $mydevnull = (-c "/dev/null" ? " /dev/null " : " NUL ");
1043 my $port_query_cmd = ("$inf->{slapd}->{sbindir}/ds_selinux_port_query $inf->{slapd}->{ServerPort} ldap_port_t 2> /dev/null");
1499 my $port_query_cmd = ("@sbindir@/ds_selinux_port_query $secureport ldap_port_t 2> /dev/null");
}}}
'''4) Wondering whether the check with 512 at line 1052 is valid?'''
{{{
1052 if ($result == 512) {
}}}
I see 512 is returned here, but the line 1052 is not checking for this syntax error...?
{{{
16 if len(sys.argv) <= 1:
17 sys.stderr.write("Must provide port to query\n")
18 sys.exit(512)
}}}

Replying to [comment:8 nhosoi]:

Replying to [comment:7 vashirov]:

Also, how are the asan changes related to selinux port detection? Shouldn't they be in a separate patch?
+1 :)

That's because we (stupidly) commit complete configure and autotools scripts. So every time I build locally with some different setting, it wants to change half of these files. So it's not meant to be there; I forgot and typed "git commit -a", which meant that I added them all ....

When I commit next, the changes won't be in there.

My comments...

'''1) Missing copyrights?'''
new file ldap/admin/src/scripts/ds_selinux_port_query.in
new file ldap/admin/src/scripts/ds_selinux_enabled.in

I will fix this.

'''2) It'd be useful to introduce @pythonexec@ for /usr/bin/python2 which would make switching to python3 easier?'''
{{{
1 #!/usr/bin/python2
}}}
Please see also @perlexec@ in Makefile.am and configure.ac

Ahhh yes, that's an awesome idea. I'll do that.

'''3) In sub updateSelinuxPolicy, since $mydevnull is declared, '/dev/null' is supposed to be replaced with $mydevnull?'''
{{{
sub updateSelinuxPolicy {
my $mydevnull = (-c "/dev/null" ? " /dev/null " : " NUL ");
1043 my $port_query_cmd = ("$inf->{slapd}->{sbindir}/ds_selinux_port_query $inf->{slapd}->{ServerPort} ldap_port_t 2> /dev/null");
1499 my $port_query_cmd = ("@sbindir@/ds_selinux_port_query $secureport ldap_port_t 2> /dev/null");
}}}

Yep, I'll do that too.

'''4) Wondering the check with 512 at the line 1052 is valid?'''
{{{
1052 if ($result == 512) {
}}}

Perl exit codes are bit shifted, so result 512 is actually exit 2. So the syntax error will be 512 shifted. But I should check for this too.

I see 512 is returned here, but the line 1052 is not checking for this syntax error...?
{{{
16 if len(sys.argv) <= 1:
17 sys.stderr.write("Must provide port to query\n")
18 sys.exit(512)
}}}
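The exit-status arithmetic in the exchange above (exit 2 showing up as 512 in Perl's $?, and a helper script calling sys.exit(512)), worked through as an added example; this is not code from the patch or the 389-ds project. It spawns a child Python interpreter that exits with a requested value and reports what the parent actually observes: on POSIX the kernel keeps only the low 8 bits of the value handed to exit(2), so an argument of 512 reaches the caller as status 0, and Perl's $? then holds 0 << 8, never 512. The selinux_enabled helper wraps selinuxenabled(8) from libselinux-utils as quoted earlier in the thread; treating a missing binary as "not enabled" is this example's assumption.

```python
import subprocess
import sys
from typing import Tuple


def child_exit_status(requested: int) -> int:
    """Spawn a Python child that calls sys.exit(requested); return what the parent sees.

    POSIX keeps only the low 8 bits of the exit(2) argument, so any value above
    255 wraps: 256 and 512 both come back as 0, indistinguishable from success.
    """
    proc = subprocess.run([sys.executable, "-c", f"import sys; sys.exit({int(requested)})"])
    return proc.returncode


def perl_wait_status(exit_status: int, signal: int = 0, core: bool = False) -> int:
    """Encode a child's termination the way Perl's $? and C's wait(2) report it:
    exit status in the high byte, terminating signal in the low 7 bits, bit 7 = core."""
    if not 0 <= exit_status <= 255 or not 0 <= signal <= 127:
        raise ValueError("exit status must be 0..255 and signal 0..127")
    return (exit_status << 8) | (0x80 if core else 0) | signal


def decode_perl_status(status: int) -> Tuple[int, int, bool]:
    """Inverse of perl_wait_status: (exit_status, signal, core_dumped).
    This is the `$? >> 8` a Perl caller should compare against small exit codes."""
    return status >> 8, status & 0x7F, bool(status & 0x80)


def selinux_enabled() -> bool:
    """selinuxenabled(8) exits 0 when SELinux is enabled and 1 when it is not.
    A missing binary is treated as 'not enabled' here (this example's choice)."""
    try:
        return subprocess.run(["selinuxenabled"]).returncode == 0
    except FileNotFoundError:
        return False


if __name__ == "__main__":
    for n in (0, 1, 2, 255, 256, 512):
        seen = child_exit_status(n)
        print(f"sys.exit({n}) -> exit status {seen}; Perl $? would be {perl_wait_status(seen)}")
    print("SELinux enabled:", selinux_enabled())
```

The practical consequence for a wrapper that is called from Perl: a helper must signal its own usage errors with a small non-zero code (2, say), and the Perl side must compare `$? >> 8` against 2 (or `$?` against 512), never exit with a value above 255, because that collapses to success and the error branch can never run.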

Replying to [comment:7 vashirov]:

new file ldap/admin/src/scripts/ds_selinux_enabled.in
There is selinuxenabled which is part of libselinux-utils:

Yes: In the future though, I plan to remove all the shelling out to scripts for this, and just use library calls. That's why I used the wrapper, so that I can assimilate it into the setup-ds later on.

Also, how are the asan changes related to selinux port detection? Shouldn't they be in a separate patch?

See the other comment.

The second patch 0001-Ticket-48336-setup-ds-should-detect-if-port-is-alrea.2.patch looks good to me. Ack'ed.

commit 8269288
Writing objects: 100% (11/11), 3.22 KiB | 0 bytes/s, done.
Total 11 (delta 8), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
a441a58..8269288 master -> master

On F24 I get this during the instance installation:
{{{
...
Directory Manager DN [cn=Directory Manager]:
Password:
Password (confirm):
Traceback (most recent call last):
File "/usr/sbin/ds_selinux_enabled", line 17, in <module>
import semanage
ImportError: No module named semanage
Your new DS instance 'qeos-237' was successfully created.
Exiting . . .
Log file is '/tmp/setupdrxEL5.log'
}}}
/usr/sbin/ds_selinux_enabled uses python2, but we do not depend on libsemanage-python, instead libsemanage-python3 is installed. So this is why I proposed to use selinuxenabled from libselinux-utils.

You can do conditional imports in python:
{{{
try:
import semanage
except ImportError:
import libsemanage as semanage # or whatever it is
}}}
Then you can use semanage no matter where it comes from, assuming it has the same methods.

If the two different selinux libraries have different functions with different signatures, then you'll have to create wrapper functions.

The issue is the lack of the dependency in the rpm.

I am trying to push that we use the python tools, so that we as a team gain the experience around their interaction as we start to move more of our code towards them. There are many things that the selinux command line is incapable of doing, such as port querying and manipulation in the fine grained way we need. This is why I am pursuing this path, rather than using the libselinux-utils tools.

I hope the patch resolves the issue.

commit 0e4a9a6
Writing objects: 100% (4/4), 710 bytes | 0 bytes/s, done.
Total 4 (delta 3), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
0687694..0e4a9a6 master -> master

Thanks Mark!

I have installed 389 on fedora25 and can see this error message:
{{{
Directory Manager DN [cn=Directory Manager]:
Password:
Password (confirm):
Traceback (most recent call last):
File "/usr/sbin/ds_selinux_enabled", line 16, in <module>
import selinux
ImportError: No module named selinux
Your new DS instance 'mgmt8' was successfully created.
Exiting . . .
Log file is '/tmp/setuppMauDS.log'

[root@mgmt8 ~]# cat /etc/redhat-release
Fedora release 25 (Twenty Five)
[root@mgmt8 ~]#
}}}

This error does not occur if I do dnf install libselinux-python.
It seems this is fixed in a higher version of 389; should we back-port the fix?

Thanks,
Amita

Looking at configure.ac:
{{{
AC_MSG_CHECKING(for --with-pythonexec)
AC_ARG_WITH([pythonexec],
AS_HELP_STRING([--with-pythonexec=PATH],
[Path to executable for python)])
)
if test -n "$with_pythonexec"; then
if test "$with_pythonexec" = yes ; then
AC_MSG_ERROR([You must specify --with-pythonexec=/full/path/to/python])
elif test "$with_pythonexec" = no ; then
with_pythonexec=/usr/bin/python2
else
AC_MSG_RESULT([$with_pythonexec])
fi
else
with_pythonexec=/usr/bin/python2
fi
}}}
By default it uses python2, but on Fedora we don't specify --with-pythonexec=/usr/bin/python3 in the spec file. So we should either do that or specify a dependency on the python2 version of libselinux-python until we completely switch to python3.

Have we missed the libselinux dependency in the rpm specfile perhaps?

Replying to [comment:21 firstyear]:

Have we missed the libselinux dependency in the rpm specfile perhaps?
This. And dependency hell in python2 and python3 packages:
On fresh F25 (F24 has the same issue, btw) system:
{{{
[root@qeos-206 ~]# rpm -qa | grep libselinux-python -c
0
[root@qeos-206 ~]# dnf install libsemanage-python3
Last metadata expiration check: 0:46:27 ago on Wed Nov 23 21:27:29 2016.
Dependencies resolved.
=========================================================================================================================================
Package Arch Version Repository Size
=========================================================================================================================================
Installing:
libselinux-python3 x86_64 2.5-12.fc25 fedora 239 k
libsemanage-python3 x86_64 2.5-8.fc25 fedora 111 k

Transaction Summary

Install 2 Packages

Total download size: 351 k
Installed size: 1.0 M
Is this ok [y/N]: n
Operation aborted.
}}}
But python2 version doesn't pull libselinux-python:
{{{
[root@qeos-206 ~]# dnf install libsemanage-python
Last metadata expiration check: 0:46:59 ago on Wed Nov 23 21:27:29 2016.
Dependencies resolved.
=========================================================================================================================================
Package Arch Version Repository Size
=========================================================================================================================================
Installing:
libsemanage-python x86_64 2.5-8.fc25 fedora 108 k

Transaction Summary

Install 1 Package

Total download size: 108 k
Installed size: 369 k
Is this ok [y/N]: n
Operation aborted.
}}}

So when we install 389-ds-base, libsemanage-python is installed for both python2 and python3, but because of different dependencies only the python3 version pulls in libselinux-python3:
{{{
[root@qeos-206 ~]# dnf install 389-ds-base
Last metadata expiration check: 0:50:33 ago on Wed Nov 23 21:27:29 2016.
Dependencies resolved.
=========================================================================================================================================
Package Arch Version Repository Size
=========================================================================================================================================
Installing:
389-ds-base x86_64 1.3.5.15-1.fc25 updates 1.7 M
389-ds-base-libs x86_64 1.3.5.15-1.fc25 updates 677 k
audit-libs-python3 x86_64 2.6.7-1.fc25 fedora 76 k
bind-libs x86_64 32:9.10.4-2.P4.fc25 updates 151 k
bind-libs-lite x86_64 32:9.10.4-2.P4.fc25 updates 1.0 M
bind-license noarch 32:9.10.4-2.P4.fc25 updates 89 k
bind-utils x86_64 32:9.10.4-2.P4.fc25 updates 407 k
checkpolicy x86_64 2.5-8.fc25 fedora 297 k
cyrus-sasl-gssapi x86_64 2.1.26-26.2.fc24 fedora 46 k
cyrus-sasl-md5 x86_64 2.1.26-26.2.fc24 fedora 62 k
libcgroup x86_64 0.41-9.fc25 fedora 67 k
libselinux-python3 x86_64 2.5-12.fc25 fedora 239 k
libsemanage-python x86_64 2.5-8.fc25 fedora 108 k
libsemanage-python3 x86_64 2.5-8.fc25 fedora 111 k
openldap-clients x86_64 2.4.44-2.fc25 fedora 190 k
perl-Algorithm-Diff noarch 1.1903-5.fc25 fedora 51 k
perl-Archive-Tar noarch 2.16-1.fc25 updates 76 k
perl-DB_File x86_64 1.838-2.fc25 fedora 79 k
perl-IO-Zlib noarch 1:1.10-379.fc25 updates 69 k
perl-Mozilla-LDAP x86_64 1.5.3-19.fc25 fedora 148 k
perl-NetAddr-IP x86_64 4.079-2.fc25 fedora 130 k
perl-Socket6 x86_64 0.28-1.fc25 fedora 34 k
perl-Text-Diff noarch 1.44-2.fc25 fedora 44 k
policycoreutils-python-utils x86_64 2.5-17.fc25 fedora 217 k
policycoreutils-python3 x86_64 2.5-17.fc25 fedora 1.8 M
python-IPy-python3 noarch 0.81-16.fc25 fedora 43 k
setools-libs x86_64 3.3.8-12.fc25 fedora 560 k
svrcore x86_64 4.1.2-1.fc25 fedora 23 k

Transaction Summary

Install 28 Packages

Total download size: 8.5 M
Installed size: 21 M
Is this ok [y/N]:
}}}

Metadata Update from @vashirov:
- Issue assigned to firstyear
- Issue set to the milestone: 1.3.5.5

7 years ago

389-ds-base is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in 389-ds-base's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/389ds/389-ds-base/issues/1667

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Metadata Update from @spichugi:
- Issue close_status updated to: wontfix (was: Fixed)

3 years ago
