Bash command completion setup is done during the login process. If a command
is not available but the setup still tries to run it, there are inconvenient
error messages at each login.

With:

    Fedora 41
    openvswitch-3.4.0-2.fc41.x86_64
    selinux-policy-targeted-0:41.28-1.fc41.noarch

/usr/bin/ovs-vsctl has fcontext:

    -rwxr-xr-x. 1 root root system_u:object_r:openvswitch_exec_t:s0 91120 27. 8. 03:00 /usr/bin/ovs-vsctl

And if openvswitch_exec_t is not allowed, then during login there are
these error messages:

    bash: ovs-vsctl: command not found
    bash: ovs-vsctl: command not found

This happens, for example, when the user is configured as the SELinux
confined user_t. These privileged commands are then not available at all.

    $ ls -laZ /usr/bin/ovs-vsctl
    ls: cannot access '/usr/bin/ovs-vsctl': Permission denied

This selected method seems not to change the external posture, as some other
task could use the envs _OVS_VSCTL_COMMANDS and _OVS_VSCTL_OPTIONS.

To test this, you need a host with SELinux set to Enforced, then
configure a login user as confined, and then log in as that user.
You also need a user that can run ovs-vsctl, usually root, to validate
that the environment does not change.

Other possibilities
-------------------
One possibility is to direct output of ovs-vsctl to /dev/null. But I
avoided this because it could hide other issues.
Another possibility is to set _ovs_vsctl based on the availability of
ovs-vsctl, and if it is not available, set it as an empty function. Defining
functions based on the environment can be confusing.
The last possibility I considered was to guard the whole file with an
availability test. It kind of causes issues with indentation.

Markus Linnala (1):
utilities/bashcomp: Do not run ovs-vsctl when not possible
utilities/ovs-vsctl-bashcomp.bash | 14 +++++++++-----
1 file changed, 9 insertions(+), 5 deletions(-)
--
2.48.1
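
The trade-off between the behaviours discussed in this cover letter, as an added example that is not part of the original mail or of the patch. It never runs a real ovs-vsctl: PATH is pointed at constructed fixture directories, the function names are hypothetical, the `command -v` guard is an assumed way to test availability (not necessarily the check the patch uses), and the `--commands` / `--options` calls are assumed to be what the completion file runs.

```shell
#!/bin/sh
# Added example. No real ovs-vsctl is executed: PATH is restricted to
# constructed fixture directories. Function names are hypothetical.

# Unguarded: query the tool while the completion file is sourced at login.
load_unguarded() {
    _OVS_VSCTL_COMMANDS=$(ovs-vsctl --commands)
    _OVS_VSCTL_OPTIONS=$(ovs-vsctl --options)
}

# Alternative from the mail: discard stderr. Quiet, but hides real failures.
load_silenced() {
    _OVS_VSCTL_COMMANDS=$(ovs-vsctl --commands 2>/dev/null)
    _OVS_VSCTL_OPTIONS=$(ovs-vsctl --options 2>/dev/null)
}

# Guarded (assumed check): call the tool only if the shell can resolve it.
load_guarded() {
    _OVS_VSCTL_COMMANDS='' _OVS_VSCTL_OPTIONS=''
    if command -v ovs-vsctl >/dev/null 2>&1; then
        _OVS_VSCTL_COMMANDS=$(ovs-vsctl --commands)
        _OVS_VSCTL_OPTIONS=$(ovs-vsctl --options)
    fi
}

# Print what loader $1 writes to stderr when PATH is only directory $2.
stderr_of() {
    ( PATH=$2; "$1" ) 2>&1 >/dev/null || true
}

# Constructed fixtures: "hidden" has no ovs-vsctl (what a confined login sees
# when the binary is inaccessible); "broken" has a stand-in that fails.
FIX=$(mktemp -d)
trap 'rm -rf "$FIX"' EXIT
mkdir "$FIX/hidden" "$FIX/broken"
printf '#!/bin/sh\necho "stand-in: db connection failed" >&2\nexit 1\n' \
    > "$FIX/broken/ovs-vsctl"
chmod +x "$FIX/broken/ovs-vsctl"

for loader in load_unguarded load_silenced load_guarded; do
    for scen in hidden broken; do
        printf '%s / %s: [%s]\n' "$loader" "$scen" \
            "$(stderr_of "$loader" "$FIX/$scen" | tr '\n' ' ')"
    done
done
```

In the "hidden" case only the unguarded loader prints errors; in the "broken" case the silenced loader stays quiet while the guarded one still surfaces the tool's own failure.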