Bug
Resolution: Done-Errata
rhel-10.0
libsemanage-3.8-0.rc3.1.el10
rhel-security-selinux
ssg_security
SELINUX 241127 - 241218
What were you trying to do that didn't work?
semanage commands with a / located on NFSv4
What is the impact of this issue to you?
semanage commands unusable
Please provide the package NVR for which the bug is seen:
policycoreutils-3.7-3.el10.noarch
How reproducible is this bug?:
always
Steps to reproduce
- Use an NFSv4 mount as root or just /var/lib/selinux/targeted/
- 192.168.122.155:/rear/targeted on /var/lib/selinux/targeted type nfs4 (rw,relatime,seclabel,vers=4.2,rsize=524288,wsize=524288,namlen=255,hard,proto=tcp,timeo=600,retrans=2,sec=sys,clientaddr=192.168.122.65,local_lock=none,addr=192.168.122.155)
- # semanage fcontext -a -e /home /tmp/testdir
libsemanage.semanage_get_lock: Error obtaining direct transaction lock at /var/lib/selinux/targeted/semanage.trans.LOCK. (Bad file descriptor).
OSError: Bad file descriptor
Expected results
semanage command is usable without errors
Actual results
semanage command fails with a lock error
This is due to this part:
libsemanage/src/semanage_store.c

    int semanage_install_sandbox(semanage_handle_t * sh)
    ...
        if ((fd = open(lock_file, O_RDONLY)) == -1) {
            if ((fd = open(lock_file, O_RDWR | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR)) == -1) {
                ERR(sh, "Could not open direct %s at %s.", lock_name, lock_file);
                return -1;
            }
        }

Then flock fails:

        if (flock(fd, LOCK_EX | LOCK_NB) == 0) {

The open must be done with O_RDWR on an NFSv4 filesystem.
- clones: RHEL-60503 semanage fails to get lock if / is on NFS (or /var/lib/selinux/) (Closed)
- links to: RHBA-2024:141151 libsemanage bug fix and enhancement update
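
An added example (not libsemanage code and not the reporter's) of the locking pattern the description points to: the lock file is opened O_RDWR before flock(LOCK_EX), because the Linux NFS client emulates flock() with byte-range locks and an exclusive lock then needs a descriptor open for writing. The helper names and the /tmp path are hypothetical; on a local filesystem both open styles lock successfully, so the access-mode check is what shows the difference.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/file.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern quoted in the report: O_RDONLY first, create only if missing.
 * Once the lock file exists, the descriptor is read-only. */
static int open_lock_rdonly_first(const char *path)
{
    int fd = open(path, O_RDONLY);
    if (fd == -1)
        fd = open(path, O_RDWR | O_CREAT | O_TRUNC, S_IRUSR | S_IWUSR);
    return fd;
}

/* Returns 1 when fd was opened with write access (O_WRONLY or O_RDWR). */
static int fd_is_writable(int fd)
{
    int fl = fcntl(fd, F_GETFL);
    return fl != -1 && (fl & O_ACCMODE) != O_RDONLY;
}

/* Hypothetical helper: always open read-write, then take a non-blocking
 * exclusive lock. Returns the locked fd, or -1 with errno preserved. */
static int take_exclusive_lock(const char *path)
{
    int fd = open(path, O_RDWR | O_CREAT, S_IRUSR | S_IWUSR);
    if (fd == -1)
        return -1;
    if (flock(fd, LOCK_EX | LOCK_NB) == -1) {
        int saved = errno;      /* close() may overwrite errno */
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

int main(void)
{
    const char *path = "/tmp/example.trans.LOCK";   /* constructed path */
    int fd = take_exclusive_lock(path);
    int ro = open_lock_rdonly_first(path);
    printf("rdwr lock fd=%d writable=%d; rdonly-first writable=%d\n",
           fd, fd >= 0 && fd_is_writable(fd), ro >= 0 && fd_is_writable(ro));
    if (ro >= 0) close(ro);
    if (fd >= 0) close(fd);
    unlink(path);
    return fd >= 0 ? 0 : 1;
}
```
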