Only purge local modifications that are not mentioned in the config
Currently the role removes all settings when purge variables are set and then adds the settings back again. AFAIU this could break a system in the time between purging and setting the values. Therefore it would be better to only remove the settings that are not mentioned, for example:
1. add all settings if they are not yet set
2. remove all remaining settings
This should ensure that if there is nothing to change, the role does not actually change the settings for a short amount of time. Also, in case the role fails between 1. and 2., it will not have removed all the settings that might have been necessary to be able to access the host (for example when they are required for ssh access).
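One way to implement the add-first, remove-only-extras idea from the issue, as an added example that is not code from the issue or the role; it assumes `semanage fcontext -l -C` output in the three-column form of the constructed sample below, and the mapping between the sefcontext `ftype` flags and semanage's type names is an assumption:

```python
"""Plan SELinux fcontext changes by comparing the role's desired entries with the
host's local modifications: add or modify what differs, delete only the extras."""
import re
from typing import Dict, List, Tuple

# Constructed sample of `semanage fcontext -l -C` output (local modifications only).
SAMPLE_LOCAL = """\
SELinux fcontext                 type             Context

/srv/www(/.*)?                   all files        system_u:object_r:httpd_sys_content_t:s0
/opt/app/bin(/.*)?               regular file     system_u:object_r:bin_t:s0
/data/old(/.*)?                  all files        system_u:object_r:var_t:s0
"""
# Assumed mapping between sefcontext `ftype` flags and the names semanage prints.
FTYPE_NAMES = {"a": "all files", "f": "regular file", "d": "directory",
               "l": "symbolic link", "s": "socket", "p": "named pipe",
               "c": "character device", "b": "block device"}
FTYPE_FLAGS = {name: flag for flag, name in FTYPE_NAMES.items()}
LINE_RE = re.compile(r"^(\S+)\s{2,}(.+?)\s{2,}(\S+:\S+:\S+:\S+)$")
Key = Tuple[str, str]  # (target regex, file type name)

def parse_local_fcontexts(text: str) -> Dict[Key, str]:
    """Map (target, ftype name) -> SELinux type; header and blank lines are skipped."""
    current: Dict[Key, str] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # context is user:role:type:level, keep only the type
            current[(m.group(1), m.group(2))] = m.group(3).split(":")[2]
    return current

def plan_fcontext_changes(desired: List[dict], current: Dict[Key, str]):
    """Return (to_add, to_remove); entries that already match are left untouched,
    so an already-correct host produces no commands at all."""
    wanted = {(d["target"], FTYPE_NAMES[d.get("ftype", "a")]): d["setype"] for d in desired}
    to_add = [(t, ft, ty) for (t, ft), ty in wanted.items() if current.get((t, ft)) != ty]
    to_remove = [key for key in current if key not in wanted]
    return to_add, to_remove

def semanage_commands(desired: List[dict], listing: str) -> List[List[str]]:
    """Argv lists in the order the issue proposes: add/modify first, delete last."""
    current = parse_local_fcontexts(listing)
    to_add, to_remove = plan_fcontext_changes(desired, current)
    cmds = []
    for target, ftype, setype in to_add:
        op = "-m" if (target, ftype) in current else "-a"  # present with another type
        cmds.append(["semanage", "fcontext", op, "-t", setype, "-f", FTYPE_FLAGS[ftype], target])
    for target, ftype in to_remove:
        cmds.append(["semanage", "fcontext", "-d", "-f", FTYPE_FLAGS[ftype], target])
    return cmds
```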
For booleans, I don't see how one can drop individual customizations; it seems that the only thing that is supported is to drop all customizations (semanage boolean -D).
In other words, while I like the idea, I am not sure how to implement it.
@wrabcak do you have any idea, please?
I don't think it's feasible to investigate which settings are not set yet and remove all remaining settings. But possible breakages could be minimized if the purge happened just before the corresponding set action. Something like:
diff --git a/tasks/main.yml b/tasks/main.yml
index afbe81f..f229e45 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -67,22 +67,6 @@
command: /usr/sbin/semanage boolean -D
when: selinux_booleans_purge | bool
-- name: Purge all SELinux file context local modifications
- command: /usr/sbin/semanage fcontext -D
- when: selinux_fcontexts_purge | bool
-
-- name: Purge all SELinux port local modifications
- command: /usr/sbin/semanage port -D
- when: selinux_ports_purge | bool
-
-- name: Purge all SELinux login local modifications
- command: /usr/sbin/semanage login -D
- when: selinux_logins_purge | bool
-
-- name: Reload SELinux policy
- command: semodule -R
- when: ansible_selinux.status != "disabled"
-
- name: Set SELinux booleans
seboolean:
name: "{{ item.name }}"
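Review bot: the `Reload SELinux policy` task (`semodule -R`, guarded by `ansible_selinux.status != "disabled"`) is deleted in this hunk but is not re-added by any of the following hunks, so the policy reload that used to follow the purges disappears entirely; unless that is intended, keep a reload task after the last set task. The `semanage boolean -D` task at the top of the hunk is left in place, which after the deletions puts it directly before `Set SELinux booleans`, consistent with the stated intent.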
@@ -90,6 +74,10 @@
persistent: "{{ item.persistent | default('no') }}"
with_items: "{{ selinux_booleans }}"
+- name: Purge all SELinux file context local modifications
+ command: /usr/sbin/semanage fcontext -D
+ when: selinux_fcontexts_purge | bool
+
- name: Set SELinux file contexts
sefcontext:
target: "{{ item.target }}"
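Review bot: `Purge all SELinux file context local modifications` still runs `semanage fcontext -D` for every entry whenever `selinux_fcontexts_purge` is true, so moving it directly before `Set SELinux file contexts` shortens the window in which all local fcontexts are missing but does not remove it; a failure in the `sefcontext` loop still leaves the host with none of them. As a `command` task it will also report changed on every run, so a `changed_when` would keep the role idempotent in its reporting.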
@@ -113,6 +101,10 @@
check_mode: no
when: ansible_check_mode
+- name: Purge all SELinux port local modifications
+ command: /usr/sbin/semanage port -D
+ when: selinux_ports_purge | bool
+
- name: Set an SELinux label on a port
seport:
ports: "{{ item.ports }}"
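Review bot: the new `semanage port -D` task is placed immediately before `Set an SELinux label on a port`, but if `selinux_ports` carries the port sshd listens on, a failure between the purge and the `seport` loop leaves that port unlabeled, which is exactly the loss-of-access case the issue describes; at minimum this ordering deserves a comment, and the purge could be skipped when there is nothing in `selinux_ports` to restore. The purge has no `check_mode` setting, unlike the task right above it, so in check mode it is skipped while the comparison task still runs.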
@@ -121,6 +113,10 @@
state: "{{ item.state | default(present) }}"
with_items: "{{ selinux_ports }}"
+- name: Purge all SELinux login local modifications
+ command: /usr/sbin/semanage login -D
+ when: selinux_logins_purge | bool
+
- name: Set linux user to SELinux user mapping
selogin:
login: "{{ item.login }}"
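Review bot: `semanage login -D` removes every local login mapping, including any mapping for the account Ansible connects as, right before `selogin` recreates the entries from `selinux_logins`; as with the other purges this is not limited to mappings absent from the desired list, so the deletion and re-creation of the connecting user's own mapping should be called out in the task name or a comment.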