puppet-selinux
Selinux port ensure => absent does not work with port_range
Affected Puppet, Ruby, OS and module versions/distributions
- Puppet: 5.5.x
- Ruby:
- Distribution: CentOS
- Module version: 3.2.0
How to reproduce (e.g. Puppet code you use)
This example is based on mongo
    semanage port -l | grep mongo
    mongod_port_t tcp 27017-27019, 28017-28019

    selinux::port { 'mongo_port [27017,27019]':
      ensure     => 'absent',
      seltype    => 'mongod_port_t',
      protocol   => 'tcp',
      port_range => [27017,27019],
    }
What are you seeing
Nothing happens
What behaviour did you expect instead
    semanage port -l | grep mongo
    mongod_port_t tcp 28017-28019
Output log
This is from debug log

    Debug: /Stage[main]/Selinux::Config/before: before to Selinux::Port[mongo_port [27017,27019]]
    Debug: /Stage[main]/My_mongodb::Install/Selinux::Port[mongo_port [27017,27019]]/before: before to Anchor[selinux::module pre]
Any additional information you'd like to impart
@myMarck are those port definitions local modifications using a previous Puppet manifest or in the system policy? The SELinux module can't remove system definitions, only local customizations.
If you want to change the port definitions, you can add a definition that assigns the ports to some other SELinux type.
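
The distinction raised in the reply above (local customization versus system policy definition) can be checked by comparing the full `semanage port -l` listing with the local-only listing from `semanage port -l -C`. The script below is an added example, not part of the issue thread or the module's code; the function names are hypothetical and both sample listings are constructed for illustration.

```shell
#!/bin/sh
# has_port_def TYPE PROTO RANGE
# Reads `semanage port -l` style output on stdin; returns 0 when RANGE
# (a single port or an exact "low-high" range) is listed for TYPE/PROTO.
# Matching is exact: an overlapping but different range does not match.
has_port_def() {
    awk -v t="$1" -v p="$2" -v r="$3" '
        $1 == t && $2 == p {
            # Fields 3..NF hold the comma-separated ports and ranges.
            for (i = 3; i <= NF; i++) {
                item = $i
                sub(/,$/, "", item)
                if (item == r) found = 1
            }
        }
        END { exit(found ? 0 : 1) }
    '
}

# classify_port_def TYPE PROTO RANGE FULL_LISTING LOCAL_LISTING
# Prints "local" (a local customization, removable), "policy" (defined
# by the system policy, not removable as a customization) or "absent".
classify_port_def() {
    if printf '%s\n' "$5" | has_port_def "$1" "$2" "$3"; then
        echo local
    elif printf '%s\n' "$4" | has_port_def "$1" "$2" "$3"; then
        echo policy
    else
        echo absent
    fi
}

# Constructed sample listings (assumption: not taken from the reporter's host).
SAMPLE_FULL='SELinux Port Type              Proto    Port Number

http_port_t                    tcp      8088, 80, 443
mongod_port_t                  tcp      27017-27019, 28017-28019'
SAMPLE_LOCAL='SELinux Port Type              Proto    Port Number

http_port_t                    tcp      8088'

# On a live host, pass the real listings instead of the samples:
#   classify_port_def mongod_port_t tcp 27017-27019 \
#       "$(semanage port -l)" "$(semanage port -l -C)"
```

A result of `policy` means `ensure => 'absent'` has no local customization to delete, which matches the "nothing happens" behaviour reported above.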