
Add the ability to *disable* an existing module

Open TJM opened this issue 9 years ago • 7 comments

It would be nice if there was a way to disable an existing module, like:

semodule -d openvpn

maybe something like:

selinux::module{'openvpn':
    ensure => 'disabled',
}

TJM avatar Oct 07 '15 17:10 TJM

Unfortunately there is no support in the selmodule type for disable.

https://docs.puppet.com/puppet/latest/types/selmodule.html#selmodule-attribute-ensure

vinzent avatar Dec 23 '16 08:12 vinzent

@TJM can you describe what benefit you see to the workaround of simply removing the module? What problem would it solve for you?

Please comment within the next few days if you feel this is an important feature.

vinzent avatar Jan 17 '17 07:01 vinzent

@vinzent - MySQL is the most common example, when trying to use Galera Cluster. If you just "remove" the mysql module, then each time the selinux packages are updated, they re-install and it makes the cluster fail. The module needs to be "present" but "disabled" in order to make sure that it doesn't "break" the cluster during package updates.

It may be such that there needs to be an "upstream" bug, or a different type/provider? I am glad that someone is "looking" at this.

Thanks, Tommy

TJM avatar Jan 17 '17 21:01 TJM

@TJM I did see galera and selinux playing nicely. Needed just a small addition to the policy because of a few non-mysql-default paths (at least if I remember correctly).

But nonetheless this sounds like a valid use case.

At least there is some hope of a solution because

$ sudo semanage module --list --locallist

Modulname                 Priorität Sprache

gear                      100       pp    Deaktiviert
sandbox                   400       pp    Deaktiviert

lists disabled modules on Fedora 25. Need to verify with older semanage versions.

vinzent avatar Jan 17 '17 21:01 vinzent

We had issues with the "mysql" and "rsync" modules, come to think of it, 'cause Galera tries to run rsync on a "non-standard" port. CentOS 6 supports disabled modules as well.

# semanage module --list | grep Disable
mysql                    1.11.3    Disabled
rsync                    1.9.1     Disabled

TJM avatar Jan 17 '17 21:01 TJM

@TJM please comment also on #178 which is about redesigning selinux::module params.

vinzent avatar Jan 17 '17 21:01 vinzent

This might be quite non-trivial to implement. Essentially it seems we'd have to reimplement the selmodule type entirely... Which might happen eventually, anyway, considering how buggy it currently is.

Additionally, semodule --list-modules behaves differently in newer versions which makes it harder to maintain backwards compatibility.

oranenj avatar Jan 29 '17 17:01 oranenj