sous-chefs / selinux

Development repository for the selinux cookbook
https://supermarket.chef.io/cookbooks/selinux
Apache License 2.0

selinux_module force install mode #118

Open ywei2017 opened 4 months ago

ywei2017 commented 4 months ago

:frowning_person: Problem Statement

The "selinux_module" resource would skip the install if the module is already installed. So there is no way to install a new version without first removing the module. But removing the module can cause runtime issues.

:grey_question: Possible Solution

This is a fundamental issue, since on RHEL 8 "semodule -l" no longer provides the module version information. So any solution would have to assume the absence of that information. I ended up with a workaround.

  1. I save the downloaded policy .pp file.
  2. When the policy is installed, I create a ".pp.install_flag" file.
  3. I do a check whether the ".pp.install_flag" file is newer than the ".pp" file. If yes, skip the install; otherwise call the "selinux_module" resource.

But for this to work (to install the updated module), there needs to be a "force_install" mode for the "selinux_module" resource.

:arrow_heading_up: Describe alternatives you've considered

I am not aware of any, and would welcome ideas.

:heavy_plus_sign: Additional context

If it's acceptable, I will submit a PR to add the "force_install" flag.
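The timestamp check behind the three-step workaround above, written out as plain Ruby. This is an added example, not code from the selinux cookbook; `installer` is a hypothetical callable standing in for whatever performs the install (in a recipe, that would be the notified `selinux_module` resource), and the sentinel is only written after a successful install so a failed run is retried.

```ruby
require 'fileutils'

# Added example (not cookbook code): reinstall is needed when the downloaded
# .pp is newer than the ".pp.install_flag" sentinel, or the sentinel is missing.
def module_install_needed?(pp_path, flag_path = "#{pp_path}.install_flag")
  raise ArgumentError, "policy file #{pp_path} not found" unless File.file?(pp_path)
  return true unless File.file?(flag_path)

  File.mtime(pp_path) > File.mtime(flag_path)
end

# Runs `installer` (hypothetical callable returning true on success) only when
# needed. The sentinel is touched only after success, so a failed install is
# retried on the next run instead of being masked by a stale flag.
def ensure_module_installed(pp_path, installer, flag_path = "#{pp_path}.install_flag")
  return :skipped unless module_install_needed?(pp_path, flag_path)
  return :failed unless installer.call(pp_path)

  FileUtils.touch(flag_path)
  # On coarse-grained filesystem timestamps the flag could end up equal to the
  # .pp mtime; force it strictly newer so the next run is correctly skipped.
  if File.mtime(flag_path) <= File.mtime(pp_path)
    File.utime(Time.now, File.mtime(pp_path) + 1, flag_path)
  end
  :installed
end
```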

Stromweld commented 4 months ago

Have you looked at the built-in resource in chef-client? https://docs.chef.io/resources/selinux_module/

Stromweld commented 4 months ago

Otherwise, what I've done in the past to help with idempotency for something like this is to write the config into a file resource. Then the file resource calls the custom resource with notifies and the desired action. Thus, if the file's content changes due to module configuration changes, it triggers the update.

ywei2017 commented 4 months ago

We are not using the built-in module resource, since we are on an older version of Chef.

The notification is a good idea. Would that also need the force_install switch?

Thanks

On Mon, Apr 15, 2024 at 2:41 PM Corey Hemminger @.***> wrote:

Otherwise, what I've done in the past to help with idempotency for something like this is to write the config into a file resource. Then the file resource calls the custom resource with notifies and the desired action. Thus, if the file's content changes due to module configuration changes, it triggers the update.


ywei2017 commented 4 months ago

@Stromweld Any further comments?