
Add the ability to *disable* an existing module #60

Open
TJM opened this issue Oct 7, 2015 · 7 comments
Labels
enhancement New feature or request
Milestone

Comments

@TJM
Contributor

TJM commented Oct 7, 2015

It would be nice if there was a way to disable an existing module, like:

semodule -d openvpn

maybe something like:

selinux::module{'openvpn':
    ensure => 'disabled',
}
@vinzent
Contributor

vinzent commented Dec 23, 2016

Unfortunately there is no support in the selmodule type for disable.

https://docs.puppet.com/puppet/latest/types/selmodule.html#selmodule-attribute-ensure

@vinzent
Contributor

vinzent commented Jan 17, 2017

@TJM can you describe what benefit you see over the workaround of simply removing the module? What problem would it solve for you?

Please comment within the next few days if you feel this is an important feature.

@vinzent vinzent added the enhancement New feature or request label Jan 17, 2017
@TJM
Contributor Author

TJM commented Jan 17, 2017

@vinzent - MySQL is the most common example, when trying to use Galera Cluster. If you just "remove" the mysql module, then each time the selinux packages are updated, they re-install it and it makes the cluster fail. The module needs to be "present" but "disabled" in order to make sure that it doesn't "break" the cluster during package updates.

It may be such that there needs to be an "upstream" bug, or a different type/provider? I am glad that someone is "looking" at this.

Thanks,
Tommy

@vinzent
Contributor

vinzent commented Jan 17, 2017

@TJM I did see galera and selinux playing nicely. It needed just a small addition to the policy because of a few non-mysql-default paths (at least if I remember correctly).

But nonetheless this sounds like a valid use case.

At least there is some hope of a solution because

$ sudo semanage module --list --locallist

Module name               Priority  Language

gear                      100       pp    Disabled
sandbox                   400       pp    Disabled

lists disabled modules on Fedora 25. Need to verify with older semanage versions.

@vinzent vinzent added this to the 2.x.y milestone Jan 17, 2017
@TJM
Contributor Author

TJM commented Jan 17, 2017

We had issues with the "mysql" and "rsync" modules, come to think of it, because Galera tries to run rsync on a "non-standard" port. CentOS 6 supports disabled modules as well.

# semanage module --list | grep Disable
mysql                    1.11.3    Disabled
rsync                    1.9.1     Disabled

@vinzent
Contributor

vinzent commented Jan 17, 2017

@TJM please comment also on #178 which is about redesigning selinux::module params.

@oranenj
Contributor

oranenj commented Jan 29, 2017

This might be quite non-trivial to implement. Essentially it seems we'd have to reimplement the selmodule type entirely... which might happen eventually anyway, considering how buggy it currently is.

Additionally, semodule --list-modules behaves differently in newer versions which makes it harder to maintain backwards compatibility.
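The format difference oranenj mentions is the crux of any provider for this feature, so here is an added Ruby example (not part of the original issue or of the puppet-selinux module) that parses both `semanage module --list` layouts shown in this thread: the CentOS 6 name/version/state form and the Fedora 25 name/priority/language/state form. It then makes the idempotency decision a provider for `ensure => disabled` would make, returning the `semodule` command needed (or nothing). The sample output is constructed from the listings above; the function names, the `SemModule` struct and the assumption that semanage is run under an English (`LC_ALL=C`) locale are mine.

```ruby
# Parse the two `semanage module --list` layouts seen in practice and decide
# what an idempotent "ensure" for an SELinux policy module has to run.
#
# Assumption (mine): semanage is invoked with LC_ALL=C so the state column
# reads "Disabled"; the localized Fedora output in the thread would need the
# translated word added to DISABLED_WORD.

SemModule = Struct.new(:name, :priority, :version, :lang, :enabled)

DISABLED_WORD = /\Adisabled\z/i

# Constructed sample: CentOS 6 style (name, version, optional state).
SAMPLE_CENTOS6 = <<~OUT
  abrt                     1.2.0
  mysql                    1.11.3    Disabled
  rsync                    1.9.1     Disabled
OUT

# Constructed sample: priority-based style (Fedora 25 / CentOS 7, with header).
SAMPLE_FEDORA25 = <<~OUT
  Module Name               Priority  Language
  abrt                      100       pp
  gear                      100       pp    Disabled
  openvpn                   100       pp
  sandbox                   400       pp    Disabled
OUT

# Returns { name => SemModule }. In both formats the state column is only
# present for disabled modules, so we peel it off the end before deciding
# which layout the remaining columns belong to.
def parse_module_list(text)
  modules = {}
  text.each_line do |line|
    fields = line.strip.split(/\s+/)
    next if fields.empty?
    next if fields.first =~ /\A(Module|Modulname)\z/ # header of the newer format

    name = fields.shift
    enabled = true
    if fields.last && fields.last =~ DISABLED_WORD
      enabled = false
      fields.pop
    end

    if fields.size == 2 && fields[0] =~ /\A\d+\z/
      # newer format: <name> <priority> <language>
      modules[name] = SemModule.new(name, fields[0].to_i, nil, fields[1], enabled)
    elsif fields.size == 1
      # CentOS 6 format: <name> <version>
      modules[name] = SemModule.new(name, nil, fields[0], nil, enabled)
    else
      raise ArgumentError, "unrecognised semanage line: #{line.inspect}"
    end
  end
  modules
end

# Decide the command needed to reach the desired state, or nil when the
# module already matches. `semodule -d`/`-e` are the disable/enable flags
# the thread refers to; `-r` removes the module outright.
def module_command(modules, name, ensure_state)
  mod = modules[name]
  case ensure_state
  when :absent
    mod ? ['semodule', '-r', name] : nil
  when :disabled
    raise ArgumentError, "module #{name} is not installed" unless mod
    mod.enabled ? ['semodule', '-d', name] : nil
  when :enabled
    raise ArgumentError, "module #{name} is not installed" unless mod
    mod.enabled ? nil : ['semodule', '-e', name]
  else
    raise ArgumentError, "unknown ensure value #{ensure_state.inspect}"
  end
end

if $PROGRAM_NAME == __FILE__
  [SAMPLE_CENTOS6, SAMPLE_FEDORA25].each do |sample|
    mods = parse_module_list(sample)
    mods.each_value { |m| puts "#{m.name}: #{m.enabled ? 'enabled' : 'disabled'}" }
    puts "mysql -> #{module_command(mods, 'mysql', :disabled).inspect}" if mods['mysql']
    puts "gear  -> #{module_command(mods, 'gear', :enabled).inspect}" if mods['gear']
  end
end
```

Because the "Disabled" column is stripped before the layout is classified, the same function works on both outputs, and a provider built on it can keep the module installed but disabled across policy package updates, which is exactly the Galera case TJM describes.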

3 participants