
selinux_module force install mode #118

Open
ywei2017 opened this issue Apr 15, 2024 · 4 comments
Labels
Feature Request Enhancement to existing functionality or new functionality

Comments

@ywei2017
Contributor

🙍 Problem Statement

The "selinux_module" resource would skip the install if the module is already installed. So there is no way to install a new version without first removing the module. But removing the module can cause runtime issues.

❔ Possible Solution

This is a fundamental issue since RHEL8 "semodule -l" no longer provides the module version information. So any solution would assume the absence of the information. I ended up with a workaround.

  1. I save the downloaded policy .pp file.
  2. When the policy is installed, I create a ".pp.install_flag" file.
  3. I do a check whether the ".pp.install_flag" file is newer than the ".pp" file. If yes, skip the install; otherwise call the "selinux_module" resource.

But for this to work (to install the updated module), there needs to be a "force_install" mode for the "selinux_module" resource.

⤴️ Describe alternatives you've considered

I am not aware of any, and would welcome ideas.

➕ Additional context

If it's acceptable, I'll submit a PR to add the "force_install" flag.

@ywei2017 ywei2017 added the Feature Request Enhancement to existing functionality or new functionality label Apr 15, 2024
@Stromweld
Contributor

Have you looked at the built-in resource in chef-client? https://docs.chef.io/resources/selinux_module/

@Stromweld
Contributor

Otherwise, what I've done in the past to help with idempotency for something like this is to write the config into a file resource. Then the file resource calls the custom resource with notifies and the desired action. Thus, if the file's content changes due to module configuration changes, it triggers the update.
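As an added example (not code from this issue, the selinux cookbook, or chef-client), the two idempotency checks discussed in the thread written as plain Ruby: the issue author's mtime stamp-file check, and a content-digest variant that approximates the file-resource-plus-notifies pattern from the comment above. The module name, the `.install_flag` file layout and the sample policy file are assumptions; the real `semodule -i` call is not performed.

```ruby
require "digest"
require "fileutils"
require "tmpdir"

# Decides whether an SELinux policy module (.pp) needs (re)installing without
# relying on "semodule -l" version output. Illustrative code, not cookbook code.
#  :mtime  - the issue author's workaround: touch a ".pp.install_flag" stamp after
#            install and reinstall when the .pp is newer than the stamp.
#  :digest - the second comment's content-driven idea, approximated outside Chef:
#            store the SHA-256 of the .pp at install, reinstall only if it changes.
module SelinuxPolicyInstall
  def self.flag_path(pp_path)
    "#{pp_path}.install_flag"
  end

  def self.install_needed?(pp_path, strategy: :mtime)
    raise ArgumentError, "policy file missing: #{pp_path}" unless File.file?(pp_path)
    flag = flag_path(pp_path)
    return true unless File.file?(flag) # no stamp: never installed by this check
    case strategy
    when :mtime  then File.mtime(pp_path) > File.mtime(flag) # .pp replaced since install
    when :digest then File.read(flag).strip != Digest::SHA256.file(pp_path).hexdigest
    else raise ArgumentError, "unknown strategy #{strategy.inspect}"
    end
  end

  # Records a successful install. Call it only after the real `semodule -i`
  # (not run here) succeeds, so a failed install does not suppress the retry.
  def self.mark_installed(pp_path, strategy: :mtime)
    flag = flag_path(pp_path)
    case strategy
    when :mtime  then FileUtils.touch(flag)
    when :digest then File.write(flag, Digest::SHA256.file(pp_path).hexdigest)
    else raise ArgumentError, "unknown strategy #{strategy.inspect}"
    end
    flag
  end
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir|
    policy = File.join(dir, "mypolicy.pp")
    File.write(policy, "constructed stand-in for a compiled policy module")
    puts "first run needs install:  #{SelinuxPolicyInstall.install_needed?(policy)}"
    SelinuxPolicyInstall.mark_installed(policy)
    puts "second run needs install: #{SelinuxPolicyInstall.install_needed?(policy)}"
  end
end
```

The mtime strategy re-installs whenever the `.pp` is re-downloaded, even with identical content, while the digest strategy only reacts to a content change; the stamp is written only after a successful install in both cases.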

@ywei2017
Contributor Author

ywei2017 commented Apr 16, 2024 via email

@ywei2017
Contributor Author

@Stromweld Any further comments?
