* Fwd: SElinux user tools 2.5 change
From: Daniel J Walsh @ 2016-06-30 21:47 UTC (permalink / raw)
To: Stephen Smalley, James Carter, Miroslav Grepl, Lukas Vrabec, SELinux
A customer is asking:
The SELinux userspace tools version 2.5 introduced a change to remove
the semodule version from the semodule -l output. This poses problems
for people (like us) who are using configuration management tools like
Puppet to manage SELinux modules – how is Puppet supposed to know which
version of the module is installed? Should it try to load the module
every time?
I have raised the issue with Puppet as
https://tickets.puppetlabs.com/browse/PUP-5649 but I believe the real
question should be, how is a config management system supposed to know
which version of a module to try to install?
Thanks for any assistance you can provide with this, and we will
continue to run in enforcing mode by default for RHEL 7+.
* Re: Fwd: SElinux user tools 2.5 change
From: Steve Lawrence @ 2016-07-01 2:19 UTC (permalink / raw)
To: Daniel J Walsh, Stephen Smalley, James Carter, Miroslav Grepl,
Lukas Vrabec, SELinux
On 06/30/2016 05:47 PM, Daniel J Walsh wrote:
> A customer is asking:
>
> The SELinux userspace tools version 2.5 introduced a change to remove the
> semodule version from the semodule -l output. This poses problems for people
> (like us) who are using configuration management tools like Puppet to manage
> SELinux modules – how is Puppet supposed to know which version of the module is
> installed? Should it try to load the module every time?
>
> I have raised the issue with Puppet as
> https://tickets.puppetlabs.com/browse/PUP-5649 but I believe the real question
> should be, how is a config management system supposed to know which version of a
> module to try to install?
>
> Thanks for any assistance you can provide with this, and we will continue to run
> in enforcing mode by default for RHEL 7+.
I would argue version numbers have never really meant anything. Nothing
forced you to update the module version when you made changes aside from
convention. So you could easily have two version 1.0's that are
completely different.
I imagine puppet and other configuration managers have some concept of
hash verification to determine what files are installed on the target
machine, and if they need to be updated to something else (similar to
git). That, to me, seems the better and more conclusive way to ensure
that the right modules are installed.
There is currently no API to get the hash of a module, but one could
manually hash the files that are in the policy store. If we need a more
user friendly method, I imagine it wouldn't be too difficult to add some
kind of hash to semodule -l output. Do either of those options seem
reasonable?
- Steve
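Steve's suggestion above is to key on a hash of the files in the policy store rather than on a version string that nothing enforces. The Python below is an added example, not code from the thread or from the SELinux userspace project, showing what a configuration manager could record and compare: one content fingerprint per installed module, computed over the files in that module's store directory. It assumes the store layout `/var/lib/selinux/<store>/active/modules/<priority>/<name>/` with files such as `cil`, `hll` and `lang_ext`, which the thread does not describe; the sample store it builds under a temporary directory is constructed and contains placeholder contents, not real policy.

```python
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path

# Assumed policy-store layout (not stated in the thread):
#   <store>/active/modules/<priority>/<module-name>/{cil,hll,lang_ext}
# The code below only relies on "one directory per installed module".
MODULES_SUBDIR = Path("active") / "modules"


def fingerprint_dir(module_dir: Path) -> str:
    """SHA-256 over every file under module_dir, visited in sorted path order.

    Both the relative file name and its content are length-prefixed, so a
    renamed file, or bytes moved between two files, changes the digest.
    """
    h = hashlib.sha256()
    for path in sorted(p for p in module_dir.rglob("*") if p.is_file()):
        rel = path.relative_to(module_dir).as_posix().encode()
        data = path.read_bytes()
        h.update(len(rel).to_bytes(4, "big") + rel)
        h.update(len(data).to_bytes(8, "big") + data)
    return h.hexdigest()


def store_fingerprints(store: Path) -> dict[str, str]:
    """Map module name -> fingerprint for every module in the store.

    Priority directories are visited in numeric order, so when the same
    module name exists at several priorities the highest one (the copy
    semodule actually uses) is the one that ends up in the map.
    """
    result: dict[str, str] = {}
    modules_root = store / MODULES_SUBDIR
    if not modules_root.is_dir():
        return result
    priorities = sorted(
        (d for d in modules_root.iterdir() if d.is_dir() and d.name.isdigit()),
        key=lambda d: int(d.name),
    )
    for prio_dir in priorities:
        for mod_dir in sorted(d for d in prio_dir.iterdir() if d.is_dir()):
            result[mod_dir.name] = fingerprint_dir(mod_dir)
    return result


def modules_to_reinstall(desired: dict[str, str], installed: dict[str, str]) -> list[str]:
    """Names whose installed fingerprint is missing or differs from the desired one."""
    return sorted(name for name, fp in desired.items() if installed.get(name) != fp)


def build_sample_store(root: Path) -> Path:
    """Write a small constructed store; file contents are placeholders, not real policy."""
    store = root / "targeted"
    samples = (("myapp", "(typeattribute myapp_t)\n"), ("legacy", "(type legacy_t)\n"))
    for name, cil in samples:
        mod_dir = store / MODULES_SUBDIR / "400" / name
        mod_dir.mkdir(parents=True, exist_ok=True)
        (mod_dir / "cil").write_text(cil)
        (mod_dir / "hll").write_bytes(b"constructed-placeholder-hll")
        (mod_dir / "lang_ext").write_text("cil\n")
    return store


if __name__ == "__main__":
    # Stand-alone demo: a manifest that expects a different build of "myapp"
    # than the one in the store, so only that module is flagged for reinstall.
    with tempfile.TemporaryDirectory() as tmp:
        store = build_sample_store(Path(tmp))
        installed = store_fingerprints(store)
        desired = dict(installed)
        desired["myapp"] = "0" * 64  # placeholder fingerprint of a newer build
        print(modules_to_reinstall(desired, installed))
```

A configuration manager would record `store_fingerprints()` on a host right after a known-good `semodule -i`, ship that map as the desired state, and on each run reinstall only what `modules_to_reinstall()` returns; on a real host the store argument would be a path such as `/var/lib/selinux/targeted`.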
* Re: Fwd: SElinux user tools 2.5 change
From: Daniel J Walsh @ 2016-07-02 12:43 UTC (permalink / raw)
To: Steve Lawrence, Stephen Smalley, James Carter, Miroslav Grepl,
Lukas Vrabec, SELinux
On 06/30/2016 07:19 PM, Steve Lawrence wrote:
> On 06/30/2016 05:47 PM, Daniel J Walsh wrote:
>> A customer is asking:
>>
>> The SELinux userspace tools version 2.5 introduced a change to remove the
>> semodule version from the semodule -l output. This poses problems for people
>> (like us) who are using configuration management tools like Puppet to manage
>> SELinux modules – how is Puppet supposed to know which version of the module is
>> installed? Should it try to load the module every time?
>>
>> I have raised the issue with Puppet as
>> https://tickets.puppetlabs.com/browse/PUP-5649 but I believe the real question
>> should be, how is a config management system supposed to know which version of a
>> module to try to install?
>>
>> Thanks for any assistance you can provide with this, and we will continue to run
>> in enforcing mode by default for RHEL 7+.
> I would argue version numbers have never really meant anything. Nothing
> forced you to update the module version when you made changes aside from
> convention. So you could easily have two version 1.0's that are
> completely different.
>
> I imagine puppet and other configuration managers have some concept of
> hash verification to determine what files are installed on the target
> machine, and if they need to be updated to something else (similar to
> git). That, to me, seems the better and more conclusive way to ensure
> that the right modules are installed.
>
> There is currently no API to get the hash of a module, but one could
> manually hash the files that are in the policy store. If we need a more
> user friendly method, I imagine it wouldn't be too difficult to add some
> kind of hash to semodule -l output. Do either of those options seem
> reasonable?
>
> - Steve
I can suggest that to the customer and get a change into semanage/semodule.