Fwd: SElinux user tools 2.5 change

From: Daniel J Walsh
Date: 2016-06-30 21:47 UTC
To: Stephen Smalley, James Carter, Miroslav Grepl, Lukas Vrabec, SELinux
In-Reply-To: <35737536-B901-44F9-8336-509CDA386932@wal-mart.com> (not in archive)

A customer is asking:

The SELinux userspace tools version 2.5 introduced a change to remove the
semodule version from the semodule -l output. This poses problems for people
(like us) who are using configuration management tools like Puppet to manage
SELinux modules – how is Puppet supposed to know which version of the module is
installed? Should it try to load the module every time?

I have raised the issue with Puppet as
https://tickets.puppetlabs.com/browse/PUP-5649 but I believe the real question
should be, how is a config management system supposed to know which version of a
module to try to install?

Thanks for any assistance you can provide with this, and we will continue to run
in enforcing mode by default for RHEL 7+.
Re: Fwd: SElinux user tools 2.5 change

From: Steve Lawrence
Date: 2016-07-01 2:19 UTC
To: Daniel J Walsh, Stephen Smalley, James Carter, Miroslav Grepl, Lukas Vrabec, SELinux

On 06/30/2016 05:47 PM, Daniel J Walsh wrote:
> A customer is asking:
>
> The SELinux userspace tools version 2.5 introduced a change to remove the
> semodule version from the semodule -l output. This poses problems for people
> (like us) who are using configuration management tools like Puppet to manage
> SELinux modules – how is Puppet supposed to know which version of the module is
> installed? Should it try to load the module every time?
>
> I have raised the issue with Puppet as
> https://tickets.puppetlabs.com/browse/PUP-5649 but I believe the real question
> should be, how is a config management system supposed to know which version of a
> module to try to install?
>
> Thanks for any assistance you can provide with this, and we will continue to run
> in enforcing mode by default for RHEL 7+.

I would argue version numbers have never really meant anything. Nothing
forced you to update the module version when you made changes aside from
convention. So you could easily have two version 1.0's that are
completely different.

I imagine puppet and other configuration managers have some concept of
hash verification to determine what files are installed on the target
machine, and if they need to be updated to something else (similar to
git). That, to me, seems the better and more conclusive way to ensure
that the right modules are installed.

There is currently no API to get the hash of a module, but one could
manually hash the files that are in the policy store. If we need a more
user friendly method, I imagine it wouldn't be too difficult to add some
kind of hash to semodule -l output. Do either of those options seem
reasonable?

- Steve
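The "hash the files in the policy store" approach Steve suggests, worked through as an added example (this is not code from the thread, from Puppet or from the SELinux userspace project). It assumes the libsemanage 2.5+ store layout, /var/lib/selinux/<store>/active/modules/<priority>/<name>/hll, where `hll` holds the module exactly as it was handed to semodule (a .pp or .cil file), bzip2-compressed unless semanage.conf turns compression off. A config manager can hash the decompressed `hll` and compare it with the hash of the module file it intends to deploy; the "version" declared by the module author never enters the decision. The two CIL modules below are constructed sample data, both nominally "mymod 1.0", differing by one allow rule; the helper names (`needs_install`, `build_fake_store`, `demo`) are this example's own.

```python
"""Content-hash idempotency check for SELinux modules (added example).

Assumed policy-store layout (libsemanage 2.5+, default store "targeted",
default priority for `semodule -i` is 400):
    /var/lib/selinux/<store>/active/modules/<priority>/<name>/hll
"""
import bz2
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Optional

DEFAULT_STORE_ROOT = Path("/var/lib/selinux")
BZ2_MAGIC = b"BZh"  # stream header written by bzip2


def module_hll_path(name: str, store: str = "targeted", priority: int = 400,
                    root: Path = DEFAULT_STORE_ROOT) -> Path:
    """Location of the installed module's high-level source in the store."""
    return root / store / "active" / "modules" / f"{priority:03d}" / name / "hll"


def _raw_module_bytes(data: bytes) -> bytes:
    """Undo the store's optional bzip2 compression so the hash covers the
    module bytes, not a compressor's output (block size can vary)."""
    return bz2.decompress(data) if data.startswith(BZ2_MAGIC) else data


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def installed_module_hash(name: str, **kw) -> Optional[str]:
    """SHA-256 of the installed module, or None if it is not in the store."""
    hll = module_hll_path(name, **kw)
    if not hll.is_file():
        return None
    return sha256_hex(_raw_module_bytes(hll.read_bytes()))


def needs_install(candidate: bytes, name: str, **kw) -> bool:
    """True when the module we want to deploy is absent or differs from the
    one in the store; the manager then runs `semodule -i`, otherwise it skips."""
    return installed_module_hash(name, **kw) != sha256_hex(candidate)


def build_fake_store(root: Path, modules: Dict[str, bytes],
                     store: str = "targeted", priority: int = 400,
                     compress: bool = True) -> None:
    """Populate a stand-in policy store for offline testing (constructed data)."""
    for name, src in modules.items():
        hll = module_hll_path(name, store, priority, root)
        hll.parent.mkdir(parents=True)
        hll.write_bytes(bz2.compress(src) if compress else src)


# Constructed sample: two modules their author would both call "mymod 1.0".
MYMOD_A = (b"(block mymod\n"
           b"  (type mymod_t)\n"
           b"  (roletype object_r mymod_t)\n"
           b")\n")
MYMOD_B = (b"(block mymod\n"
           b"  (type mymod_t)\n"
           b"  (roletype object_r mymod_t)\n"
           b"  (allow mymod_t self (file (read)))\n"
           b")\n")


def demo() -> dict:
    """Exercise the check against fake stores; returns the decisions taken."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "compressed"
        build_fake_store(root, {"mymod": MYMOD_A})
        root_plain = Path(tmp) / "plain"
        build_fake_store(root_plain, {"mymod": MYMOD_A}, compress=False)
        return {
            "same_content": needs_install(MYMOD_A, "mymod", root=root),
            "same_version_different_content": needs_install(MYMOD_B, "mymod", root=root),
            "not_installed": needs_install(MYMOD_A, "othermod", root=root),
            "installed_hash": installed_module_hash("mymod", root=root),
            "uncompressed_store_matches":
                installed_module_hash("mymod", root=root_plain) == sha256_hex(MYMOD_A),
        }


if __name__ == "__main__":
    for decision, value in demo().items():
        print(f"{decision}: {value}")
```

Hashing `hll` rather than the neighbouring `cil` file is deliberate: `cil` is generated from the module by the HLL compiler, so it can change after a libsepol upgrade even though the deployed module did not, which would trigger spurious reinstalls. Store compression is governed by the bzip-blocksize setting in semanage.conf, hence the magic-byte check instead of assuming one representation.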
Re: Fwd: SElinux user tools 2.5 change

From: Daniel J Walsh
Date: 2016-07-02 12:43 UTC
To: Steve Lawrence, Stephen Smalley, James Carter, Miroslav Grepl, Lukas Vrabec, SELinux

On 06/30/2016 07:19 PM, Steve Lawrence wrote:
> On 06/30/2016 05:47 PM, Daniel J Walsh wrote:
>> A customer is asking:
>>
>> The SELinux userspace tools version 2.5 introduced a change to remove the
>> semodule version from the semodule -l output. This poses problems for people
>> (like us) who are using configuration management tools like Puppet to manage
>> SELinux modules – how is Puppet supposed to know which version of the module is
>> installed? Should it try to load the module every time?
>>
>> I have raised the issue with Puppet as
>> https://tickets.puppetlabs.com/browse/PUP-5649 but I believe the real question
>> should be, how is a config management system supposed to know which version of a
>> module to try to install?
>>
>> Thanks for any assistance you can provide with this, and we will continue to run
>> in enforcing mode by default for RHEL 7+.
> I would argue version numbers have never really meant anything. Nothing
> forced you to update the module version when you made changes aside from
> convention. So you could easily have two version 1.0's that are
> completely different.
>
> I imagine puppet and other configuration managers have some concept of
> hash verification to determine what files are installed on the target
> machine, and if they need to be updated to something else (similar to
> git). That, to me, seems the better and more conclusive way to ensure
> that the right modules are installed.
>
> There is currently no API to get the hash of a module, but one could
> manually hash the files that are in the policy store. If we need a more
> user friendly method, I imagine it wouldn't be too difficult to add some
> kind of hash to semodule -l output. Do either of those options seem
> reasonable?
>
> - Steve

I can suggest that to the customer and get a change into semanage/semodule.