selinux_module force install mode
Opened this issue · 4 comments
🙍 Problem Statement
The "selinux_module" resource would skip the install if the module is already installed. So there is no way to install a new version without first removing the module. But removing the module can cause run-time issues.
❔ Possible Solution
This is a fundamental issue since RHEL8 "semodule -l" no longer provides the module version information. So any solution would assume the absence of the information. I ended up with a workaround.
- I save the downloaded policy .pp file.
- When the policy is installed, I create a ".pp.install_flag" file.
- I do a check whether the ".pp.install_flag" file is newer than the ".pp" file. If yes, skip the install; otherwise call the "selinux_module" resource.
But for this to work (to install the updated module), there needs to be a "force_install" mode for the "selinux_module" resource.
⤴️ Describe alternatives you've considered
I am not aware of any, and would welcome ideas.
➕ Additional context
If it's acceptable, I'll submit a PR to add the "force_install" flag.
Have you looked at the built-in resource in chef-client? https://docs.chef.io/resources/selinux_module/
Otherwise, what I've done in the past to help with idempotency for something like this is to write the config into a file resource. Then the file resource calls the custom resource with notifies and the desired action. Thus if the file's content changes due to module configuration changes, it triggers the update.
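The decision logic behind both approaches above (the issue's ".pp.install_flag" stamp and the comment's "re-install only when the file content changes"), as an added example in plain Ruby that is not code from the cookbook, the issue author or the commenter. It keys the stamp on a SHA-256 of the .pp rather than on mtime alone, and the actual install step is passed in as a callable (on a node this would be the `selinux_module` resource or a `semodule -i` call; here it is a stand-in so the logic runs without SELinux):

```ruby
require 'digest'
require 'tmpdir'

# Stamp file written beside the policy after a successful install
# (same "<name>.pp.install_flag" naming as in the issue).
def stamp_path(pp_path)
  "#{pp_path}.install_flag"
end

def policy_digest(pp_path)
  Digest::SHA256.file(pp_path).hexdigest
end

# True when the module was never stamped as installed, or when the .pp
# content differs from what was installed last time. Comparing digests
# instead of mtimes also catches a re-downloaded module whose timestamp
# did not move.
def install_needed?(pp_path)
  stamp = stamp_path(pp_path)
  return true unless File.exist?(stamp)
  File.read(stamp).strip != policy_digest(pp_path)
end

# Runs `installer` only when needed and records the digest afterwards.
# The stamp is written only after the install step returned without
# raising, so a failed install is retried on the next run instead of
# being silently marked as done. Returns true if an install happened.
def ensure_installed(pp_path, installer:)
  return false unless install_needed?(pp_path)
  installer.call(pp_path)
  File.write(stamp_path(pp_path), policy_digest(pp_path))
  true
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir|
    pp = File.join(dir, 'mypolicy.pp')
    File.write(pp, 'constructed placeholder, not a real policy module v1')
    log = []
    run = ->(path) { log << "semodule -i #{path}" }   # stand-in install step
    ensure_installed(pp, installer: run)               # installs
    ensure_installed(pp, installer: run)               # skipped, unchanged
    File.write(pp, 'constructed placeholder, not a real policy module v2')
    ensure_installed(pp, installer: run)               # installs new version
    puts log                                           # two semodule lines
  end
end
```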
@Stromweld Any further comments?