Selinux port ensure => absent does not work with port_range
myMarck opened this issue · 2 comments
Affected Puppet, Ruby, OS and module versions/distributions
- Puppet: 5.5.x
- Ruby:
- Distribution: CentOS
- Module version: 3.2.0
How to reproduce (e.g. Puppet code you use)
This example is based on mongo:

```
semanage port -l | grep mongo
mongod_port_t tcp 27017-27019, 28017-28019
```

```puppet
selinux::port { 'mongo_port [27017,27019]':
  ensure     => 'absent',
  seltype    => 'mongod_port_t',
  protocol   => 'tcp',
  port_range => [27017,27019],
}
```
What are you seeing
Nothing happens
What behaviour did you expect instead
```
semanage port -l | grep mongo
mongod_port_t tcp 28017-28019
```
Output log
This is from the debug log:

```
Debug: /Stage[main]/Selinux::Config/before: before to Selinux::Port[mongo_port [27017,27019]]
Debug: /Stage[main]/My_mongodb::Install/Selinux::Port[mongo_port [27017,27019]]/before: before to Anchor[selinux::module pre]
```
Any additional information you'd like to impart
@myMarck are those port definitions local modifications using a previous Puppet manifest or in the system policy? The SELinux module can't remove system definitions, only local customizations.
If you want to change the port definitions, you can add a definition that assigns the ports to some other SELinux type.
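A way to verify the point made in the comment above before expecting `ensure => 'absent'` to do anything, as an added example that is not part of the issue or of the puppet-selinux module: `semanage port -l -C` lists only local customizations, so a range that is missing from that listing is defined by the system policy and the module cannot delete it. The listing below is constructed sample output for the mongo case; on a real host the function falls back to running `semanage` itself.

```shell
#!/bin/sh
# Constructed sample of `semanage port -l -C` (local customizations only).
# Here 28017-28019 was added locally; 27017-27019 comes from the system policy
# and therefore does not appear in the -C listing.
SAMPLE_LOCAL='SELinux Port Type              Proto    Port Number

mongod_port_t                  tcp      28017-28019
'

# port_is_local TYPE PROTO RANGE [LISTING]
# Exit 0 if TYPE/PROTO/RANGE is a local customization, 1 otherwise.
# LISTING is optional; without it the real `semanage port -l -C` is queried.
port_is_local() {
  type=$1; proto=$2; range=$3
  listing=${4:-$(semanage port -l -C 2>/dev/null)}
  printf '%s\n' "$listing" | awk -v t="$type" -v p="$proto" -v r="$range" '
    $1 == t && $2 == p {
      # fields from $3 onward are comma-separated ranges, e.g. "27017-27019,"
      for (i = 3; i <= NF; i++) { sub(/,$/, "", $i); if ($i == r) found = 1 }
    }
    END { exit found ? 0 : 1 }'
}

# explain TYPE PROTO RANGE [LISTING]: print what ensure => absent can do.
explain() {
  if port_is_local "$@"; then
    echo "$1 $2 $3: local customization, ensure => absent can remove it"
  else
    echo "$1 $2 $3: system policy definition, ensure => absent is a no-op;" \
         "assign the range to another seltype instead"
  fi
}

explain mongod_port_t tcp 27017-27019 "$SAMPLE_LOCAL"
explain mongod_port_t tcp 28017-28019 "$SAMPLE_LOCAL"
```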