Re: Policy module versioning

On 11/17/2016 07:41 PM, Steve Huston wrote:
> In the last few days I've upgraded a couple test systems to RHEL 7.3,
> and with that came a new version of policycoreutils (named 2.5-9.el7,
> up from 2.2.5-20).  I found where some time ago the 'semodule' command
> was modified to remove the version information from the output, which
> has an unintended side effect of breaking my puppet modules that
> maintain local selinux modules and verify the version running is equal
> to the one in the manifest.  The comment in the checkin (e599a4)
> states that CIL does not have a concept of versions, so it's being
> removed.

While CIL doesn't have versions, the majority of modules are still
installed from .pp and the original .pp file is stored in the SELinux
module store, so it's possible to show versions for these modules. There's
a planned update to revert the behavior of 'semodule -l' to show versions,
or '(null)' in the case of a CIL module; see
https://bugzilla.redhat.com/show_bug.cgi?id=1392573


> My question is, what is a good way to determine that the module that
> is installed and running matches the one in a specific .te file?  I
> could of course tell puppet to trigger a rebuild of the .pp file if
> the .te has been modified, but it seems without rebuilding and/or
> reinstalling every puppet run there's no good way to verify that the
> version in memory is the one I've intended.
> 

I wrote a simple how-to on comparing SELinux modules, see
https://plautrba.fedorapeople.org/blok/How-to-compare-two-SELinux-modules.html

It needs to extract a module from the store first, but it's basically
the same concept as directly using the
<store-root>/targeted/active/modules/400/my_module/hll file.

Note that in RHEL-7.3, store-root is set to /etc/selinux.

Petr
-- 
Petr Lautrbach
_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
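One way to do the check Steve asks for, following the store layout Petr describes, as an added example that is not code from the thread or from the blog post: build CIL from the .te file the same way semodule does at install time and compare it with the CIL kept in the store. It assumes the pp-to-CIL converter at /usr/libexec/selinux/hll/pp, the default install priority 400, and a `cil` file next to the `hll` file in the module's store directory.

```shell
#!/bin/sh
# Added example, not code from the thread. Check whether the module installed
# in the SELinux store was built from a given .te file, using the store layout
# from the mail: <store-root>/targeted/active/modules/<priority>/<name>/{hll,cil}.
STORE_ROOT="${STORE_ROOT:-/etc/selinux}"   # RHEL 7.3 store root, per the mail
PRIORITY="${PRIORITY:-400}"                # default priority used by semodule -i

# Build CIL from a .te the way semodule does at install time:
# checkmodule -> semodule_package -> the pp-to-CIL converter. Assumes the
# converter lives at /usr/libexec/selinux/hll/pp. Writes the CIL to $2.
te_to_cil() {
    tmp=$(mktemp -d) || return 2
    checkmodule -M -m -o "$tmp/m.mod" "$1" >/dev/null &&
        semodule_package -o "$tmp/m.pp" -m "$tmp/m.mod" &&
        /usr/libexec/selinux/hll/pp "$tmp/m.pp" "$2"
    rc=$?; rm -rf "$tmp"; return $rc
}

# Write the CIL the store holds for installed module $1 to $2.
# The store file is usually bzip2-compressed; fall back to a plain copy.
store_cil() {
    f="$STORE_ROOT/targeted/active/modules/$PRIORITY/$1/cil"
    [ -r "$f" ] || return 2
    if bzip2 -t "$f" 2>/dev/null; then bunzip2 -c "$f" > "$2"; else cat "$f" > "$2"; fi
}

# Normalize CIL before comparing: drop ';' comments and blank lines and squeeze
# whitespace, so a module that was only reformatted still compares equal.
normalize_cil() {
    sed -e 's/;.*$//' -e 's/[[:space:]][[:space:]]*/ /g' -e 's/^ //' -e 's/ $//' "$1" |
        grep -v '^$'
}

# 0 when the two CIL files carry the same statements, 1 otherwise.
cil_equal() {
    [ "$(normalize_cil "$1")" = "$(normalize_cil "$2")" ]
}

# Whole check for module name $1 against .te file $2:
# 0 = installed module matches, 1 = differs (diff printed), 2 = error.
check_module() {
    tmp=$(mktemp -d) || return 2
    if te_to_cil "$2" "$tmp/new.cil" && store_cil "$1" "$tmp/installed.cil"; then
        if cil_equal "$tmp/installed.cil" "$tmp/new.cil"; then rc=0
        else diff -u "$tmp/installed.cil" "$tmp/new.cil"; rc=1; fi
    else rc=2; fi
    rm -rf "$tmp"; return $rc
}

if [ "$#" -eq 2 ]; then check_module "$1" "$2"; fi   # usage: script NAME FILE.te
```

The exit code is what a configuration-management run wants: rebuild and reinstall only when it is 1, and treat 2 (module missing from the store or toolchain failure) as an error rather than a silent pass.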