Use selinux facts to compare module checksums before copying to a node #144

bachradsusi · 2023-01-30T20:14:32Z

Should address #142

This is early development version which already supports standard cases on rhel8.-6 and later.

Even though it still needs to be finished, I'd appreciate any early feedback.

library/selinux_modules_facts.py

richm · 2023-01-30T20:53:28Z

tasks/main.yml

@@ -115,10 +115,9 @@
 - name: Load SELinux modules
  include_tasks: selinux_load_module.yml
  vars:
-    name: "{{ item.name | default('') }}"
+    name: "{{ item.name | default( item.path | basename | splitext | first ) }}"


Suggested change

name: "{{ item.name | default( item.path | basename | splitext | first ) }}"

name: "{{ item.name | default(item.path | basename | splitext | first) }}"

tasks/main.yml

tasks/selinux_load_module.yml

tests/tests_selinux_modules.yml

library/selinux_modules_facts.py

tasks/selinux_load_module.yml

richm · 2023-01-31T18:35:57Z

[citest]

richm · 2023-02-01T00:16:02Z

You'll need to rebase now that #145 is merged which should fix the CI test issues

richm · 2023-02-01T00:16:31Z

Also, if you really need to use become for some reason, see #145 for some alternatives.

- generate facts using libsemanage instead of spawning `semodule` - add modules checksum Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>

Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>

bachradsusi · 2023-02-01T10:00:54Z

[citest]

richm · 2023-02-01T13:46:37Z

[citest]

bachradsusi · 2023-02-01T14:06:42Z

Is there a way to get previous results? Ive waited for them several hours and now they're gone :)

richm · 2023-02-01T14:17:23Z

Is there a way to get previous results? Ive waited for them several hours and now they're gone :)

It's possible, but not easy. What I can tell you is that in the previous run all of the tests passed except for RHEL-9.2/ansible-2.14, RHEL-7.9/ansible-2.14, RHEL-6.10/ansible-2.9, Fedora-36/ansible-2.14
All of these look like a problem with the ci system, not with the selinux role, which is why I'm re-running to see if they pass. Looks like rhel6 has an issue with other roles so may have to cancel that one.

bachradsusi · 2023-02-01T14:35:50Z

ok

richm · 2023-02-01T15:26:52Z

@bachradsusi I think this is ready - do you want to remove the WIP?

bachradsusi · 2023-02-01T17:52:59Z

selinux_modules_facts module returns empty installed modules on rhel6:

10.0.137.51 | SUCCESS => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/bin/python",
        "selinux_checksums": true,
        "selinux_installed_modules": {},
        "selinux_priorities": false
    },
    "changed": false
}

Given that the libsemanage checksum is not supported on rhel6 and that the role doesn't use it, it's probably not a big deal but I guess I should fix it before it's merged.

- fallback to semanage_module_list() when there's no semanage_module_list_all() - use priority 0 when libsemanage does not support it

library/selinux_modules_facts.py

-        ).communicate()
+    checksums = True
+    try:
+        r, modinfo, num_modules = semanage.semanage_module_list_all(sh)


bachradsusi · 2023-02-02T10:14:58Z

[citest]

bachradsusi · 2023-02-02T13:40:53Z

I think it's ready.

[1.5.3] - 2023-02-02 -------------------- ### New Features - none ### Bug Fixes - Use selinux facts to compare module checksums before copying to a node (linux-system-roles#144) ### Other Changes - do not use 'become' in tests, examples (linux-system-roles#145) Signed-off-by: Rich Megginson <rmeggins@redhat.com>

[1.5.3] - 2023-02-02 -------------------- ### New Features - none ### Bug Fixes - Use selinux facts to compare module checksums before copying to a node (#144) ### Other Changes - do not use 'become' in tests, examples (#145) Signed-off-by: Rich Megginson <rmeggins@redhat.com>

github-advanced-security bot found potential problems Jan 30, 2023

View reviewed changes

library/selinux_modules_facts.py Fixed Show fixed Hide fixed