----- Original Message -----
From: "Steve Huston" <huston(a)astro.princeton.edu>
To: selinux(a)lists.fedoraproject.org
Sent: Thursday, November 17, 2016 1:41:51 PM
Subject: Policy module versioning

In the last few days I've upgraded a couple test systems to RHEL 7.3,
and with that came a new version of policycoreutils (named 2.5-9.el7,
up from 2.2.5-20). I found where some time ago the 'semodule' command
was modified to remove the version information from the output, which
has an unintended side effect of breaking my puppet modules that
maintain local selinux modules and verify the version running is equal
to the one in the manifest. The comment in the checkin (e599a4)
states that CIL does not have a concept of versions, so it's being
removed.

My question is, what is a good way to determine that the module that
is installed and running matches the one in a specific .te file? I
could of course tell puppet to trigger a rebuild of the .pp file if
the .te has been modified, but it seems without rebuilding and/or
reinstalling every puppet run there's no good way to verify that the
version in memory is the one I've intended.

This would depend on the priority of the module:

semodule -lfull

More info available here:
http://blog-bachradsusi.rhcloud.com/2015/06/05/selinux-modules-priority/
--
Steve Huston - W2SRH - Unix Sysadmin, PICSciE/CSES & Astrophysical Sci
Princeton University | ICBM Address: 40.346344 -74.652242
345 Lewis Library |"On my ship, the Rocinante, wheeling through
Princeton, NJ 08544 | the galaxies; headed for the heart of Cygnus,
(267) 793-0852 | headlong into mystery." -Rush, 'Cygnus X-1'
--
Simon Sekidde * Red Hat, Inc. * Tyson's Corner, VA
gpg: 5848 958E 73BA 04D3 7C06 F096 1BA1 2DBF 94BC 377E
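
Added example, not part of either message: a shell check that a configuration-management run could use on the output of `semodule -lfull` to confirm that a local module's effective (highest-priority) entry sits at the expected priority and is enabled. The module names `localmod` and `oldlocal`, the function names, and the sample listing are constructed; the listing assumes the column layout priority, name, language, optional `disabled`. It checks priority and state only, not whether the module contents match a given .te file.

```shell
#!/bin/sh
# Constructed sample standing in for `semodule -lfull` output.
# Assumed columns: priority, module name, language, optional "disabled".
sample_listing() {
cat <<'EOF'
100 abrt      pp
100 localmod  pp
400 localmod  pp
400 oldlocal  pp disabled
EOF
}

# effective_entry NAME
# Reads a listing on stdin and prints "priority lang state" for the
# highest-priority entry of NAME, which is the one that takes effect.
# Returns 1 if NAME is not listed at any priority.
effective_entry() {
    awk -v name="$1" '
        $2 == name && ($1 + 0) >= best {
            best  = $1 + 0
            lang  = $3
            state = ($4 == "disabled") ? "disabled" : "enabled"
            found = 1
        }
        END {
            if (!found) exit 1
            printf "%d %s %s\n", best, lang, state
        }
    '
}

# check_module NAME PRIORITY
# Succeeds only if the effective entry for NAME is at PRIORITY and enabled.
# Fails if the module is absent, disabled, or overridden at another priority.
check_module() {
    want=$2
    entry=$(effective_entry "$1") || return 1
    prio=${entry%% *}
    state=${entry##* }
    [ "$prio" -eq "$want" ] && [ "$state" = "enabled" ]
}

# Demo on the constructed listing; on a real host, pipe `semodule -lfull` in.
sample_listing | effective_entry localmod
```

On a real system the call would be `semodule -lfull | check_module localmod 400`, with the exit status deciding whether the module needs reinstalling.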