Add the ability to *disable* an existing module #60
Comments
Unfortunately there is no support in selmodule type for disable. https://docs.puppet.com/puppet/latest/types/selmodule.html#selmodule-attribute-ensure
@TJM can you describe what benefit you see to the workaround of simply removing the module? What problem would it solve for you? Please comment within the next few days if you feel this is an important feature.
@vinzent - MySQL is the most common example, when trying to use Galera Cluster. If you just "remove" the mysql module, then each time the selinux packages are updated, they re-install and it makes the cluster fail. The module needs to be "present" but "disabled" in order to make sure that it doesn't "break" the cluster during package updates. It may be such that there needs to be an "upstream" bug, or a different type/provider? I am glad that someone is "looking" at this. Thanks,
@TJM I did see Galera and SELinux playing nicely. Needed just a small addition to the policy because of few not mysql-default paths (at least if I remember correctly). But nonetheless this sounds like a valid use case. At least there is some hope of a solution because
lists disabled modules on Fedora25. Need to verify with older semanage versions.
We had issues with the "mysql" and "rsync" modules, come to think of it, cause Galera tries to run rsync on a "non-standard" port. CentOS 6 supports disabled modules as well.
This might be quite non-trivial to implement. Essentially it seems we'd have to reimplement the selmodule type entirely... Which might happen eventually, anyway, considering how buggy it currently is. Additionally, semodule --list-modules behaves differently in newer versions which makes it harder to maintain backwards compatibility.
It would be nice if there was a way to disable an existing module, like:
semodule -d openvpn
maybe something like: