On Fri, Apr 4, 2014 at 10:16 AM, Michael DeHaan <[email protected]> wrote:

> "Unfortunately, it seems that Ansible thinks it is smarter than I am, and refuses to run my modules in sudo if the remote user is root, so everything fails with permission denied errors."
>
> This is true because sudo to the same user causes problems on lots of systems.
>
> This is the first I've heard of sudo to root from root giving different behavior than being root.
>
> Can you share some more details about your SELinux policy configuration?

It's the default Gentoo strict policy. Essentially the problem is that when root logs in via ssh, it gets staff_r, and needs to transition to sysadm_r in order to actually do anything. Normally, one would use newrole to do the transition, but since root has no password, it can't authenticate. These machines have the following entry in sudoers:

    root ALL = (ALL) ROLE=sysadm_r TYPE=sysadm_t ALL

This allows root to transition to sysadm_r in order to run commands, without needing to authenticate. It works perfectly from the command line, but since Ansible won't run through sudo, root can't get the sysadm_r role.

-- 
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To post to this group, send email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/CAP8b%3DdxJrA4Kpd7rK7T_Sct6o0Z5ux2cZNOdOu3ussj%3DzWc%2B9Q%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.
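The message above relies on a sudoers rule carrying SELinux ROLE= and TYPE= options to move a staff_r login into sysadm_r. From an auditing standpoint it is worth knowing which sudoers entries grant such a role transition and whether the calling session actually needs one. The following is an added example, not code from the thread, from Ansible, or from the Gentoo policy: it parses constructed sudoers lines (the sample text is made up for this example) and an SELinux context string of the form the `id -Z` command prints (`user:role:type:level`), and reports the rules that hand out a given role. Function names, the sample lines and the simplified sudoers grammar (one rule per line, no aliases, no line continuations) are assumptions of this example.

```python
import re

# Constructed /etc/sudoers excerpt for this example; not taken from any real host.
SAMPLE_SUDOERS = """\
# constructed sample
Defaults env_reset
root    ALL = (ALL) ROLE=sysadm_r TYPE=sysadm_t ALL
alice   ALL = (root) NOPASSWD: ROLE=sysadm_r TYPE=sysadm_t /usr/sbin/service
bob     ALL = (ALL) ALL
"""

# user  host = (runas) [tags/options...] command(s)
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<rest>.+)$"
)


def parse_sudoers(text):
    """Parse simple sudoers rules into dicts with user, host, runas,
    SELinux role/type options, tags (NOPASSWD etc.) and the command list."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments
        if not line or line.startswith("Defaults"):
            continue                                # skip blanks and Defaults
        m = RULE_RE.match(line)
        if not m:
            continue                                # aliases etc. are out of scope here
        opts, tags, cmds = {}, set(), []
        for tok in m.group("rest").split():
            if tok.endswith(":") and tok[:-1].isupper():
                tags.add(tok[:-1])                  # NOPASSWD:, SETENV:, ...
            elif "=" in tok and tok.split("=", 1)[0].isupper():
                key, val = tok.split("=", 1)        # ROLE=..., TYPE=...
                opts[key] = val
            else:
                cmds.append(tok)
        rules.append({
            "user": m.group("user"),
            "host": m.group("host"),
            "runas": m.group("runas") or "",
            "role": opts.get("ROLE"),
            "type": opts.get("TYPE"),
            "tags": tags,
            "cmds": " ".join(cmds),
        })
    return rules


def parse_context(ctx):
    """Split an SELinux context string (as printed by `id -Z`) into its fields.
    The level field may itself contain colons, so split at most three times."""
    parts = ctx.strip().split(":", 3)
    if len(parts) < 3:
        raise ValueError("not an SELinux context: %r" % ctx)
    user, role, stype = parts[:3]
    level = parts[3] if len(parts) == 4 else ""
    return {"user": user, "role": role, "type": stype, "level": level}


def needs_transition(ctx, required_role="sysadm_r"):
    """True when the session's current role is not the required one,
    i.e. a newrole/sudo role change would be needed before admin work."""
    return parse_context(ctx)["role"] != required_role


def role_transition_grants(rules, role="sysadm_r"):
    """Return (user, runas, passwordless) for every rule granting `role`.
    `passwordless` reflects only an explicit NOPASSWD tag on the rule."""
    return [
        (r["user"], r["runas"], "NOPASSWD" in r["tags"])
        for r in rules
        if r["role"] == role
    ]


if __name__ == "__main__":
    rules = parse_sudoers(SAMPLE_SUDOERS)
    for user, runas, nopw in role_transition_grants(rules):
        print("%s may obtain sysadm_r as (%s)%s" % (user, runas, ", NOPASSWD" if nopw else ""))
    # Constructed context resembling a staff_r ssh login described in the thread.
    print("transition needed:", needs_transition("root:staff_r:staff_t:s0-s0:c0.c1023"))
```

`role_transition_grants` only reports the NOPASSWD tag literally present on a rule; as the thread notes, root may still run the rule without authenticating for other reasons, so a review should read the rule together with the host's sudo defaults rather than trusting the tag alone.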
