Curious. Perhaps a global config setting for "prevent_apparent_useless_sudo" is needed.
IIRC, this caused problems with prompts in some cases -- but maybe it didn't and someone was optimizing something that didn't need to be optimized.

On Fri, Apr 4, 2014 at 11:42 AM, Dustin C. Hatch <[email protected]> wrote:

> On Fri, Apr 4, 2014 at 10:16 AM, Michael DeHaan <[email protected]> wrote:
> > "Unfortunately, it seems that
> > Ansible thinks it is smarter than I am, and refuses to run my modules
> > in sudo if the remote user is root, so everything fails with
> > permission denied errors."
> >
> > This is true because sudo to the same user causes problems on lots of
> > systems.
> >
> > This is the first I've heard of sudo to root from root giving different
> > behavior than being root.
> >
> > Can you share some more details about your SELinux policy configuration?
> >
> It's the default Gentoo strict policy. Essentially the problem is that
> when root logs in via ssh, it gets staff_r, and needs to transition to
> sysadm_r in order to actually do anything. Normally, one would use
> newrole to do the transition, but since root has no password, it can't
> authenticate. These machines have the following entry in sudoers:
>
> root ALL = (ALL) ROLE=sysadm_r TYPE=sysadm_t ALL
>
> This allows root to transition to sysadm_r in order to run commands,
> without needing to authenticate. It works perfectly from the command
> line, but since Ansible won't run through sudo, root can't get the
> sysadm_r role.
>
> --
> You received this message because you are subscribed to the Google Groups
> "Ansible Project" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To post to this group, send email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/ansible-project/CAP8b%3DdxJrA4Kpd7rK7T_Sct6o0Z5ux2cZNOdOu3ussj%3DzWc%2B9Q%40mail.gmail.com
> .
> For more options, visit https://groups.google.com/d/optout.
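
The case discussed in this thread, where sudo from root to root is not a no-op because the sudoers entry carries `ROLE=` and `TYPE=` tags, written out as an added example (not Ansible's code and not part of any message above). The function names, the `staff_t` type and the sample `id -Z` style contexts are constructed assumptions; the sudoers line is the one quoted in the thread.

```python
import re

# sudoers SELinux tags (ROLE=..., TYPE=...) that precede the command list.
_SELINUX_TAG = re.compile(r"\b(ROLE|TYPE)=(\S+)")


def parse_context(ctx):
    """Split an SELinux context 'user:role:type[:level]' into its fields."""
    parts = ctx.strip().split(":", 3)
    if len(parts) < 3:
        raise ValueError("not an SELinux context: %r" % ctx)
    level = parts[3] if len(parts) > 3 else None
    return {"user": parts[0], "role": parts[1], "type": parts[2], "level": level}


def sudoers_selinux_spec(line, user):
    """Return the ROLE/TYPE tags of a sudoers user spec for `user`, else {}."""
    line = line.strip()
    if not line or line.startswith("#") or line.split()[0] != user:
        return {}
    return dict(_SELINUX_TAG.findall(line))


def sudo_is_needed(remote_user, sudo_user, current_ctx, sudoers_lines):
    """Decide whether running through sudo changes anything.

    Comparing user names alone treats root -> root as useless. Here the
    SELinux role and type requested by sudoers are compared with the
    session's current context as well.
    """
    if remote_user != sudo_user:
        return True  # ordinary user change
    ctx = parse_context(current_ctx)
    for line in sudoers_lines:
        spec = sudoers_selinux_spec(line, remote_user)
        if spec.get("ROLE", ctx["role"]) != ctx["role"]:
            return True
        if spec.get("TYPE", ctx["type"]) != ctx["type"]:
            return True
    return False


# Sudoers entry quoted in the thread; the contexts below are constructed.
SUDOERS = ["root ALL = (ALL) ROLE=sysadm_r TYPE=sysadm_t ALL"]

if __name__ == "__main__":
    print(sudo_is_needed("root", "root", "root:staff_r:staff_t", SUDOERS))
    print(sudo_is_needed("root", "root", "root:sysadm_r:sysadm_t", SUDOERS))
```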
