On Wed, 4 Jan 2017, Andy Mangion wrote:

I am using Ansible 2.2 and wanted to implement a step to set the SELinux
context of a file using the sefcontext module. After some work to get it to
work on RHEL 7, it is successfully writing the new rules I defined to the
local policy file; however, the files are still not getting the updates (doing
ls -Z still shows the old context on the file). Subsequently doing a
restorecon on the files would force restoration of the policy and hence
solve the issue, but I was wondering if this should somehow be included
as functionality of the sefcontext module. Also, I see that the module has a
reload option, which by default I'm leaving at True. What is the purpose of
this option exactly?

I can definitely fix the issue by explicitly running the restorecon command
through ansible, but I would like to understand if there is a better way
which I'm missing.

Hi,

I wrote the sefcontext module.

The sefcontext module is roughly the functionality that 'semanage fcontext' provides you. It allows you to add SELinux file context mappings to the internal database.

Now, the module is not intended to change file contexts based on the mapping, just as 'semanage fcontext' does not. (See man semanage)

As you said, you can do this with restorecon, or the file module, or simply making sure that you first create the required file contexts before you start using the locations, in which case the SELinux file contexts will be applied automatically to new files.

The reload option is there to reload the SELinux policy after making changes. And it is by default turned on because that's what most people would expect. (It makes the changes active immediately to be used)

PS: If the documentation was confusing, let me know what you would change to make things more obvious. I am all for improving things!

Kind regards,
--
Dag
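The three steps Dag describes (register the mapping with sefcontext, let the policy reload, then apply the mapping to files that already exist with restorecon or the file module) as one playbook. This is an added example, not from the thread, the sefcontext module documentation or Ansible itself; the host group, the path /srv/www, the file index.html and the type httpd_sys_content_t are assumptions chosen for illustration, and the module names are the unqualified forms used in the Ansible 2.2 era.

```yaml
# Added example playbook (not from the thread or the module docs).
# Assumptions: RHEL 7 with Ansible 2.2, an inventory group "webservers",
# a content tree under /srv/www that should carry httpd_sys_content_t.
- hosts: webservers
  become: yes
  tasks:
    # Step 1: add the mapping to the local policy database. This is the
    # equivalent of 'semanage fcontext -a -t httpd_sys_content_t "/srv/www(/.*)?"'.
    # reload: yes (the default) reloads the policy so the mapping is active,
    # but it does NOT relabel files that already exist.
    - name: Register the SELinux file context mapping for /srv/www
      sefcontext:
        target: '/srv/www(/.*)?'
        setype: httpd_sys_content_t
        state: present
        reload: yes

    # Step 2: apply the mapping to files that already exist. 'restorecon -v'
    # prints one line per file it relabels and nothing otherwise, so an empty
    # stdout means nothing changed.
    - name: Relabel existing files under /srv/www according to the new mapping
      command: restorecon -Rv /srv/www
      register: restorecon_out
      changed_when: restorecon_out.stdout != ""

    # Alternative for a single path: the file module can set the type directly
    # (this sets the label on the file itself; it does not touch the mapping).
    - name: Set the context on one file with the file module
      file:
        path: /srv/www/index.html
        setype: httpd_sys_content_t

    # Step 3: check the result the same way the question did, with ls -Z.
    - name: Verify the label now visible on the file
      command: ls -Z /srv/www/index.html
      register: ctx
      changed_when: false
      failed_when: "'httpd_sys_content_t' not in ctx.stdout"
```

Run with `ansible-playbook -i inventory sefcontext.yml`. The split between the first two tasks is the point of the reply: sefcontext (like semanage fcontext) only edits the mapping database and reloads the policy, so files created afterwards under /srv/www get the new type automatically, while files that predate the mapping keep their old label until restorecon or the file module relabels them.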

--
You received this message because you are subscribed to the Google Groups "Ansible 
Project" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/alpine.LRH.2.20.1701070411430.19483%40pikachu.3ti.be.