Thanks sir; that makes sense. It appears my question was more due to my limited experience in selinux rather than poor documentation so I wouldn't suggest a change in documentation for now.
Regards,
Andy

On Saturday, 7 January 2017 04:20:16 UTC+1, Dag Wieers wrote:
> On Wed, 4 Jan 2017, Andy Mangion wrote:
>
> > I am using Ansible 2.2 and wanted to implement a step to set a selinux
> > context of a file using the sefcontext module. After some work to get it to
> > work on RHEL 7, it is successfully writing to the local policy file the new
> > rules I defined; however, the files are still not getting the updates (doing
> > ls -Z still shows the old context on the file). Subsequently doing a
> > restorecon on the files would force restoration of the policy and hence
> > solve the issue, but I was wondering if this should somehow be included
> > as functionality of the sefcontext module. Also, I see that the module has a
> > reload option, which by default I'm leaving to True; what is the purpose of
> > this option exactly?
> >
> > I can definitely fix the issue by explicitly running the restorecon command
> > through ansible, but I would like to understand if there is a better way
> > which I'm missing.
>
> Hi,
>
> I wrote the sefcontext module.
>
> The sefcontext module is roughly the functionality that 'semanage
> fcontext' provides you. It allows you to add SELinux file context
> mappings to the internal database.
>
> Now, the module is not intended to change file contexts based on the
> mapping, just like 'semanage fcontext' does not do. (See man semanage)
>
> As you said, you can do this with restorecon, or the file module, or
> simply making sure that you first create the required file contexts before
> you start using the locations, in which case the SELinux file contexts
> will be applied automatically to new files.
>
> The reload option is there to reload the SELinux policy after making
> changes. And it is by default turned on because that's what most people
> would expect. (It makes the changes active immediately to be used)
>
> PS If the documentation was confusing, let me know what you would change
> to it to make things more obvious. I am all for improving things!
>
> Kind regards,
> --
> Dag
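
The two-step pattern discussed in this thread, written out as a playbook. This is an added example, not code from either poster or from the Ansible project; the directory path, the SELinux type and the variable names are constructed for illustration.

```yaml
---
# Added example: record the mapping with sefcontext, then relabel explicitly.
# app_dir and app_setype are hypothetical values chosen for this sketch.
- hosts: all
  become: true
  vars:
    app_dir: /srv/app/static
    app_setype: httpd_sys_content_t
  tasks:
    # Same role as 'semanage fcontext -a': stores the path-to-context mapping.
    # It does not touch the labels of files that already exist.
    - name: Add file context mapping for the application directory
      sefcontext:
        target: "{{ app_dir }}(/.*)?"
        setype: "{{ app_setype }}"
        state: present
        reload: true

    # Apply the stored mapping to files already on disk. With -v, restorecon
    # prints one line per relabeled file, so empty output means no change.
    - name: Relabel existing files according to the mapping
      command: restorecon -Rv {{ app_dir }}
      register: relabel
      changed_when: relabel.stdout != ""

    # Check the result the same way the question did, with ls -Z.
    - name: Read the current label of the directory
      command: ls -Zd {{ app_dir }}
      register: label
      changed_when: false

    - name: Fail if the directory does not carry the expected type
      assert:
        that:
          - app_setype in label.stdout
```

Running the relabel task on every play, rather than only when the mapping changes, also catches files that were copied in later with a different label.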
