Afternoon,

I am attempting to convert a task that currently uses shell to use the
sefcontext module and it's not working as documented.  Has anyone
previously used this module successfully?  Below is my intention and
observation.

The current working solution
chcon -R -t httpd_sys_rw_content_t {{svn_root}}/projects


The tasks that are currently not working
    - name: Set http security context
      sefcontext:  setype=httpd_sys_content_t target='{{svn_root}}/projects(/.*)?' state=present
      tags:
         - selinux_svn

    - name: set context that enables commits over http
      sefcontext:  setype=httpd_sys_rw_content_t target='{{svn_root}}/projects(/.*)?' state=present
      tags:
         - selinux_svn

The result of running the above tasks in verbose mode

TASK [svn : Set http security context]
***************************************************************************************************************************************************************************
task path: /etc/ansible/roles/svn/tasks/main.yml:54
changed: [palladium.eng.example.com] => {
    "changed": true,
    "ftype": "a",
    "invocation": {
        "module_args": {
            "ftype": "a",
            "reload": true,
            "selevel": null,
            "setype": "httpd_sys_content_t",
            "seuser": null,
            "state": "present",
            "target": "/var/repos/svn/projects(/.*)?"
        }
    },
    "serange": "s0",
    "setype": "httpd_sys_content_t",
    "seuser": "system_u",
    "state": "present",
    "target": "/var/repos/svn/projects(/.*)?"
}

TASK [svn : set context that enables commits over http]
**********************************************************************************************************************************************************
task path: /etc/ansible/roles/svn/tasks/main.yml:59

onnection to palladium.eng.example.com closed.\r\n')
changed: [palladium.eng.example.com] => {
    "changed": true,
    "ftype": "a",
    "invocation": {
        "module_args": {
            "ftype": "a",
            "reload": true,
            "selevel": null,
            "setype": "httpd_sys_rw_content_t",
            "seuser": null,
            "state": "present",
            "target": "/var/repos/svn/projects(/.*)?"
        }
    },
    "serange": "s0",
    "setype": "httpd_sys_rw_content_t",
    "seuser": "system_u",
    "state": "present",
    "target": "/var/repos/svn/projects(/.*)?"
}

Result when using the sefcontext ansible module

[root@palladium ~]# ls -lZ /var/repos/svn/projects
drwxr-xr-x. apache apache unconfined_u:object_r:var_t:s0   conf
drwxr-xr-x. apache apache unconfined_u:object_r:var_t:s0   dav
drwxr-sr-x. apache apache unconfined_u:object_r:var_t:s0   db
-r--r--r--. apache apache unconfined_u:object_r:var_t:s0   format
drwxr-xr-x. apache apache unconfined_u:object_r:var_t:s0   hooks
drwxr-xr-x. apache apache unconfined_u:object_r:var_t:s0   locks
-rw-r--r--. apache apache unconfined_u:object_r:var_t:s0   README.txt


If I use the shell, it works and the files are labeled as below. (Result
when using operating system tool)

[root@palladium ~]# ls -ltrZ /var/repos/svn/projects
-rw-r--r--. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 README.txt
drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 locks
drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 hooks
drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 dav
-r--r--r--. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 format
drwxr-sr-x. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 db
drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 conf
[root@palladium ~]#

What could I be doing wrong?  Could this be a bug in the module?

Regards,
William
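
Added example, not part of the original post: sefcontext records a rule in the SELinux file-context database (as `semanage fcontext` does) and does not relabel files that already exist, whereas `chcon` changes the labels on disk directly, so a `restorecon` step is needed to apply the recorded rule. The task names and the `relabel` variable are assumptions; `svn_root` and the tag come from the post.

```yaml
# Added example. One rule per target pattern: the second sefcontext task in
# the post replaces the type set by the first, so only the rw rule is kept.
- name: Record the rw content type for the SVN projects tree
  sefcontext:
    target: '{{ svn_root }}/projects(/.*)?'
    setype: httpd_sys_rw_content_t
    state: present
  tags:
    - selinux_svn

# Apply the recorded rule to files already on disk. Unlike chcon, labels
# applied this way survive a later restorecon or full filesystem relabel.
- name: Relabel existing files to match the recorded rule
  command: restorecon -Rv {{ svn_root }}/projects
  register: relabel
  # Assumption: restorecon -v prints one line per relabeled path on stdout,
  # so empty output means nothing had to change.
  changed_when: relabel.stdout | length > 0
  tags:
    - selinux_svn
```

After the run, `ls -lZ {{svn_root}}/projects` should show `httpd_sys_rw_content_t` instead of `var_t`.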
