In my environment, I found that we had to add the “remote_tmp” variable and 
make it unique per user.  I think you’re running into the same thing if you 
look at the error message from that point of view:

Permission denied:

unix_listener: *cannot bind to path: /root*/.ansible/cp/<random string of characters>

If it’s the same issue I experienced, adding this to my user (or service 
account) “.ansible.cfg” file helped:

[defaults]

remote_tmp = /tmp/ansible.${USER}

And yes, that is a literal "${USER}" in the path - when the remote machine 
sets the variable it is expanded to the user account that Ansible connected 
as.

Dan

On Monday, December 6, 2021 at 8:59:26 AM UTC-6 Ryan P wrote:

> Hi all,
>
> My Ansible server has lost the ability to log in to any of my hosts (itself 
> included) and I am hoping others have had a similar issue.
>
> The server in question is a RHEL7 server that is required to be configured 
> according to the DISA STIG. In particular, after 
> implementing RHEL-07-020023 - which requires administrative groups in 
> sudoers to have the sysadm_r and sysadm_t role applied, Ansible completely 
> loses its ability to log into the hosts. The error is as follows:
>
> Permission denied:
> unix_listener: cannot bind to path: /root/.ansible/cp/<random string of characters>
>
> When switching back to unconfined_r and unconfined_t, Ansible works as 
> expected. 
>
> Unfortunately I'm not able to dispute with my security department as to 
> why the sysadm context is just a drunken version of the unconfined 
> context, so if anyone has any suggestions I would be extremely grateful. 
>
> - Ryan P
>
