invalid selinux context


Pablo Hinojosa Nava

Jan 15, 2014, 9:22:20 AM
to ansible...@googlegroups.com
Hi,

I am having problems when I use the template module over a ZFS filesystem (in NAS4Free) with NFS mounted with a selinux context for Apache.

Here is all the information:

which is dropping the following error: [Errno 95] Operation not supported
Maybe there is a problem with SELinux and ZFS, but this is caused because the cur_context != new_context, as you can see in the debug https://gist.github.com/Pablohn26/8434558#file-invalid-selinux-context-L33
That is, the problem is when ansible tries to get the context (not sure if it gets that from the command ).
I do not know why the "input_was" and "new_context" in the debug output have a "default_t" selinux type when I have passed the context that I want as a parameter and selinux is disabled in the host running ansible.
Maybe the variables try to be self explanatory, but I do not get the difference between "cur_context" and "secontext".

Is it a bug? Or did I do something wrong?

Cheers

Michael DeHaan

Jan 15, 2014, 9:27:31 AM
to ansible...@googlegroups.com
Small favor -- when posting to the list, please include most of the problem when posting to the actual list.

This saves clicking over to the gist, but also makes Google Search work.

Right now I'm having to toggle this between two separate tabs and the gist viewer doesn't wrap lines, nor does this email.




--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com.
To post to this group, send email to ansible...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.



--
Michael DeHaan <mic...@ansibleworks.com>
CTO, AnsibleWorks, Inc.
http://www.ansibleworks.com/

Pablo Hinojosa Nava

Jan 15, 2014, 9:43:37 AM
to ansible...@googlegroups.com
Sorry, last time I had to put in a gist and I supposed it was the way to do it.


Well, I start again:
I am having problems when I use the template module over a ZFS filesystem (in NAS4Free) with NFS mounted with a selinux context for Apache.
The command is the following:
- name: Base Files - template /cluster/default/apache/created/index.html.j2
  template: src=cluster/default/apache/created/index.html.j2 dest=/cluster/default/apache/created/index.html owner=apache group=apache mode=0644

but I have also used to set the selinux context:
- name: Base Files - template /cluster/default/apache/created/index.html.j2
  template: src=cluster/default/apache/created/index.html.j2 dest=/cluster/default/apache/created/index.html owner=apache group=apache mode=0644 selevel="s0" serole="object_r" seuser="system_u" setype="httpd_sys_content_t"

The context and content of the folder is the following:
[root@cp-dev02 apache]# ls -laZ created/
drwxr-xr-x.   80 80 system_u:object_r:httpd_sys_content_t:s0 .
drwxr-xr-x.   80 80 system_u:object_r:httpd_sys_content_t:s0 ..
-rw-------. root 80 system_u:object_r:httpd_sys_content_t:s0 .index.html.15770.1389707624.44
-rw-------. root 80 system_u:object_r:httpd_sys_content_t:s0 .index.html.16057.1389711860.52
(... more hidden files of each try...)

The mount is the following:
cat /etc/fstab:
10.199.3.26:/mnt/tank/cluster/default /cluster/default nfs defaults,nolock,noatime,nodiratime,actimeo=3,context=system_u:object_r:httpd_sys_content_t:s0 0 0

And the task is:
TASK: [control | Base Files - template /cluster/default/apache/created/index.html.j2] *** 
<10.199.3.26> ESTABLISH CONNECTION FOR USER: root
<10.199.3.26> EXEC ['ssh', '-tt', '-vvv', '-o', 'ControlMaster=auto', '-o', 'ControlPersist=60s', '-o', 'ControlPath=/home/pablo/.ansible/cp/ansible-ssh-%h-%p-%r', '-o', 'Port=22', '-o', 'KbdInteractiveAuthentication=no', '-o', 'PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey', '-o', 'PasswordAuthentication=no', '-o', 'User=root', '-o', 'ConnectTimeout=10', '10.199.3.26', "/bin/sh -c 'mkdir -p $HOME/.ansible/tmp/ansible-tmp-1389782629.68-141511421134203 && echo $HOME/.ansible/tmp/ansible-tmp-1389782629.68-141511421134203'"]

<10.199.3.26> EXEC ['ssh', '-tt', '-vvv', '-o', 'ControlMaster=auto', '-o', 'ControlPersist=60s', '-o', 'ControlPath=/home/pablo/.ansible/cp/ansible-ssh-%h-%p-%r', '-o', 'Port=22', '-o', 'KbdInteractiveAuthentication=no', '-o', 'PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey', '-o', 'PasswordAuthentication=no', '-o', 'User=root', '-o', 'ConnectTimeout=10', '10.199.3.26', u'/bin/sh -c \'rc=0; [ -r "/cluster/default/apache/created/index.html" ] || rc=2; [ -f "/cluster/default/apache/created/index.html" ] || rc=1; [ -d "/cluster/default/apache/created/index.html" ] && rc=3; (/usr/bin/md5sum /cluster/default/apache/created/index.html 2>/dev/null) || (/sbin/md5sum -q /cluster/default/apache/created/index.html 2>/dev/null) || (/usr/bin/digest -a md5 /cluster/default/apache/created/index.html 2>/dev/null) || (/sbin/md5 -q /cluster/default/apache/created/index.html 2>/dev/null) || (/usr/bin/md5 -n /cluster/default/apache/created/index.html 2>/dev/null) || (/bin/md5 -q /cluster/default/apache/created/index.html 2>/dev/null) || (/usr/bin/csum -h MD5 /cluster/default/apache/created/index.html 2>/dev/null) || (echo "${rc}  /cluster/default/apache/created/index.html")\'']
<10.199.3.26> PUT /tmp/tmpDrpzWD TO /root/.ansible/tmp/ansible-tmp-1389782629.68-141511421134203/source
<10.199.3.26> PUT /tmp/tmpG6Gy6a TO /root/.ansible/tmp/ansible-tmp-1389782629.68-141511421134203/copy
<10.199.3.26> EXEC ['ssh', '-tt', '-vvv', '-o', 'ControlMaster=auto', '-o', 'ControlPersist=60s', '-o', 'ControlPath=/home/pablo/.ansible/cp/ansible-ssh-%h-%p-%r', '-o', 'Port=22', '-o', 'KbdInteractiveAuthentication=no', '-o', 'PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey', '-o', 'PasswordAuthentication=no', '-o', 'User=root', '-o', 'ConnectTimeout=10', '10.199.3.26', "/bin/sh -c '/usr/bin/python /root/.ansible/tmp/ansible-tmp-1389782629.68-141511421134203/copy; rm -rf /root/.ansible/tmp/ansible-tmp-1389782629.68-141511421134203/ >/dev/null 2>&1'"]
failed: [10.199.3.26] => {"cur_context": ["system_u", "object_r", "httpd_sys_content_t", "s0"], "failed": true, "gid": 80, "group": "80", "input_was": ["system_u", "object_r", "default_t", "s0"], "item": "", "mode": "0600", "new_context": ["system_u", "object_r", "default_t", "s0"], "owner": "root", "path": "/cluster/default/apache/created/.index.html.16728.1389782630.08", "secontext": "system_u:object_r:httpd_sys_content_t:s0", "size": 827, "state": "file", "uid": 0}
msg: invalid selinux context

FATAL: all hosts have already failed -- aborting

The environment is:
- ansible-playbook --version: ansible-playbook 1.5
- yum info libselinux-python: installed
- running ansible from: Fedora Core 19, 3.12.6-200.fc19.x86_64
- running ansible over: CentOS 6, 2.6.32-431.3.1.el6.x86_64
- python --version: Python 2.7.5

And the error is: msg: invalid selinux context

which is dropping the following error: [Errno 95] Operation not supported
Maybe there is a problem with SELinux and ZFS, but this is caused because the cur_context != new_context, as you can see in the debug https://gist.github.com/Pablohn26/8434558#file-invalid-selinux-context-L33
That is, the problem is when ansible tries to get the context (not sure if it gets that from the command ).
I do not know why the "input_was" and "new_context" in the debug output have a "default_t" selinux type when I have passed the context that I want as a parameter and selinux is disabled in the host running ansible.
Maybe the variables try to be self explanatory, but I do not get the difference between "cur_context" and "secontext".

Is it a bug, did I do something wrong, or is it not possible for now? If I make a template over /tmp (not mounted) and then copy with the cp command from /tmp to the folder that I want, it works and it conserves the context and permissions.

Cheers and sorry for the bad explanation.
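An added check (not Ansible's code and not from the thread) that reads a /proc/mounts-style table, finds the mount that owns the destination path and reports whether a per-file SELinux label can be changed there. The sample mount table is constructed to mirror the fstab line above. On a filesystem mounted with a fixed context= option every inode carries the mount's label and the kernel refuses per-file label changes with EOPNOTSUPP (the Errno 95 above), so the only new_context that can succeed on such a mount is the mount's own context.

```python
import posixpath

# Constructed /proc/mounts-style sample mirroring the fstab line in the thread.
SAMPLE_MOUNTS = """\
/dev/mapper/vg-root / ext4 rw,relatime,seclabel 0 0
10.199.3.26:/mnt/tank/cluster/default /cluster/default nfs rw,noatime,nodiratime,nolock,actimeo=3,context=system_u:object_r:httpd_sys_content_t:s0 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,seclabel 0 0
"""

def parse_mounts(text):
    """Return [(mountpoint, fstype, {option: value-or-None})] from /proc/mounts text."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        opts = {}
        for opt in fields[3].split(","):
            key, sep, val = opt.partition("=")
            opts[key] = val if sep else None
        mounts.append((fields[1], fields[2], opts))
    return mounts

def mount_for(path, mounts):
    """Longest-prefix match: the mount entry that owns path."""
    path = posixpath.normpath(path)
    best = None
    for entry in mounts:
        mp = entry[0]
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) > len(best[0]):
                best = entry
    return best

def fixed_context(path, mounts):
    """Mount-wide context= label for path, or None when labels are per-file xattrs."""
    entry = mount_for(path, mounts)
    return entry[2].get("context") if entry else None

def check_context(path, new_context, mounts):
    """new_context is the 4-part list Ansible reports as new_context.
    Returns (ok, reason): ok is False when the label change cannot succeed."""
    ctx = fixed_context(path, mounts)
    if ctx is None:
        return True, "per-file labelling; the module can set the context"
    if ctx.split(":") == list(new_context):
        return True, "already the mount context; nothing to change"
    return False, "mount fixed to %s; setting %s fails with EOPNOTSUPP" % (ctx, ":".join(new_context))
```

Run against the values in the debug output above, the default_t new_context on /cluster/default is reported as impossible, while the same context on /tmp (per-file labels) is allowed, which matches the template-to-/tmp-then-cp workaround.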

Pablo Hinojosa Nava

Jan 15, 2014, 9:49:24 AM
to ansible...@googlegroups.com
Sorry again for the format. I wrote that inside https://groups.google.com/forum/#!topic/ansible-project/ZvnOAqYvOVk and there characters are not so different. I have just read it on Gmail and the change of font sucks.

Michael DeHaan

Jan 15, 2014, 10:27:52 AM
to ansible...@googlegroups.com
Not a problem, gist can be good for when there are multiple files, I just have a limited time to read the lists so it's hard to find a few extra minutes to mentally merge two separate pages of context together :)

I'll leave someone else to dig into the SELinux/ZFS crossover question for now.

If you don't find any resolution, I'd probably recommend filing a bug ticket also.


Pablo Hinojosa Nava

Jan 15, 2014, 12:33:41 PM
to ansible...@googlegroups.com
Hi again, 

I have opened a bug ticket here https://github.com/ansible/ansible/issues/5632

We continue there :)

Thanks