Ansible and SELinux Issues


Ryan P

Dec 6, 2021, 9:59:26 AM12/6/21
to Ansible Project
Hi all,

My Ansible server has lost the ability to log in to any of my hosts (itself included) and I am hoping others have had a similar issue.

The server in question is a RHEL7 server that is required to be configured according to the DISA STIG. In particular, after implementing RHEL-07-020023 - which requires administrative groups in sudoers to have the sysadm_r and sysadm_t role applied, Ansible completely loses its ability to log into the hosts. The error is as follows:

Permission denied:
unix_listener: cannot bind to path: /root/.ansible/cp/<random string of characters>

When switching back to unconfined_r and unconfined_t, Ansible works as expected. 

Unfortunately I'm not able to dispute with my security department as to why the sysadm context is just a drunken version of the unconfined context, so if anyone has any suggestions I would be extremely grateful.

- Ryan P

Dan Linder

Dec 9, 2021, 6:59:21 PM12/9/21
to Ansible Project

In my environment, I found that we had to add the “remote_tmp” variable and make it unique per user.  I think you’re running into the same thing if you look at the error message from that point of view:

Permission denied:
unix_listener: cannot bind to path: /root/.ansible/cp/<random string of characters>

If it’s the same issue I experienced, adding this to my user (or service account) “.ansible.cfg” file helped:

[defaults]
remote_tmp = /tmp/ansible.${USER}


And yes, that is a literal "${USER}" in the path - when the remote machine sets the variable it is expanded to the user account that Ansible connected as.

Dan
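The following is an added example and not code from either post. It writes a per-user Ansible config that keeps both the remote temp directory (Dan's remote_tmp setting) and the local SSH ControlMaster socket directory unique per account, then checks that the socket directory is writable and prints its SELinux label and the caller's SELinux context where the tools exist. The socket directory is the path named in Ryan's "unix_listener: cannot bind" error; pointing it at a per-user location under /tmp via the real [ssh_connection] option control_path_dir is this example's own assumption, not something the thread states fixes the sysadm_t case. The file path written to is a temporary file so the script can be run safely; the real file is ~/.ansible.cfg.

```shell
#!/bin/sh
# Added example (not from the thread): per-user ansible.cfg plus a check of the
# directory that the ControlMaster socket is bound in.

# write_ansible_cfg <path> : write the example config to <path>.
write_ansible_cfg() {
    user=$(id -un)
    cat > "$1" <<EOF
[defaults]
# Literal \${USER}: the remote shell expands it to the account Ansible connected as.
remote_tmp = /tmp/ansible.\${USER}

[ssh_connection]
# Local ControlMaster socket directory, substituted at write time (example choice;
# the default is ~/.ansible/cp, the location in the bind error).
control_path_dir = /tmp/ansible-cp-$user
EOF
}

# config_value <path> <key> : print the first value set for <key> in the file.
config_value() {
    sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# check_socket_dir <dir> : create <dir> with a private mode, confirm the current
# account can write to it, and show SELinux details when ls -Z / id -Z exist.
check_socket_dir() {
    mkdir -p "$1" && chmod 700 "$1" || return 1
    [ -w "$1" ] || return 1
    if id -Z >/dev/null 2>&1; then
        printf 'running as SELinux context: %s\n' "$(id -Z)"
    fi
    if ls -Zd "$1" >/dev/null 2>&1; then
        ls -Zd "$1"
    fi
    return 0
}

# Usage: write the config to a temporary file and check the socket dir it names.
cfg=$(mktemp)
write_ansible_cfg "$cfg"
check_socket_dir "$(config_value "$cfg" control_path_dir)"
```

If the check fails while running under the confined role but succeeds under unconfined_t, the difference is the SELinux policy rather than filesystem permissions, and the AVC denials in the audit log are the place to look next.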