selinux-python and ansible 'identification'


richard kappler

Feb 29, 2016, 1:31:47 PM
to Ansible Project
We will be making changes to nearly a hundred client machines using ansible. We've used ansible before, albeit we're still pretty new at it, but have a pretty good handle on it and have done before what we want to do now, which is edit a config file. The new target machines have selinux enabled and enforcing. As the documentation tells us, we need to deploy selinux-python to each of the targets in order to use copy, replace or template functions in our playbooks for those machines. This will have to be done by hand. We're having a 'devil's advocate' scrum before we go to the client and tell them what we will be doing, and some questions have come up that I do not yet have the knowledge/experience to answer.

The docs tell me ansible works by pushing ansible modules to the target machine and executing them over ssh, provided your security certs have been installed (ours have). I presume that these modules are python scripts. Are they specifically identified as ansible scripts to the target? I should think not; the target really ought not care, as I understand it. But what does selinux-python do? Why won't copy, replace or template work without it? And does it make a permanent change? Is it ansible specific?

I expect I'm not asking the questions well, but the client will almost certainly ask what the python bindings allow that did not exist before and does this create a potential security issue? If we can tell them that it's ansible and only ansible specific and explain even superficially how, then we might be allowed to use it. If it is not ansible specific and allows anybody to come in and execute any python script, then we have a harder road ahead of us that may involve scrapping ansible for use with this client and going into each machine and hand editing files.

regards, Richard

Brian Coca

Feb 29, 2016, 3:29:03 PM
to ansible...@googlegroups.com
So responding to the main points:

- You should not need to install selinux-python by hand; you could just use the 'yum' module in a 'bootstrapping' play (or, worst case, the 'raw' module).

- The modules shipped with Ansible are all python (version 2), but in general they can be language independent. Even python3 modules should work fine.

- The reason Ansible requires the selinux-python module is that otherwise the template/copy and other file operations will be unable to keep the correct selinux context when they operate on files. We have made sure the standard Ansible modules do this correctly, hence the dependency. Other custom/3rd party modules might not have this dependency, but will probably cause issues by not preserving the selinux context.

----------
Brian Coca

richard kappler

Feb 29, 2016, 3:33:49 PM
to Ansible Project
I see now that I forgot to add the important comment that these machines do not have internet access. Hence I would need to copy the selinux-python rpm to the target machines, which it would seem that I cannot do until I have that rpm installed. Or am I missing something? I could just scp the file to the targets, then install it with ansible, that would make things a little easier.

richard kappler

Feb 29, 2016, 3:59:49 PM
to Ansible Project
Thanks to Brian for the reply; it begs a couple more questions, but first let me state my 'new understandings' based on some sleuthing I did through our testenv logs and ansible core modules code while trying to figure this out. It looks to me like when you first use ansible a .ansible dir is set up in the topmost level dir (~) and within is a tmp directory. I'm surmising that ansible writes the modules it needs to that tmp dir, executes the modules according to the playbook on the ansible host, then deletes them on its way out the door when the play is finished. Is this correct? It also appears from our logs that any scripts (modules) that are executed during the play (ex: copy.py) are prepended with ansible- (as in ansible-copy.py), hence the target 'knows' it's ansible doing whatever it's doing. If this is so, then Brian I have to ask, because this makes my life so much easier (and I know that is what you live for ;-)), does the selinux-python binding set up an 'ansible user', or give anything with ansible root privileges or some such? Is that how the selinux context works?

Thanks for all the help, looking forward to your response.

regards, Richard

Brian Coca

Feb 29, 2016, 4:07:21 PM
to ansible...@googlegroups.com
So the current yum module can install from an rpm; even if you cannot use the copy module you should be able to:

- shell: scp selinux-python.xxx.rpm {{ inventory_hostname }}:/path/to/temp/
  connection: local

- yum: name=/path/to/temp/selinux-python.xxx.rpm

or if you can publish to an internal webserver:

- yum: name=http://package_source.local/selinux-python.xxx.rpm


As for the modules themselves, yes, they do get copied to the target host in a temp dir in the home of the login user, then they get deleted.

selinux-python does NOT give any new privileges to the user, it is just for managing selinux context of files touched by ansible.


----------
Brian Coca
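To make Brian's point about the binding concrete, here is an added example (not Ansible's code, and not from this thread) of the kind of thing a module does with the libselinux python bindings that the selinux-python package provides: read the file's current context, ask the loaded policy what the default context for that path is, and relabel only when they differ. It assumes the libselinux binding's `is_selinux_enabled`, `lgetfilecon`, `matchpathcon` and `lsetfilecon` calls; on a host without the binding it simply reports SELinux as unavailable, the same situation in which Ansible refuses to run copy/template.

```python
import os

try:
    # libselinux python binding (the selinux-python / libselinux-python rpm)
    import selinux
    HAVE_SELINUX = True
except ImportError:
    HAVE_SELINUX = False


def selinux_enabled():
    """True only when the binding is importable and the kernel has SELinux on."""
    return HAVE_SELINUX and selinux.is_selinux_enabled() == 1


def split_context(con):
    """Split 'user:role:type:range' into four fields; range may be absent."""
    parts = con.split(":", 3)
    return parts + [None] * (4 - len(parts))


def current_context(path):
    """Context the file carries now, or None when SELinux is not in play."""
    if not selinux_enabled():
        return None
    rc, con = selinux.lgetfilecon(path)   # assumed to return [rc, context]
    return split_context(con) if rc >= 0 else None


def default_context(path):
    """Context the policy says PATH should have (what restorecon would apply)."""
    if not selinux_enabled():
        return None
    rc, con = selinux.matchpathcon(path, os.stat(path).st_mode)
    return split_context(con) if rc >= 0 else None


def restore_context_if_different(path):
    """Relabel PATH to its policy default. This runs as the calling user with
    no extra privilege: the kernel allows or denies the relabel exactly as it
    would for a manual chcon by that user. Returns True only if it relabeled."""
    cur, want = current_context(path), default_context(path)
    if cur is None or want is None or cur == want:
        return False
    rc = selinux.lsetfilecon(path, ":".join(f for f in want if f is not None))
    if rc != 0:
        raise OSError("relabel of %s was denied by policy" % path)
    return True
```

Without the binding every function above returns None/False, which is why a module that writes files cannot guarantee the new file ends up with the right label and why Ansible treats the package as a dependency rather than an optional extra.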

richard kappler

Feb 29, 2016, 4:19:18 PM
to Ansible Project
Brilliant, I think that gives me everything I need other than to dive deeper into selinux contexts. Thanks Brian,
regards, Richard