We will be making changes to nearly a hundred client machines using Ansible. We've used Ansible before, albeit we're still pretty new at it, but have a pretty good handle on it and have done before what we want to do now, which is edit a config file. The new target machines have SELinux enabled and enforcing. As the documentation tells us, we need to deploy selinux-python to each of the targets in order to use copy, replace or template functions in our playbooks for those machines. This will have to be done by hand. We're having a 'devil's advocate' scrum before we go to the client and tell them what we will be doing, and some questions have come up that I do not yet have the knowledge/experience to answer.
The docs tell me Ansible works by pushing Ansible modules to the target machine and executing them over SSH, provided your security certs have been installed (ours have). I presume that these modules are Python scripts. Are they specifically identified as Ansible scripts to the target? I should think not; the target really ought not care, as I understand it. But what does selinux-python do? Why won't copy, replace or template work without it? And does it make a permanent change? Is it Ansible-specific?
I expect I'm not asking the questions well, but the client will almost certainly ask what the Python bindings allow that did not exist before, and does this create a potential security issue? If we can tell them that it's Ansible and only Ansible specific and explain even superficially how, then we might be allowed to use it. If it is not Ansible-specific and allows anybody to come in and execute any Python script, then we have a harder road ahead of us that may involve scrapping Ansible for use with this client and going into each machine and hand-editing files.
regards, Richard