Assistance with sefcontext module


William Muriithi

Sep 7, 2017, 6:10:04 PM9/7/17
to ansible...@googlegroups.com
Afternoon,

I am attempting to convert a task that currently uses shell to use the
sefcontext module, and it's not working as documented. Has anyone
previously used this module successfully? Below is my intention and
observation.

The current working solution
chcon -R -t httpd_sys_rw_content_t {{svn_root}}/projects


The tasks that are currently not working

- name: Set http security context
  sefcontext: setype=httpd_sys_content_t target='{{svn_root}}/projects(/.*)?' state=present
  tags:
    - selinux_svn

- name: set context that enables commits over http
  sefcontext: setype=httpd_sys_rw_content_t target='{{svn_root}}/projects(/.*)?' state=present
  tags:
    - selinux_svn

The result of running above task in verbose mode

TASK [svn : Set http security context]
***************************************************************************************************************************************************************************
task path: /etc/ansible/roles/svn/tasks/main.yml:54
changed: [palladium.eng.example.com] => {
    "changed": true,
    "ftype": "a",
    "invocation": {
        "module_args": {
            "ftype": "a",
            "reload": true,
            "selevel": null,
            "setype": "httpd_sys_content_t",
            "seuser": null,
            "state": "present",
            "target": "/var/repos/svn/projects(/.*)?"
        }
    },
    "serange": "s0",
    "setype": "httpd_sys_content_t",
    "seuser": "system_u",
    "state": "present",
    "target": "/var/repos/svn/projects(/.*)?"
}

TASK [svn : set context that enables commits over http]
**********************************************************************************************************************************************************
task path: /etc/ansible/roles/svn/tasks/main.yml:59

onnection to palladium.eng.example.com closed.\r\n')
changed: [palladium.eng.example.com] => {
    "changed": true,
    "ftype": "a",
    "invocation": {
        "module_args": {
            "ftype": "a",
            "reload": true,
            "selevel": null,
            "setype": "httpd_sys_rw_content_t",
            "seuser": null,
            "state": "present",
            "target": "/var/repos/svn/projects(/.*)?"
        }
    },
    "serange": "s0",
    "setype": "httpd_sys_rw_content_t",
    "seuser": "system_u",
    "state": "present",
    "target": "/var/repos/svn/projects(/.*)?"
}

Result when using the sefcontext ansible module

[root@palladium ~]# ls -lZ /var/repos/svn/projects
drwxr-xr-x. apache apache unconfined_u:object_r:var_t:s0 conf
drwxr-xr-x. apache apache unconfined_u:object_r:var_t:s0 dav
drwxr-sr-x. apache apache unconfined_u:object_r:var_t:s0 db
-r--r--r--. apache apache unconfined_u:object_r:var_t:s0 format
drwxr-xr-x. apache apache unconfined_u:object_r:var_t:s0 hooks
drwxr-xr-x. apache apache unconfined_u:object_r:var_t:s0 locks
-rw-r--r--. apache apache unconfined_u:object_r:var_t:s0 README.txt


If I use the shell, it works and the files are labeled as below. (Result
when using the operating system tool)

[root@palladium ~]# ls -ltrZ /var/repos/svn/projects
-rw-r--r--. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 README.txt
drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 locks
drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 hooks
drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 dav
-r--r--r--. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 format
drwxr-sr-x. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 db
drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 conf
[root@palladium ~]#

What could I be doing wrong? Could this be a bug in the module?

Regards,
William
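An added example (not part of the original post) of the two-step form this usually takes: sefcontext only records the file-context rule in the SELinux policy, the way `semanage fcontext -a` does, and does not change labels already on disk, so a restorecon run is needed for existing files. It assumes `svn_root` is defined as in the post; the `changed_when` test on restorecon's verbose output is an assumption.

```yaml
# Added example, not the poster's task. sefcontext writes the rule into the
# policy's file contexts; existing files keep their old label (var_t above)
# until restorecon applies the rule to them.
- name: Record rw context for the svn projects tree
  sefcontext:
    target: "{{ svn_root }}/projects(/.*)?"
    setype: httpd_sys_rw_content_t
    state: present
    reload: true
  tags:
    - selinux_svn

# Only one rule per target regex takes effect, so the separate
# httpd_sys_content_t task for the same path is dropped here instead
# of being silently superseded by the rw rule.

- name: Apply the recorded context to files already on disk
  command: restorecon -R -v "{{ svn_root }}/projects"
  register: restorecon_result
  # Assumption: restorecon -v prints a line only for files it relabels,
  # so empty stdout means the tree already matched the policy.
  changed_when: restorecon_result.stdout != ""
  tags:
    - selinux_svn
```

After the play, `ls -lZ /var/repos/svn/projects` should show httpd_sys_rw_content_t as in the chcon result above, and unlike chcon the label now survives a future relabel because the rule lives in the policy.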