semanage fcontext in ansible?


Dmitry Makovey

Nov 4, 2014, 10:49:35 AM
to ansibl...@googlegroups.com
Hi,

I've got a playbook that needs to set some SELinux labels etc. And I've come up with two questions:

1. So far I've used direct invocation of semanage fcontext -a -t logwatch_cache_t "/var/lib/logwatch(/.*)?". I have noticed that the "file" module exposes some of the SELinux labeling elements; however, I'm having a rough time imagining how I would implement the above invocation using the file module...

file: dest="/var/lib/logwatch(/.*)?" setype=logwatch_cache_t

2. When using "file: ... setype", it seems nothing is stored in /etc/selinux/targeted/contexts/files/file_contexts.local afterwards. Thus shall I assume it's more of a "chcon" front end than "semanage fcontext"?

Michael DeHaan

Nov 4, 2014, 4:21:25 PM
to Dmitry Makovey, ansibl...@googlegroups.com
(1)  Yeah it's not intended to apply wildcards.  Logic here would be correct.  Maybe could also just install a policy as an alternative?

(2)  Yes:


I'm open to possible additions.




--
You received this message because you are subscribed to the Google Groups "Ansible Development" group.

Dag Wieers

May 13, 2016, 10:45:29 AM
to Ansible Development
On Tuesday, 4 November 2014 16:49:35 UTC+1, Dmitry Makovey wrote:

I've got a playbook that needs to set some SELinux labels etc. And I've come up with two questions:

1. So far I've used direct invocation of semanage fcontext -a -t logwatch_cache_t "/var/lib/logwatch(/.*)?". I have noticed that the "file" module exposes some of the SELinux labeling elements; however, I'm having a rough time imagining how I would implement the above invocation using the file module...

file: dest="/var/lib/logwatch(/.*)?" setype=logwatch_cache_t

I wrote a new module "sefcontext" to do exactly what "semanage fcontext" is intended for:

    sefcontext:
        target: '/var/lib/logwatch(/.*)?'
        setype: logwatch_cache_t
        state: present

It is fully idempotent, and supports check-mode and diff-mode.
It is constructed to conform to the already existing seport module.
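To tie the two answers together, here is an added playbook (not code from the thread, nor from the sefcontext module itself) that does what the original question asked for: record the rule in the policy store with sefcontext, then relabel the existing tree with restorecon, since sefcontext only edits the file-context policy and does not touch files already on disk. The path and type are the ones discussed above; the package name is the RHEL/CentOS 7 one and is an assumption, as is the final ls -Z verification step.

```yaml
---
# Added example, not part of the original thread.
# Persistent SELinux labelling: sefcontext (policy entry, like "semanage fcontext -a")
# followed by restorecon (apply the entry to files that already exist).
# Contrast: "file: path=... setype=..." only changes the live label, like chcon,
# and the next restorecon/relabel would revert it.
- name: Label the logwatch cache persistently
  hosts: all
  become: true
  tasks:
    - name: Install the Python bindings the sefcontext module needs
      # Package name for RHEL/CentOS 7; assumed, adjust for other releases.
      package:
        name: policycoreutils-python
        state: present

    - name: Record the file-context rule in the policy store
      # Equivalent of: semanage fcontext -a -t logwatch_cache_t '/var/lib/logwatch(/.*)?'
      # This is what ends up in file_contexts.local; idempotent and check-mode aware.
      sefcontext:
        target: '/var/lib/logwatch(/.*)?'
        setype: logwatch_cache_t
        state: present
      register: fcontext

    - name: Apply the rule to files that already exist
      # sefcontext changes policy only; existing inodes keep their old label
      # until restorecon walks the tree. Run it only when the rule was just added.
      command: restorecon -Rv /var/lib/logwatch
      when: fcontext.changed

    - name: Verify the live label matches the policy (assumed check, read-only)
      command: ls -Zd /var/lib/logwatch
      register: label
      changed_when: false
      failed_when: "'logwatch_cache_t' not in label.stdout"
```

Running the play twice should report the sefcontext task as unchanged on the second pass, which is the idempotency the module promises; the restorecon step is therefore skipped, and the final check still confirms the label survived.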
