selinux issue


Sergey Glazyrin

Feb 11, 2024, 6:30:49 PM
to Ansible Project
Hello guys
I use Linux on a local PC with SELinux enabled, though there's no context for the folders/files/etc.
And I am getting the following issue:
Recursion error when Ansible is trying to build the JSON it failed with.
I am getting it when I am trying to create a directory using the tempfile module, with parameters:
   "invocation": {
       "module_args": {
           "path": "/tmp/",
           "prefix": "buildproject-Bk4mnluds1J6XoC28KyR0QzUgSVVpgSJBxQ7JlWf",
           "state": "directory",
           "suffix": ""
       }
   },
Traceback:
File "/tmp/ansible_tempfile_payload_qfnjn5co/ansible_tempfile_payload.zip/ansible/module_utils/basic.py", line 679, in selinux_context
   self.fail_json(path=path, msg='failed to retrieve selinux context')
 File "/tmp/ansible_tempfile_payload_qfnjn5co/ansible_tempfile_payload.zip/ansible/module_utils/basic.py", line 1531, in fail_json
   self._return_formatted(kwargs)
 File "/tmp/ansible_tempfile_payload_qfnjn5co/ansible_tempfile_payload.zip/ansible/module_utils/basic.py", line 1459, in _return_formatted
   self.add_path_info(kwargs)
 File "/tmp/ansible_tempfile_payload_qfnjn5co/ansible_tempfile_payload.zip/ansible/module_utils/basic.py", line 1212, in add_path_info
   kwargs['secontext'] = ':'.join(self.selinux_context(path))
                                  ^^^^^^^^^^^^^^^^^^^^^^^^^^
 File "/tmp/ansible_tempfile_payload_qfnjn5co/ansible_tempfile_payload.zip/ansible/module_utils/basic.py", line 679, in selinux_context
   self.fail_json(path=path, msg='failed to retrieve selinux context')
 File "/tmp/ansible_tempfile_payload_qfnjn5co/ansible_tempfile_payload.zip/ansible/module_utils/basic.py", line 1531, in fail_json
   self._return_formatted(kwargs)
 File "/tmp/ansible_tempfile_payload_qfnjn5co/ansible_tempfile_payload.zip/ansible/module_utils/basic.py", line 1459, in _return_formatted
   self.add_path_info(kwargs)
 File "/tmp/ansible_tempfile_payload_qfnjn5co/ansible_tempfile_payload.zip/ansible/module_utils/basic.py", line 1212, in add_path_info
   kwargs['secontext'] = ':'.join(self.selinux_context(path))
                                  ^^^^^^^^^^^^^^^^^^^^^^^^^^
 File "/tmp/ansible_tempfile_payload_qfnjn5co/ansible_tempfile_payload.zip/ansible/module_utils/basic.py", line 679, in selinux_context
   self.fail_json(path=path, msg='failed to retrieve selinux context')
 File "/tmp/ansible_tempfile_payload_qfnjn5co/ansible_tempfile_payload.zip/ansible/module_utils/basic.py", line 1531, in fail_json
   self._return_formatted(kwargs)
 File "/tmp/ansible_tempfile_payload_qfnjn5co/ansible_tempfile_payload.zip/ansible/module_utils/basic.py", line 1459, in _return_formatted
   self.add_path_info(kwargs)
 File "/tmp/ansible_tempfile_payload_qfnjn5co/ansible_tempfile_payload.zip/ansible/module_utils/basic.py", line 1212, in add_path_info
   kwargs['secontext'] = ':'.join(self.selinux_context(path))
                                  ^^^^^^^^^^^^^^^^^^^^^^^^^^
 File "/tmp/ansible_tempfile_payload_qfnjn5co/ansible_tempfile_payload.zip/ansible/module_utils/basic.py", line 674, in selinux_context
   ret = selinux.lgetfilecon_raw(to_native(path, errors='surrogate_or_strict'))
         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 File "/tmp/ansible_tempfile_payload_qfnjn5co/ansible_tempfile_payload.zip/ansible/module_utils/compat/selinux.py", line 95, in lgetfilecon_raw
   rc = _selinux_lib.lgetfilecon_raw(path, byref(con))
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
ctypes.ArgumentError: argument 1: RecursionError: maximum recursion depth exceeded
fatal: [127.0.0.1]: FAILED! => {
   "changed": false,
   "invocation": {
       "module_args": {
           "path": "/tmp/",
           "prefix": "buildproject-Bk4mnluds1J6XoC28KyR0QzUgSVVpgSJBxQ7JlWf",
           "state": "directory",
           "suffix": ""
       }
   },
   "msg": "argument 1: RecursionError: maximum recursion depth exceeded"
}

Rilindo Foster

Feb 11, 2024, 6:36:59 PM
to ansible...@googlegroups.com
That is gnarly. 

Can you provide the play code that attempted to perform this operation?

Rilindo


Sergey Glazyrin

Feb 11, 2024, 6:48:04 PM
to Ansible Project
Here it is
ANSIBLE_KEEP_REMOTE_FILES=1 ansible localhost -m tempfile -a "path=/tmp/ prefix=buildproject state=directory" -vvv
And I debugged it: it's not able to get data about the SELinux context because it's not set, and it's triggering an OSError with code 61.
Then it's trying to build up the JSON about the failure and it simply gets into the recursion....
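
The loop visible in the traceback above, reduced to a small model. This is an added example, not part of the original thread and not Ansible's code: the classes, `lookup_context` and the re-entrancy guard in `GuardedModule` are hypothetical, and the guard is an assumed mitigation rather than the project's fix.

```python
ENODATA = 61  # errno the poster reported for the failed context lookup

class ModuleFailure(Exception):
    """Stands in for the JSON failure result a module emits before exiting."""
    def __init__(self, result):
        super().__init__(result.get("msg"))
        self.result = result

def lookup_context(path):
    # Constructed stand-in for lgetfilecon_raw() on a path with no SELinux label.
    raise OSError(ENODATA, "No data available", path)

class NaiveModule:
    """Hypothetical model of the call chain shown in the traceback."""
    def selinux_context(self, path):
        try:
            return lookup_context(path)
        except OSError:
            self.fail_json(path=path, msg="failed to retrieve selinux context")

    def fail_json(self, **kwargs):
        self.add_path_info(kwargs)      # decorates the error with path details
        raise ModuleFailure(kwargs)

    def add_path_info(self, kwargs):
        # Re-runs the lookup that just failed, which re-enters fail_json().
        kwargs["secontext"] = ":".join(self.selinux_context(kwargs["path"]))

class GuardedModule(NaiveModule):
    """Assumed mitigation: skip path decoration while already failing."""
    _failing = False

    def fail_json(self, **kwargs):
        if not self._failing:
            self._failing = True
            self.add_path_info(kwargs)
        raise ModuleFailure(kwargs)

def outcome(module_cls, path="/tmp/buildproject-example"):
    """Return the failure result, or the name of the error that masked it."""
    try:
        module_cls().selinux_context(path)
    except RecursionError:
        return "RecursionError"
    except ModuleFailure as exc:
        return exc.result

if __name__ == "__main__":
    print(outcome(NaiveModule))
    print(outcome(GuardedModule))
```

In the naive model the useful message ("failed to retrieve selinux context") never reaches the caller; only the recursion error does, which matches the `msg` in the failed task output above.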


Rilindo Foster

Feb 11, 2024, 7:58:00 PM
to ansible...@googlegroups.com
I am not able to reproduce the error, at least with ansible core 2.15.3:

[rilindo@podman01 ~]$ getenforce
Enforcing
[rilindo@podman01 ~]$ ANSIBLE_KEEP_REMOTE_FILES=1 ansible localhost -m tempfile -a "path=/tmp/ prefix=buildproject state=directory" -vvv
ansible [core 2.15.3]
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/home/rilindo/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.11/site-packages/ansible
  ansible collection location = /home/rilindo/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/bin/ansible
  python version = 3.11.5 (main, Oct 25 2023, 16:19:59) [GCC 8.5.0 20210514 (Red Hat 8.5.0-20)] (/usr/bin/python3.11)
  jinja version = 3.1.2
  libyaml = True
Using /etc/ansible/ansible.cfg as config file
host_list declined parsing /etc/ansible/hosts as it did not pass its verify_file() method
script declined parsing /etc/ansible/hosts as it did not pass its verify_file() method
auto declined parsing /etc/ansible/hosts as it did not pass its verify_file() method
Parsed /etc/ansible/hosts inventory source with ini plugin
Skipping callback 'default', as we already have a stdout callback.
Skipping callback 'minimal', as we already have a stdout callback.
Skipping callback 'oneline', as we already have a stdout callback.
<127.0.0.1> ESTABLISH LOCAL CONNECTION FOR USER: rilindo
<127.0.0.1> EXEC /bin/sh -c 'echo ~rilindo && sleep 0'
<127.0.0.1> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /home/rilindo/.ansible/tmp `"&& mkdir "` echo /home/rilindo/.ansible/tmp/ansible-tmp-1707699264.9183002-64356-88319939050553 `" && echo ansible-tmp-1707699264.9183002-64356-88319939050553="` echo /home/rilindo/.ansible/tmp/ansible-tmp-1707699264.9183002-64356-88319939050553 `" ) && sleep 0'
Using module file /usr/lib/python3.11/site-packages/ansible/modules/tempfile.py
<127.0.0.1> PUT /home/rilindo/.ansible/tmp/ansible-local-62330a2uwxtzt/tmp001liao1 TO /home/rilindo/.ansible/tmp/ansible-tmp-1707699264.9183002-64356-88319939050553/AnsiballZ_tempfile.py
<127.0.0.1> EXEC /bin/sh -c 'chmod u+x /home/rilindo/.ansible/tmp/ansible-tmp-1707699264.9183002-64356-88319939050553/ /home/rilindo/.ansible/tmp/ansible-tmp-1707699264.9183002-64356-88319939050553/AnsiballZ_tempfile.py && sleep 0'
<127.0.0.1> EXEC /bin/sh -c '/usr/bin/python3.11 /home/rilindo/.ansible/tmp/ansible-tmp-1707699264.9183002-64356-88319939050553/AnsiballZ_tempfile.py && sleep 0'
localhost | CHANGED => {
    "changed": true,
    "gid": 1000,
    "group": "rilindo",
    "invocation": {
        "module_args": {
            "path": "/tmp/",
            "prefix": "buildproject",
            "state": "directory",
            "suffix": ""
        }
    },
    "mode": "0700",
    "owner": "rilindo",
    "path": "/tmp/buildproject_zi01c58",
    "secontext": "unconfined_u:object_r:user_tmp_t:s0",
    "size": 6,
    "state": "directory",
    "uid": 1000
}


Perhaps it is something that is unique to your local system. Have you been able to reproduce in any other system?

- Rilindo

Sergey Glazyrin

Feb 12, 2024, 1:44:06 AM
to Ansible Project
No, it works on another system. The problem is that I don't have an SELinux context on the system... I don't remember setting it up explicitly, but maybe something changed after I updated Gentoo.

Sergey Glazyrin

Feb 12, 2024, 1:44:44 AM
to Ansible Project
selinux context in the system -> selinux context for this path
