Tags: ansible, fedora-25

How to create a directory with particular SE Linux context on it


Here is what I have:

- name: Create directories that will be used as persistent volumes
  become: yes
  become_method: sudo
  file:
    path: /tmp/pv-{{ item }}
    state: directory
    mode: "g=rwx"
    group: "root"
    selevel: _default
    seuser: _default
    serole: _default
    setype: svirt_sandbox_file_t
  with_items:
    - cassandra
    - services

The two directories are correctly created, and the group and rights are OK. But the SELinux context is wrong.

$ ll -dZ /tmp/pv-cassandra
drwxrwxr-x. 2 jkremser root unconfined_u:object_r:user_tmp_t:s0 40 Mar  9 15:19 /tmp/pv-cassandra

This is the part of the debugging output:

ok: [localhost] => (item=cassandra) => {
    "changed": false, 
    "diff": {
        "after": {
            "path": "/tmp/pv-cassandra"
        }, 
        "before": {
            "path": "/tmp/pv-cassandra"
        }
    }, 
    "gid": 0, 
    "group": "root", 
    "invocation": {
        "module_args": {
            "backup": null, 
            "content": null, 
            "delimiter": null, 
            "diff_peek": null, 
            "directory_mode": null, 
            "follow": false, 
            "force": false, 
            "group": "root", 
            "mode": "g=rwx", 
            "original_basename": null, 
            "owner": null, 
            "path": "/tmp/pv-cassandra", 
            "recurse": false, 
            "regexp": null, 
            "remote_src": null, 
            "selevel": "_default", 
            "serole": "_default", 
            "setype": "svirt_sandbox_file_t", 
            "seuser": "_default", 
            "src": null, 
            "state": "directory", 
            "unsafe_writes": null, 
            "validate": null
        }, 
        "module_name": "file"
    }, 
    "item": "cassandra", 
    "mode": "0775", 
    "owner": "root", 
    "path": "/tmp/pv-cassandra", 
    "size": 80, 
    "state": "directory", 
    "uid": 0
}

What am I doing wrong? My OS is Fedora 25.


Solution

  • If I use the copy module instead of the file module (it has almost the same parameters), it throws this error:

    Aborting, target uses selinux but python bindings (libselinux-python) aren't installed


    After installing the libselinux-python package, it works! So it looks like the file module silently swallows the error and does what it can do :( I can't depend on the fact that the user has the libselinux-python package installed.

    I'll probably call chcon myself as a shell command or add the package as a prerequisite:

    - name: Install the libselinux-python package
      package:
        name: libselinux-python
        state: present
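A defensive version of the same play, added here as an example (it is not the poster's code): it installs the SELinux Python bindings before the file task, then checks the resulting label so that a silently ignored setype fails the run instead of leaving a mislabelled directory. The check assumes GNU coreutils, whose `stat -c %C` prints the SELinux context of a path; paths, items and the type are the ones from the question.

```yaml
- hosts: localhost
  become: yes
  tasks:
    # Without these bindings the file module cannot set SELinux attributes
    # and, as observed above, does not report that it skipped them.
    - name: Install the SELinux Python bindings the file module needs
      package:
        name: libselinux-python
        state: present

    - name: Create directories that will be used as persistent volumes
      file:
        path: /tmp/pv-{{ item }}
        state: directory
        mode: "g=rwx"
        group: root
        setype: svirt_sandbox_file_t
      with_items:
        - cassandra
        - services

    # Verify the label rather than trusting the module's "ok" status.
    # stat -c %C prints user:role:type:level for the path (GNU coreutils).
    - name: Check that the directories carry the expected SELinux type
      command: stat -c %C /tmp/pv-{{ item }}
      register: pv_context
      changed_when: false
      failed_when: "'svirt_sandbox_file_t' not in pv_context.stdout"
      with_items:
        - cassandra
        - services
```

Both chcon and the file module's setype change the label directly, so a relabel (for example restorecon) reverts it unless a matching rule has been registered with semanage fcontext.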