How to create a directory with a specific SELinux context on it

Date: 2017-03-09 14:53:49

Tags: ansible fedora-25

This is what I have:

- name: Create directories that will be used as persistent volumes
  become: yes
  become_method: sudo
  file:
    path: /tmp/pv-{{ item }}
    state: directory
    mode: "g=rwx"
    group: "root"
    selevel: _default
    seuser: _default
    serole: _default
    setype: svirt_sandbox_file_t
  with_items:
    - cassandra
    - services

Both directories are created correctly and the group permissions are fine, but the SELinux context is wrong.

$ ll -dZ /tmp/pv-cassandra
drwxrwxr-x. 2 jkremser root unconfined_u:object_r:user_tmp_t:s0 40 Mar  9 15:19 /tmp/pv-cassandra

This is part of the debug output:

ok: [localhost] => (item=cassandra) => {
    "changed": false, 
    "diff": {
        "after": {
            "path": "/tmp/pv-cassandra"
        }, 
        "before": {
            "path": "/tmp/pv-cassandra"
        }
    }, 
    "gid": 0, 
    "group": "root", 
    "invocation": {
        "module_args": {
            "backup": null, 
            "content": null, 
            "delimiter": null, 
            "diff_peek": null, 
            "directory_mode": null, 
            "follow": false, 
            "force": false, 
            "group": "root", 
            "mode": "g=rwx", 
            "original_basename": null, 
            "owner": null, 
            "path": "/tmp/pv-cassandra", 
            "recurse": false, 
            "regexp": null, 
            "remote_src": null, 
            "selevel": "_default", 
            "serole": "_default", 
            "setype": "svirt_sandbox_file_t", 
            "seuser": "_default", 
            "src": null, 
            "state": "directory", 
            "unsafe_writes": null, 
            "validate": null
        }, 
        "module_name": "file"
    }, 
    "item": "cassandra", 
    "mode": "0775", 
    "owner": "root", 
    "path": "/tmp/pv-cassandra", 
    "size": 80, 
    "state": "directory", 
    "uid": 0
}

What am I doing wrong? My OS is Fedora 25.

1 Answer:

Answer 0 (score: 0)

If I use the copy module instead of file, which has almost the same parameters, it throws this error:

Aborting, target uses selinux but python bindings (libselinux-python) aren't installed

After installing the libselinux-python package it works fine! So it looks like the file module silently swallows the error and does what it can :( I cannot rely on the user having the libselinux-python package installed.

I will probably either call chcon myself as a shell command or add the package as a prerequisite:

- name: Install the libselinux-python package
  package: 
    name: libselinux-python
    state: present
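Putting the question's task and the answer's prerequisite together, as an added example that is not part of the original question or answer: a playbook that installs the SELinux Python bindings before the file task runs, creates the same two directories, and then reads the context back from disk so that the silent fall-through described above fails loudly instead of reporting ok. The package name libselinux-python, the paths and the type svirt_sandbox_file_t are taken from the post (Fedora 25); the verification tasks, the variable names and the use of `stat -c %C` are my own assumptions.

```yaml
# Added example, not from the original post. Assumes Fedora 25 as in the
# question; the libselinux-python package name is the one the answer found
# necessary. The read-back and assert tasks are my addition.
- hosts: localhost
  become: yes
  become_method: sudo
  vars:
    pv_setype: svirt_sandbox_file_t
    pv_names:
      - cassandra
      - services
  tasks:
    # Without these bindings the file module cannot set a context, but it
    # still reports ok/changed=false, so install them before any setype task.
    - name: Install the SELinux python bindings as a prerequisite
      package:
        name: libselinux-python
        state: present

    - name: Create directories that will be used as persistent volumes
      file:
        path: /tmp/pv-{{ item }}
        state: directory
        mode: "g=rwx"
        group: root
        setype: "{{ pv_setype }}"
      with_items: "{{ pv_names }}"

    # stat -c %C prints the on-disk context as user:role:type:level.
    - name: Read the SELinux context back from disk
      command: stat -c %C /tmp/pv-{{ item }}
      changed_when: false
      register: pv_ctx
      with_items: "{{ pv_names }}"

    # Do not trust the module's return value; compare the type field (index 2)
    # of the real label with what was requested and fail the play otherwise.
    - name: Fail if the type on disk is not the requested one
      assert:
        that:
          - item.stdout.split(':')[2] == pv_setype
        msg: "{{ item.item }}: got {{ item.stdout }}, expected type {{ pv_setype }}"
      with_items: "{{ pv_ctx.results }}"
```

Run it with `ansible-playbook pv.yml -K`. If the bindings are missing, the file task still comes back ok, but the read-back shows user_tmp_t (as in the `ll -dZ` output in the question) and the assert names the directory that is mislabelled. One caveat that applies to chcon and to the file module's setype alike: the label lives only in the inode's extended attribute, so a later `restorecon` or a full relabel resets it to whatever the file-context policy says for that path; a label that has to survive relabelling needs a file-context rule (the sefcontext module, or semanage fcontext) followed by restorecon.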