
Trying to use Ansible on a CentOS 7 server to make a directory and sync files into it. That part is working. The problem is I get a 403 Forbidden error when I try to access them from the browser. I understand that this is a fcontext problem with SELinux preventing Apache from accessing the files. I thought I had some Ansible code to handle this, but it is not adding the fcontext. I've manually set the fcontext on the CLI to make it work. If I remove the directory and run Ansible again, then the directory and files will have the right fcontext. Trying not to have to manually set the fcontext when I run this for my production server. Any ideas?

Here's the Ansible code used to set the fcontext and restorecon used.

```yaml
- name: Allow apache to read
  sefcontext:
    target: "{{ dest_dir }}(/.*)?"
    setype: httpd_sys_content_t
    state: present

- name: Run restore context to reload selinux
  shell: restorecon -iRv "{{ dest_dir }}"
```
  • While reviewing the the module info on the [Ansible documentation](https://docs.ansible.com/ansible/latest/modules/sefcontext_module.html) page, the examples show a very similar use case that has a slightly different syntax for the `restorecon` command to apply the updated policy to the filesystem. Have you tried your play with the second task using the syntax from the example? `command: restorecon -irv "{{ dest_dir }}"` I'll dig some more, but this might be a quick fix? – 0xSheepdog Apr 05 '19 at 15:21
  • @0xSheepdog `-r` and `-R` are equivalent, so the command here is functionally identical to the one in the example. – larsks Apr 05 '19 at 17:35
  • Do you mean that this play succeeds but the fcontext was not created? Or does the play fail? – Michael Hampton Apr 05 '19 at 18:43
  • @MichaelHampton Those commands have always been successful and fcontext is not created. I either get "changed" or "ok". – devNoise Apr 05 '19 at 19:14
  • Ah, forgot the r/R thing. I was also curious if you'd tried the `command` module instead of `shell`. Not sure it would matter. – 0xSheepdog Apr 05 '19 at 21:17
  • Check the output of `semanage fcontext -l -C` after you ran this playbook, but before you manually added the file context. – Michael Hampton Apr 06 '19 at 00:36

1 Answer

I just stumbled on this issue. By listing the local customizations, I found that I had applied multiple policies to the same file. You can view local policies with `semanage fcontext --list --locallist` and then run `semanage fcontext -d '/some/location(/.*)?'`

`man semanage-fcontext` for more info.
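The check the answer and the comments describe, as an added example that is not part of the question or the answer: it parses the local-customization listing from `semanage fcontext -l -C` and reports whether the directory has no local rule, exactly the expected rule, or several clashing rules. The listing is a constructed sample, not output from the asker's server, and `local_types_for` / `check_fcontext` are names chosen here.

```shell
#!/bin/sh
# Constructed sample of `semanage fcontext -l -C` output. /var/www/sync has two
# local rules (a stale var_t one and the httpd one), the situation the answer found.
SAMPLE_LOCALLIST='SELinux fcontext                  type       Context
/srv/data(/.*)?                     all files  system_u:object_r:httpd_sys_content_t:s0
/var/www/sync(/.*)?                 all files  system_u:object_r:var_t:s0
/var/www/sync(/.*)?                 all files  system_u:object_r:httpd_sys_content_t:s0'

# Print the SELinux type of every local rule whose pattern is exactly "<dir>(/.*)?",
# the pattern the sefcontext task in the question creates.
# $1 = directory without trailing slash, $2 = listing text (default: query semanage)
local_types_for() {
  _dir=$1
  _listing=${2:-$(semanage fcontext -l -C)}
  printf '%s\n' "$_listing" |
    awk -v pat="${_dir}(/.*)?" '$1 == pat { split($NF, c, ":"); print c[3] }'
}

# Classify the local rules for a directory against the type Apache needs:
#   ok        exactly one rule, with the expected type
#   missing   no local rule at all (the playbook never added it)
#   conflict  more than one rule, or a rule with a different type
# $1 = directory, $2 = expected type, $3 = listing text (optional)
check_fcontext() {
  _types=$(local_types_for "$1" "$3")
  _count=$(printf '%s\n' "$_types" | awk 'NF { n++ } END { print n+0 }')
  if [ "$_count" -eq 0 ]; then
    echo missing
  elif [ "$_count" -eq 1 ] && [ "$_types" = "$2" ]; then
    echo ok
  else
    echo conflict
  fi
}

# Report the clashing rules and the semanage command that removes them.
check_fcontext /var/www/sync httpd_sys_content_t "$SAMPLE_LOCALLIST"   # conflict
for t in $(local_types_for /var/www/sync "$SAMPLE_LOCALLIST"); do
  echo "local rule: /var/www/sync(/.*)? -> $t  (drop with: semanage fcontext -d '/var/www/sync(/.*)?')"
done
```

Run it against the live listing by omitting the third argument; after deleting the stale rule, the sefcontext task followed by `restorecon -Rv` applies the remaining httpd_sys_content_t rule.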
