Bug 1003630
Summary: | ansible cannot be run with confined user and ssh since it create control socket in homedir | | |
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Michael S. <misc> |
Component: | selinux-policy-targeted | Assignee: | Miroslav Grepl <mgrepl> |
Status: | CLOSED ERRATA | QA Contact: | Ben Levenson <benl> |
Severity: | unspecified | Priority: | unspecified |
Version: | 19 | CC: | dwalsh, plautrba |
Hardware: | Unspecified | OS: | Unspecified |
Fixed In Version: | selinux-policy-3.12.1-74.2.fc19 | Doc Type: | Bug Fix |
Last Closed: | 2013-09-12 01:54:04 UTC | Type: | Bug |
Description
Michael S.
2013-09-02 14:12:13 UTC
Would it make sense to label it ssh_home_t?

    chcon -R -t ssh_home_t ~/.ansible

I doubt it, since there is more than the ssh socket there. For example, the default remote temporary directory is in ~/.ansible/tmp and I suspect that upstream may start to add more stuff there.

Well, should .ansible be under ~/.config? Or can we get ansible to create the socket in ~/.ssh/? Or can we label ~/.ansible/cp as ssh_home_t?

I vote for the 3rd option, no need to modify upstream configuration. .ansible is not configuration, there is ~/.ansible.cfg for that. It could be under .local, but I suspect they want to support platforms that predate the convention. I can ask upstream to take a look at that bug if you want.

98126e4da70c2cd2a4853197fc43b7adb2d4f863 in git adds a label for ssh_home_t in the ansible subdir:

    HOME_DIR/\.ansible/cp/.* -s gen_context(system_u:object_r:ssh_home_t,s0)

Also allows ssh_t to create ssh_home_t sock_files in user_home_t directories.

Backported.

selinux-policy-3.12.1-74.2.fc19 has been submitted as an update for Fedora 19. https://admin.fedoraproject.org/updates/selinux-policy-3.12.1-74.2.fc19

Package selinux-policy-3.12.1-74.2.fc19:

* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.

Update it with:

    # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.12.1-74.2.fc19'

as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2013-16231/selinux-policy-3.12.1-74.2.fc19 then log in and leave karma (feedback).

selinux-policy-3.12.1-74.2.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
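The scope of the file-context rule quoted in the fix comment, as an added example (not part of the bug report or the policy source): a simplified model of file-context matching that shows only socket files under ~/.ansible/cp pick up ssh_home_t. The home directory, sample paths and function names are constructed for illustration.

```python
import re
import stat

# File-context line quoted in the bug (from the policy fix).
FC_LINE = r"HOME_DIR/\.ansible/cp/.* -s gen_context(system_u:object_r:ssh_home_t,s0)"

# Type flags used in .fc files, mapped to stat file-type bits.
FC_TYPES = {"--": stat.S_IFREG, "-d": stat.S_IFDIR, "-s": stat.S_IFSOCK,
            "-l": stat.S_IFLNK, "-p": stat.S_IFIFO,
            "-b": stat.S_IFBLK, "-c": stat.S_IFCHR}


def parse_fc(line, home):
    """Split one .fc line into (compiled regex, file type or None, context)."""
    fields = line.split()
    pattern, context = fields[0], fields[-1]
    ftype = FC_TYPES[fields[1]] if len(fields) == 3 else None
    # genhomedircon replaces HOME_DIR with each real home directory.
    pattern = pattern.replace("HOME_DIR", re.escape(home))
    # gen_context(user:role:type,level) -> user:role:type:level
    m = re.fullmatch(r"gen_context\(([^,]+),([^)]+)\)", context)
    return re.compile(pattern), ftype, f"{m.group(1)}:{m.group(2)}"


def label_for(path, mode, rule):
    """Return the rule's context if path and file type match, else None."""
    regex, ftype, context = rule
    if ftype is not None and stat.S_IFMT(mode) != ftype:
        return None
    # File-context patterns are anchored at both ends.
    return context if regex.fullmatch(path) else None


def demo(home="/home/alice"):  # constructed home directory
    rule = parse_fc(FC_LINE, home)
    samples = [  # constructed paths and file types
        (f"{home}/.ansible/cp/ansible-ssh-host-22-alice", stat.S_IFSOCK),
        (f"{home}/.ansible/cp/notes.txt", stat.S_IFREG),
        (f"{home}/.ansible/cp", stat.S_IFDIR),
        (f"{home}/.ansible/tmp/ansible-tmp-1/module", stat.S_IFREG),
        (f"{home}/.ssh/known_hosts", stat.S_IFREG),
    ]
    return {path: label_for(path, mode, rule) for path, mode in samples}


if __name__ == "__main__":
    for path, ctx in demo().items():
        print(f"{ctx or 'no match (other rules apply)':40} {path}")
```

Paths reported as no match keep whatever label the rest of the policy assigns them, which is why ~/.ansible/tmp is unaffected by this rule.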