Bug 2087282

Summary: Getting "can't open file" for ipadnszone.py module when using fapolicyd
Product: Red Hat Enterprise Linux 9 Reporter: Mike Ralph <mralph>
Component: fapolicydAssignee: Radovan Sroka <rsroka>
Status: CLOSED MIGRATED QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 9.0CC: dapospis, twoerner
Target Milestone: rcKeywords: MigratedToJIRA, Triaged
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2023-08-16 14:29:43 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Mike Ralph 2022-05-17 18:54:50 UTC 
Description of problem:
  When attempting to use the ipadnszone module on a RHEL 9.0 server that has fapolicyd running I am receiving:

module_stdout": "/usr/bin/python3: can't open file '/home/<user>/.ansible/tmp/ansible-tmp-1652812850.798601-56968-125412819555844/AnsiballZ_ipadnszone.py': [Errno 1] Operation not permitted\r\n", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 2


Version-Release number of selected component (if applicable):
  RHEL 9.0
  ansible-freeipa-1.7.0-1.fc35
  ansible-core-2.12.5-1.fc35

How reproducible:
  everytime


Steps to Reproduce:
1. install/enable/start fapolicyd
2. attempt to run module against a RHEL 9 server

Actual results:
  fails

Expected results:
  succeeds


Additional info:
  Role I am trying to run, it succeeds on RHEL 7&8:

- name: Allow PTR Sync on forward zone
  ipadnszone:
    ipaadmin_password: "{{ ipaadmin_password }}"
    name: "{{ ipaserver_domain }}"
    allow_sync_ptr: true
    dynamic_update: true
    state: present
- name: Allow PTR Sync on reverse zone
  ipadnszone:
    ipaadmin_password: "{{ ipaadmin_password }}"
    name: "{{ ipaserver_reverse_zones }}"
    allow_sync_ptr: true
    dynamic_update: true
    state: present
Comment 2 Thomas Woerner 2022-05-18 12:13:18 UTC 
Is this issue only happening with ansible-freeipa modules or also with modules from ansible and other projects?
Comment 3 Thomas Woerner 2022-05-19 11:49:17 UTC 
I verified this with a fresh RHEL-9 installation. After enabling fapolicyd I am only able to use Ansible with the root user, but not with the normal user.

This is a know bug: https://bugzilla.redhat.com/show_bug.cgi?id=1903549

Enabling gather_facts, the issue is happening already in

TASK [Gathering Facts] *********************************************************
fatal: [ipaserver..........]: FAILED! => {"ansible_facts": {}, "changed": false, "failed_modules": {"ansible.legacy.setup": {"ansible_facts": {"discovered_interpreter_python": "/usr/bin/python3"}, "failed": true, "module_stderr": "Shared connection to ipaserver....... closed.\r\n", "module_stdout": "/usr/bin/python3: can't open file '/home/....../.ansible/tmp/ansible-tmp-1652960237.7173314-113125-237253228314937/AnsiballZ_setup.py': [Errno 1] Operation not permitted\r\n", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 2}}, "msg": "The following modules failed to execute: ansible.legacy.setup\n"}

This is no ansible-freeipa issue. Assigning to fapolicyd.
Comment 4 Radovan Sroka 2023-01-12 17:05:20 UTC 
(In reply to Thomas Woerner from comment #3)
> I verified this with a fresh RHEL-9 installation. After enabling fapolicyd I
> am only able to use Ansible with the root user, but not with the normal user.
> 
> This is a know bug: https://bugzilla.redhat.com/show_bug.cgi?id=1903549
> 
> Enabling gather_facts, the issue is happening already in
> 
> TASK [Gathering Facts]
> *********************************************************
> fatal: [ipaserver..........]: FAILED! => {"ansible_facts": {}, "changed":
> false, "failed_modules": {"ansible.legacy.setup": {"ansible_facts":
> {"discovered_interpreter_python": "/usr/bin/python3"}, "failed": true,
> "module_stderr": "Shared connection to ipaserver....... closed.\r\n",
> "module_stdout": "/usr/bin/python3: can't open file
> '/home/....../.ansible/tmp/ansible-tmp-1652960237.7173314-113125-
> 237253228314937/AnsiballZ_setup.py': [Errno 1] Operation not permitted\r\n",
> "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 2}},
> "msg": "The following modules failed to execute: ansible.legacy.setup\n"}
> 
> This is no ansible-freeipa issue. Assigning to fapolicyd.

Yes, you are right. The original problem is that fapolicyd does not support non root users for ansible.

There are few possibilities how to allow something like that. E.g. you can add some rule to the rules.d directory.
Comment 6 Radovan Sroka 2023-08-16 14:29:43 UTC 
This bug is going to be migrated.

Contact point for migration questions or issues: rsroka
Guidance for Bugzilla users to test their Jira account or create one if needed:

https://redhat.service-now.com/help?id=kb_article_view&sysparm_article=KB0016394
https://redhat.service-now.com/help?id=kb_article_view&sysparm_article=KB0016694
https://redhat.service-now.com/help?id=kb_article_view&sysparm_article=KB0016774