Copy module issues with SELinux on NFS

Has anyone been able to resolve an SELinux issue when using the copy module when writing to an NFS mount?

I tried specifying the SE options to force it, but that doesn't appear to work. My /tmp is local disk where Ansible first uploads the file, but the final destination /u01/app/oracle/product/fmw/wlserver_10.3/server/lib is on an NFS mount (hosted on Netapp). This issue only comes up on NFS. Using the copy module on a destination that is local disk like /home/applmgr has no issues.

I am thinking my workaround is going to have to be issuing a move command after uploading the file to a path that is on the local file system. I am using Ansible 1.5.5.

- name: Install JKS for SSL
  copy: src={{ item.source }} dest={{ item.destination }} owner=applmgr group=oinstall mode=0644 backup=yes seuser=_default serole=_default setype=_default
  with_items:
    - { source: 'files/CAtrust.jks', destination: '/u01/app/oracle/product/fmw/wlserver_10.3/server/lib/CAtrust.jks' }
  sudo_user: applmgr

TASK: [Install JKS for SSL] ***************************************************
ESTABLISH CONNECTION FOR USER: systems on PORT 22 TO stg-intmon-app-02
EXEC /bin/sh -c 'sudo -k && sudo -H -S -p "[sudo via ansible, key=hyfpcveiujdsjplloxksrkpnccgbctjl] password: " -u applmgr /bin/sh -c '"'"'echo SUDO-SUCCESS-hyfpcveiujdsjplloxksrkpnccgbctjl; rc=0; [ -r "/u01/app/oracle/product/fmw/wlserver_10.3/server/lib/CAtrust.jks" ] || rc=2; [ -f "/u01/app/oracle/product/fmw/wlserver_10.3/server/lib/CAtrust.jks" ] || rc=1; [ -d "/u01/app/oracle/product/fmw/wlserver_10.3/server/lib/CAtrust.jks" ] && echo 3 && exit 0; (/usr/bin/md5sum /u01/app/oracle/product/fmw/wlserver_10.3/server/lib/CAtrust.jks 2>/dev/null) || (/sbin/md5sum -q /u01/app/oracle/product/fmw/wlserver_10.3/server/lib/CAtrust.jks 2>/dev/null) || (/usr/bin/digest -a md5 /u01/app/oracle/product/fmw/wlserver_10.3/server/lib/CAtrust.jks 2>/dev/null) || (/sbin/md5 -q /u01/app/oracle/product/fmw/wlserver_10.3/server/lib/CAtrust.jks 2>/dev/null) || (/usr/bin/md5 -n /u01/app/oracle/product/fmw/wlserver_10.3/server/lib/CAtrust.jks 2>/dev/null) || (/bin/md5 -q /u01/app/oracle/product/fmw/wlserver_10.3/server/lib/CAtrust.jks 2>/dev/null) || (/usr/bin/csum -h MD5 /u01/app/oracle/product/fmw/wlserver_10.3/server/lib/CAtrust.jks 2>/dev/null) || (/bin/csum -h MD5 /u01/app/oracle/product/fmw/wlserver_10.3/server/lib/CAtrust.jks 2>/dev/null) || (echo "${rc} /u01/app/oracle/product/fmw/wlserver_10.3/server/lib/CAtrust.jks")'"'"''
EXEC /bin/sh -c 'mkdir -p /tmp/ansible-tmp-1406010170.17-83664497534334 && chmod a+rx /tmp/ansible-tmp-1406010170.17-83664497534334 && echo /tmp/ansible-tmp-1406010170.17-83664497534334'
PUT /opt/playbook/intmon/roles/weblogic/tasks/files/CAtrust.jks TO /tmp/ansible-tmp-1406010170.17-83664497534334/source
EXEC /bin/sh -c 'chmod a+r /tmp/ansible-tmp-1406010170.17-83664497534334/source'
PUT /tmp/tmpTUjBR9 TO /tmp/ansible-tmp-1406010170.17-83664497534334/copy
EXEC /bin/sh -c 'chmod a+r /tmp/ansible-tmp-1406010170.17-83664497534334/copy'
EXEC /bin/sh -c 'sudo -k && sudo -H -S -p "[sudo via ansible, key=nyamsxiowxjuicxewlbnfaojqzneyfhj] password: " -u applmgr /bin/sh -c '"'"'echo SUDO-SUCCESS-nyamsxiowxjuicxewlbnfaojqzneyfhj; /usr/bin/python /tmp/ansible-tmp-1406010170.17-83664497534334/copy'"'"''
EXEC /bin/sh -c 'rm -rf /tmp/ansible-tmp-1406010170.17-83664497534334/ >/dev/null 2>&1'
failed: [stg-intmon-app-02] => (item={'source': 'files/CAtrust.jks', 'destination': '/u01/app/oracle/product/fmw/wlserver_10.3/server/lib/CAtrust.jks'}) => {"cur_context": ["system_u", "object_r", "nfs_t", "s0"], "failed": true, "gid": 501, "group": "oinstall", "input_was": ["system_u", "object_r", "default_t", "s0"], "item": {"destination": "/u01/app/oracle/product/fmw/wlserver_10.3/server/lib/CAtrust.jks", "source": "files/CAtrust.jks"}, "md5sum": "6927b8279d5265ff0c97a9efee474ee6", "mode": "0664", "new_context": ["system_u", "object_r", "default_t", "s0"], "owner": "applmgr", "path": "/u01/app/oracle/product/fmw/wlserver_10.3/server/lib/.CAtrust.jks.4439.1406010170.72", "secontext": "system_u:object_r:nfs_t:s0", "size": 15070, "state": "file", "uid": 503}
msg: invalid selinux context

FATAL: all hosts have already failed -- aborting

[root@stg-intmon-app-02 tmp]# ls -lZ /u01/app/oracle/product/fmw/wlserver_10.3/server/lib/*.jks
-rwxr-x---. applmgr oinstall system_u:object_r:nfs_t:s0 /u01/app/oracle/product/fmw/wlserver_10.3/server/lib/DemoIdentity.jks
-rwxr-x---. applmgr oinstall system_u:object_r:nfs_t:s0 /u01/app/oracle/product/fmw/wlserver_10.3/server/lib/DemoTrust.jks

But this is OK when not on NFS:

- name: Upload Weblogic silent install config
  copy: src=files/standard_silent_wls_java6u45.xml dest=/home/applmgr/standard_silent_wls_java6u45.xml owner=applmgr group=oinstall mode=0644 backup=no
  sudo_user: applmgr

TASK: [Upload Weblogic silent install config] *********************************
ESTABLISH CONNECTION FOR USER: systems on PORT 22 TO stg-intmon-app-02
EXEC /bin/sh -c 'sudo -k && sudo -H -S -p "[sudo via ansible, key=prjkakodhdaeiuduuzbbnbanwvumzjyc] password: " -u applmgr /bin/sh -c '"'"'echo SUDO-SUCCESS-prjkakodhdaeiuduuzbbnbanwvumzjyc; rc=0; [ -r "/home/applmgr/standard_silent_wls_java6u45.xml" ] || rc=2; [ -f "/home/applmgr/standard_silent_wls_java6u45.xml" ] || rc=1; [ -d "/home/applmgr/standard_silent_wls_java6u45.xml" ] && echo 3 && exit 0; (/usr/bin/md5sum /home/applmgr/standard_silent_wls_java6u45.xml 2>/dev/null) || (/sbin/md5sum -q /home/applmgr/standard_silent_wls_java6u45.xml 2>/dev/null) || (/usr/bin/digest -a md5 /home/applmgr/standard_silent_wls_java6u45.xml 2>/dev/null) || (/sbin/md5 -q /home/applmgr/standard_silent_wls_java6u45.xml 2>/dev/null) || (/usr/bin/md5 -n /home/applmgr/standard_silent_wls_java6u45.xml 2>/dev/null) || (/bin/md5 -q /home/applmgr/standard_silent_wls_java6u45.xml 2>/dev/null) || (/usr/bin/csum -h MD5 /home/applmgr/standard_silent_wls_java6u45.xml 2>/dev/null) || (/bin/csum -h MD5 /home/applmgr/standard_silent_wls_java6u45.xml 2>/dev/null) || (echo "${rc} /home/applmgr/standard_silent_wls_java6u45.xml")'"'"''
EXEC /bin/sh -c 'mkdir -p /tmp/ansible-tmp-1406009753.63-205073731489156 && chmod a+rx /tmp/ansible-tmp-1406009753.63-205073731489156 && echo /tmp/ansible-tmp-1406009753.63-205073731489156'
PUT /opt/playbook/intmon/roles/weblogic/tasks/files/standard_silent_wls_java6u45.xml TO /tmp/ansible-tmp-1406009753.63-205073731489156/source
EXEC /bin/sh -c 'chmod a+r /tmp/ansible-tmp-1406009753.63-205073731489156/source'
PUT /tmp/tmpjajnpT TO /tmp/ansible-tmp-1406009753.63-205073731489156/copy
EXEC /bin/sh -c 'chmod a+r /tmp/ansible-tmp-1406009753.63-205073731489156/copy'
EXEC /bin/sh -c 'sudo -k && sudo -H -S -p "[sudo via ansible, key=zjfkqcclaxexsimgzzuwwintokanbidr] password: " -u applmgr /bin/sh -c '"'"'echo SUDO-SUCCESS-zjfkqcclaxexsimgzzuwwintokanbidr; /usr/bin/python /tmp/ansible-tmp-1406009753.63-205073731489156/copy'"'"''
EXEC /bin/sh -c 'rm -rf /tmp/ansible-tmp-1406009753.63-205073731489156/ >/dev/null 2>&1'
changed: [stg-intmon-app-02] => {"changed": true, "dest": "/home/applmgr/standard_silent_wls_java6u45.xml", "gid": 501, "group": "oinstall", "md5sum": "1acef40ba022448b0f61b6b82384c96e", "mode": "0644", "owner": "applmgr", "secontext": "unconfined_u:object_r:user_home_t:s0", "size": 4059, "src": "/tmp/ansible-tmp-1406009753.63-205073731489156/source", "state": "file", "uid": 503}

[root@stg-intmon-app-02 applmgr]# ls -lZ /home/applmgr/*.xml
-rw-r--r--. applmgr oinstall unconfined_u:object_r:user_home_t:s0 /home/applmgr/standard_silent_wls_java6u45.xml

First off, please don't run 1.5.5; the current version of Ansible is 1.6.7, and it contains security fixes which you most definitely want applied.

If you still see issues there, let us know.

I’d like to see the command from your playbook line and both the expected SELinux state and the desired SELinux state, or what you think the above problem is.

I am unclear, in "tried specifying the SE options to force it, but that doesn't appear to work.", what "doesn't work" means, in other words.

I’m of course not saying there is a problem, but this helps me understand more what you are looking for.

Thanks!

I've updated to 1.6.6 now because that's what's available in the yum EPEL repos. When 1.6.7 or higher is available, I can upgrade that package. Most things on our systems come through our channel to Red Hat Network or a user-managed channel.

This is really weird: now there is no problem. Maybe there was something cached in /tmp from previous playbook runs when I did not specify seuser=system_u serole=object_r setype=nfs_t in the tasks, or simply because I have now updated Ansible to version 1.6.6.

I believe the previous problem is that the module is trying to set the SELinux context to be default_t. If I run the command on the server:

[root@stg-intmon-app-02 lib]# chcon -t default_t /u01/app/oracle/product/fmw/wlserver_10.3/server/lib/CAtrust.jks
chcon: failed to change context of `/u01/app/oracle/product/fmw/wlserver_10.3/server/lib/CAtrust.jks' to `system_u:object_r:default_t:s0': Operation not supported
[root@stg-intmon-app-02 lib]# ls -lZ /u01/app/oracle/product/fmw/wlserver_10.3/server/lib/CAtrust.jks
-rw-r--r--. applmgr oinstall system_u:object_r:nfs_t:s0 /u01/app/oracle/product/fmw/wlserver_10.3/server/lib/CAtrust.jks

TASK: [Install JKS for SSL] ***************************************************
ESTABLISH CONNECTION FOR USER: systems on PORT 22 TO stg-intmon-app-02
EXEC /bin/sh -c 'sudo -k && sudo -H -S -p "[sudo via ansible, key=lswacpkpjvajuonoykzhsynbeketkhzp] password: " -u applmgr /bin/sh -c '"'"'echo SUDO-SUCCESS-lswacpkpjvajuonoykzhsynbeketkhzp; rc=0; [ -r "/u01/app/oracle/product/fmw/wlserver_10.3/server/lib/CAtrust.jks" ] || rc=2; [ -f "/u01/app/oracle/product/fmw/wlserver_10.3/server/lib/CAtrust.jks" ] || rc=1; [ -d "/u01/app/oracle/product/fmw/wlserver_10.3/server/lib/CAtrust.jks" ] && echo 3 && exit 0; (/usr/bin/md5sum /u01/app/oracle/product/fmw/wlserver_10.3/server/lib/CAtrust.jks 2>/dev/null) || (/sbin/md5sum -q /u01/app/oracle/product/fmw/wlserver_10.3/server/lib/CAtrust.jks 2>/dev/null) || (/usr/bin/digest -a md5 /u01/app/oracle/product/fmw/wlserver_10.3/server/lib/CAtrust.jks 2>/dev/null) || (/sbin/md5 -q /u01/app/oracle/product/fmw/wlserver_10.3/server/lib/CAtrust.jks 2>/dev/null) || (/usr/bin/md5 -n /u01/app/oracle/product/fmw/wlserver_10.3/server/lib/CAtrust.jks 2>/dev/null) || (/bin/md5 -q /u01/app/oracle/product/fmw/wlserver_10.3/server/lib/CAtrust.jks 2>/dev/null) || (/usr/bin/csum -h MD5 /u01/app/oracle/product/fmw/wlserver_10.3/server/lib/CAtrust.jks 2>/dev/null) || (/bin/csum -h MD5 /u01/app/oracle/product/fmw/wlserver_10.3/server/lib/CAtrust.jks 2>/dev/null) || (echo "${rc} /u01/app/oracle/product/fmw/wlserver_10.3/server/lib/CAtrust.jks")'"'"''
EXEC /bin/sh -c 'mkdir -p /tmp/ansible-tmp-1406062803.27-36447185215066 && chmod a+rx /tmp/ansible-tmp-1406062803.27-36447185215066 && echo /tmp/ansible-tmp-1406062803.27-36447185215066'
PUT /opt/playbook/intmon/roles/weblogic/tasks/files/CAtrust.jks TO /tmp/ansible-tmp-1406062803.27-36447185215066/source
EXEC /bin/sh -c 'chmod a+r /tmp/ansible-tmp-1406062803.27-36447185215066/source'
PUT /tmp/tmpQ6uefX TO /tmp/ansible-tmp-1406062803.27-36447185215066/copy
EXEC /bin/sh -c 'chmod a+r /tmp/ansible-tmp-1406062803.27-36447185215066/copy'
EXEC /bin/sh -c 'sudo -k && sudo -H -S -p "[sudo via ansible, key=pdborrdasyvrjoyqdfyshjewqfqpnsqr] password: " -u applmgr /bin/sh -c '"'"'echo SUDO-SUCCESS-pdborrdasyvrjoyqdfyshjewqfqpnsqr; LC_CTYPE=C LANG=C /usr/bin/python /tmp/ansible-tmp-1406062803.27-36447185215066/copy'"'"''
EXEC /bin/sh -c 'rm -rf /tmp/ansible-tmp-1406062803.27-36447185215066/ >/dev/null 2>&1'
changed: [stg-intmon-app-02] => (item={'source': 'files/CAtrust.jks', 'destination': '/u01/app/oracle/product/fmw/wlserver_10.3/server/lib/CAtrust.jks'}) => {"changed": true, "dest": "/u01/app/oracle/product/fmw/wlserver_10.3/server/lib/CAtrust.jks", "gid": 501, "group": "oinstall", "item": {"destination": "/u01/app/oracle/product/fmw/wlserver_10.3/server/lib/CAtrust.jks", "source": "files/CAtrust.jks"}, "md5sum": "6927b8279d5265ff0c97a9efee474ee6", "mode": "0644", "owner": "applmgr", "secontext": "system_u:object_r:nfs_t:s0", "size": 15070, "src": "/tmp/ansible-tmp-1406062803.27-36447185215066/source", "state": "file", "uid": 503}

The Ansible task is:

- name: Install JKS for SSL
  copy: src={{ item.source }} dest={{ item.destination }} owner=applmgr group=oinstall mode=0644 backup=yes seuser=system_u serole=object_r setype=nfs_t
  with_items:
    - { source: 'files/CAtrust.jks', destination: '/u01/app/oracle/product/fmw/wlserver_10.3/server/lib/CAtrust.jks' }
  sudo_user: applmgr
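The failure in the first post (input_was default_t, cur_context nfs_t, then "invalid selinux context") and the chcon "Operation not supported" in the follow-up are two views of the same rule: NFS does not store per-file SELinux labels, so every file on the mount reports one mount-wide context (the mount's context= option, or nfs_t when there is none) and no individual file can be relabelled. Leaving the SE options at _default asks the module to apply the policy default for an unknown path, which the filesystem cannot honour, while setype=nfs_t simply matches what the mount already reports. The script below is an added illustration for this thread, not code from the Ansible copy/file module: a pre-flight check that parses a /proc/mounts-style table, works out which mount a destination lives on, and reports whether a copy task's seuser/serole/setype/selevel request can be satisfied there. The list of non-labeling filesystems, the default_t stand-in for the policy default, the device names, the NFS server name and the 192.0.2.10 address in the sample mount table are all assumptions.

```python
# Added illustration for this thread; not code from the Ansible copy/file
# module. It models why seuser=_default serole=_default setype=_default fails
# on an NFS destination (the resolved policy default, default_t, can never be
# applied there) while setype=nfs_t, or any local-disk destination, succeeds.

# Filesystems that do not store per-file SELinux labels; the kernel reports one
# mount-wide context for every file on them. Illustrative list (assumption),
# not taken from Ansible or the reference policy.
NON_LABELING_FS = {"nfs", "nfs4", "cifs", "vboxsf", "fuse"}

# Context reported for files on an NFS mount that has no context= option,
# as seen in the ls -lZ output in this thread.
NFS_DEFAULT_CONTEXT = ("system_u", "object_r", "nfs_t", "s0")

# Stand-in for what matchpathcon would return for a path with no specific
# file-context rule (assumption; the thread's failed run shows this value
# as input_was).
POLICY_DEFAULT_CONTEXT = ("system_u", "object_r", "default_t", "s0")


def parse_mounts(proc_mounts_text):
    """Parse /proc/mounts-style lines into (mountpoint, fstype, [options])."""
    mounts = []
    for line in proc_mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip blank or truncated lines
        _device, mountpoint, fstype, options = fields[:4]
        mounts.append((mountpoint, fstype, options.split(",")))
    return mounts


def mount_for(path, mounts):
    """Return the mount whose mountpoint is the longest prefix of path."""
    best = None
    for entry in mounts:
        mountpoint = entry[0]
        prefix = mountpoint.rstrip("/") + "/"
        if path == mountpoint or path.startswith(prefix):
            if best is None or len(mountpoint) > len(best[0]):
                best = entry
    return best


def mount_context(options):
    """Return the mount's context= option as a 4-tuple, or None if absent."""
    for opt in options:
        if opt.startswith("context="):
            value = opt[len("context="):].strip('"')
            return tuple(value.split(":"))
    return None


def plan_copy(dest, requested, proc_mounts_text):
    """Pre-flight check for a copy task's SELinux arguments.

    dest: destination path on the managed host.
    requested: (seuser, serole, setype, selevel); "_default" in any slot means
               "use the policy default", as in Ansible's copy/file modules.
    Returns the context the file will actually carry, whether per-file labels
    can be set on that filesystem, and whether the request conflicts with it.
    """
    entry = mount_for(dest, parse_mounts(proc_mounts_text))
    fstype, options = (entry[1], entry[2]) if entry else ("", [])

    # Resolve _default slots the way the module would, via the policy default.
    resolved = tuple(
        policy if req == "_default" else req
        for req, policy in zip(requested, POLICY_DEFAULT_CONTEXT)
    )

    if fstype in NON_LABELING_FS:
        # Every file on this mount carries the mount-wide context; chcon on a
        # single file fails with "Operation not supported", as in the thread.
        effective = mount_context(options) or NFS_DEFAULT_CONTEXT
        return {
            "fstype": fstype,
            "context": ":".join(effective),
            "labels_settable": False,
            "conflict": resolved != effective,
        }

    return {
        "fstype": fstype,
        "context": ":".join(resolved),
        "labels_settable": True,
        "conflict": False,
    }


# Constructed /proc/mounts sample modelled on the host in the thread
# (device names, NFS server name and address are made up).
SAMPLE_MOUNTS = """\
/dev/mapper/vg_root-lv_root / ext4 rw,relatime,seclabel,data=ordered 0 0
/dev/mapper/vg_root-lv_home /home ext4 rw,relatime,seclabel,data=ordered 0 0
netapp01:/vol/oracle /u01 nfs rw,relatime,vers=3,hard,addr=192.0.2.10 0 0
netapp01:/vol/web /var/www/shared nfs rw,relatime,context=system_u:object_r:httpd_sys_content_t:s0,vers=3 0 0
"""

if __name__ == "__main__":
    jks = "/u01/app/oracle/product/fmw/wlserver_10.3/server/lib/CAtrust.jks"
    # The failing 1.5.5 task: every slot left at _default on an NFS destination.
    print(plan_copy(jks, ("_default",) * 4, SAMPLE_MOUNTS))
    # The working task: setype=nfs_t matches the mount-wide context.
    print(plan_copy(jks, ("system_u", "object_r", "nfs_t", "s0"), SAMPLE_MOUNTS))
    # Local-disk destination: labels can be set, so _default is fine.
    print(plan_copy("/home/applmgr/standard_silent_wls_java6u45.xml",
                    ("_default",) * 4, SAMPLE_MOUNTS))
```

Run against the real host it would read /proc/mounts instead of SAMPLE_MOUNTS; the useful output is the conflict flag, which would have rejected the original _default task before the module ran, and the context field, which tells you the only value setype= can usefully take on that mount. A mount that carries a context= option gets that context for every file, so a task must request exactly that or leave the SE options alone.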