sefcontext restorecon

Hi,

I am using Ansible 2.2 and wanted to implement a step to set the SELinux context of a file using the sefcontext module. After some work to get it working on RHEL 7, it is successfully writing the new rules I defined to the local policy file; however, the files are still not getting the updates (doing ls -Z still shows the old context on the file). Subsequently doing a restorecon on the files would force restoration of the policy and hence solve the issue, but I was wondering if this should somehow be included as functionality of the sefcontext module. Also I see that the module has a reload option which by default I’m leaving at True; what is the purpose of this option exactly?

I can definitely fix the issue by explicitly running the restorecon command through ansible, but I would like to understand if there is a better way which I’m missing.

Thanks and Regards,
Andy

Hi,

I wrote the sefcontext module.

The sefcontext module is roughly the functionality that 'semanage fcontext' provides you. It allows you to add SELinux file context mappings to the internal database.

Now, the module is not intended to change file contexts based on the mapping, just as 'semanage fcontext' does not. (See man semanage)

As you said, you can do this with restorecon, or the file module, or simply making sure that you first create the required file contexts before you start using the locations, in which case the SELinux file contexts will be applied automatically to new files.

The reload option is there to reload the SELinux policy after making changes. And it is by default turned on because that's what most people would expect. (It makes the changes active immediately to be used)

PS If the documentation was confusing, let me know what you would change in it to make things more obvious. I am all for improving things!

Kind regards,
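
The three options from the reply above, written out as an added example playbook (not part of the thread and not from the Ansible project): sefcontext persists the mapping, restorecon applies it to files that already exist, and the file module covers a path created after the mapping is in place. The path /srv/www, the type httpd_sys_content_t and the host group webservers are assumed for illustration.

```yaml
# Added example, not code from the original thread.
# Assumed values: /srv/www, httpd_sys_content_t, host group "webservers".
- name: Persist and apply an SELinux file-context mapping
  hosts: webservers
  become: true
  tasks:
    # Equivalent of 'semanage fcontext -a -t httpd_sys_content_t "/srv/www(/.*)?"'.
    # This only updates the local policy database; it relabels nothing.
    - name: Add file-context mapping to the local policy
      sefcontext:
        target: '/srv/www(/.*)?'
        setype: httpd_sys_content_t
        state: present
        reload: true            # default: reload policy so the mapping is active now
      register: fcontext

    # Files that existed before the mapping keep their old label until restorecon
    # runs. Only run it when the mapping actually changed, and report "changed"
    # only when restorecon -v printed a reset line for at least one file.
    - name: Relabel existing files under the new mapping
      command: restorecon -Rv /srv/www
      when: fcontext.changed
      register: relabel
      changed_when: relabel.stdout != ''

    # A path created after the mapping exists gets the mapped label automatically;
    # setype here is only a one-off correction for a path that is already wrong.
    - name: Ensure the web root exists with the expected label
      file:
        path: /srv/www
        state: directory
        setype: httpd_sys_content_t

    # Verification step: ls -Z should now show httpd_sys_content_t.
    - name: Show the resulting label
      command: ls -Zd /srv/www
      register: label
      changed_when: false

    - name: Fail if the label was not applied
      assert:
        that: "'httpd_sys_content_t' in label.stdout"
```

The `changed_when` on the restorecon task keeps the play idempotent: a second run finds the mapping present, skips restorecon, and the file module reports no change because the directory already carries the mapped type.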

Thanks sir; that makes sense. It appears my question was more due to my limited experience in selinux rather than poor documentation so I wouldn’t suggest a change in documentation for now.

Regards,
Andy

Well, the documentation is there also for users with limited experience in SELinux. So a documentation change is still in order IMO.

It's just that I strongly believe in revising documentation by end-users, rather than the person who wrote it and (thinks he) knows it all :slight_smile:

Kind regards,

I didn’t get this reply earlier; I’ll get back to you with some more expanded documentation and if it pleases you we can merge it. In my mind, more than anything I would add a couple of examples/use-cases; but I’ll let you know.

Thanks again