selinux issue

Hello guys
I do use Linux on my local PC and SELinux is enabled, though there's no context for the folders/files/etc.
And I am getting the following issue:
Recursion error when Ansible is trying to build the JSON it failed with.
I am getting it when I am trying to create a directory using the tempfile module, with parameters:
"invocation": {
    "module_args": {
        "path": "/tmp/",
        "prefix": "buildproject-Bk4mnluds1J6XoC28KyR0QzUgSVVpgSJBxQ7JlWf",
        "state": "directory",
        "suffix": ""
    }
},

Traceback:
  File "/tmp/ansible_tempfile_payload_qfnjn5co/ansible_tempfile_payload.zip/ansible/module_utils/basic.py", line 679, in selinux_context
    self.fail_json(path=path, msg='failed to retrieve selinux context')
  File "/tmp/ansible_tempfile_payload_qfnjn5co/ansible_tempfile_payload.zip/ansible/module_utils/basic.py", line 1531, in fail_json
    self._return_formatted(kwargs)
  File "/tmp/ansible_tempfile_payload_qfnjn5co/ansible_tempfile_payload.zip/ansible/module_utils/basic.py", line 1459, in _return_formatted
    self.add_path_info(kwargs)
  File "/tmp/ansible_tempfile_payload_qfnjn5co/ansible_tempfile_payload.zip/ansible/module_utils/basic.py", line 1212, in add_path_info
    kwargs['secontext'] = ':'.join(self.selinux_context(path))
                                   ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/tmp/ansible_tempfile_payload_qfnjn5co/ansible_tempfile_payload.zip/ansible/module_utils/basic.py", line 679, in selinux_context
    self.fail_json(path=path, msg='failed to retrieve selinux context')
  File "/tmp/ansible_tempfile_payload_qfnjn5co/ansible_tempfile_payload.zip/ansible/module_utils/basic.py", line 1531, in fail_json
    self._return_formatted(kwargs)
  File "/tmp/ansible_tempfile_payload_qfnjn5co/ansible_tempfile_payload.zip/ansible/module_utils/basic.py", line 1459, in _return_formatted
    self.add_path_info(kwargs)
  File "/tmp/ansible_tempfile_payload_qfnjn5co/ansible_tempfile_payload.zip/ansible/module_utils/basic.py", line 1212, in add_path_info
    kwargs['secontext'] = ':'.join(self.selinux_context(path))
                                   ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/tmp/ansible_tempfile_payload_qfnjn5co/ansible_tempfile_payload.zip/ansible/module_utils/basic.py", line 679, in selinux_context
    self.fail_json(path=path, msg='failed to retrieve selinux context')
  File "/tmp/ansible_tempfile_payload_qfnjn5co/ansible_tempfile_payload.zip/ansible/module_utils/basic.py", line 1531, in fail_json
    self._return_formatted(kwargs)
  File "/tmp/ansible_tempfile_payload_qfnjn5co/ansible_tempfile_payload.zip/ansible/module_utils/basic.py", line 1459, in _return_formatted
    self.add_path_info(kwargs)
  File "/tmp/ansible_tempfile_payload_qfnjn5co/ansible_tempfile_payload.zip/ansible/module_utils/basic.py", line 1212, in add_path_info
    kwargs['secontext'] = ':'.join(self.selinux_context(path))
                                   ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/tmp/ansible_tempfile_payload_qfnjn5co/ansible_tempfile_payload.zip/ansible/module_utils/basic.py", line 674, in selinux_context
    ret = selinux.lgetfilecon_raw(to_native(path, errors='surrogate_or_strict'))
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/tmp/ansible_tempfile_payload_qfnjn5co/ansible_tempfile_payload.zip/ansible/module_utils/compat/selinux.py", line 95, in lgetfilecon_raw
    rc = _selinux_lib.lgetfilecon_raw(path, byref(con))
         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
ctypes.ArgumentError: argument 1: RecursionError: maximum recursion depth exceeded
fatal: [127.0.0.1]: FAILED! => {
    "changed": false,
    "invocation": {
        "module_args": {
            "path": "/tmp/",
            "prefix": "buildproject-Bk4mnluds1J6XoC28KyR0QzUgSVVpgSJBxQ7JlWf",
            "state": "directory",
            "suffix": ""
        }
    },
    "msg": "argument 1: RecursionError: maximum recursion depth exceeded"
}

That is gnarly.

Can you provide the play code that attempted to perform this operation?

Rilindo

Here it is
ANSIBLE_KEEP_REMOTE_FILES=1 ansible localhost -m tempfile -a "path=/tmp/ prefix=buildproject state=directory" -vvv

And I debugged it: it's not able to get data about the SELinux context because it's not set, and it's triggering OSError with code 61.
Then it's trying to build up the JSON about the failure and it simply gets into the recursion…

I am not able to reproduce the error, at least with ansible core 2.15.3:

[rilindo@podman01 ~]$ getenforce
Enforcing
[rilindo@podman01 ~]$ ANSIBLE_KEEP_REMOTE_FILES=1 ansible localhost -m tempfile -a "path=/tmp/ prefix=buildproject state=directory" -vvv
ansible [core 2.15.3]
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/home/rilindo/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.11/site-packages/ansible
  ansible collection location = /home/rilindo/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/bin/ansible
  python version = 3.11.5 (main, Oct 25 2023, 16:19:59) [GCC 8.5.0 20210514 (Red Hat 8.5.0-20)] (/usr/bin/python3.11)
  jinja version = 3.1.2
  libyaml = True
Using /etc/ansible/ansible.cfg as config file
host_list declined parsing /etc/ansible/hosts as it did not pass its verify_file() method
script declined parsing /etc/ansible/hosts as it did not pass its verify_file() method
auto declined parsing /etc/ansible/hosts as it did not pass its verify_file() method
Parsed /etc/ansible/hosts inventory source with ini plugin
Skipping callback 'default', as we already have a stdout callback.
Skipping callback 'minimal', as we already have a stdout callback.
Skipping callback 'oneline', as we already have a stdout callback.
<127.0.0.1> ESTABLISH LOCAL CONNECTION FOR USER: rilindo
<127.0.0.1> EXEC /bin/sh -c 'echo ~rilindo && sleep 0'
<127.0.0.1> EXEC /bin/sh -c '( umask 77 && mkdir -p "echo /home/rilindo/.ansible/tmp"&& mkdir "echo /home/rilindo/.ansible/tmp/ansible-tmp-1707699264.9183002-64356-88319939050553" && echo ansible-tmp-1707699264.9183002-64356-88319939050553="echo /home/rilindo/.ansible/tmp/ansible-tmp-1707699264.9183002-64356-88319939050553" ) && sleep 0'
Using module file /usr/lib/python3.11/site-packages/ansible/modules/tempfile.py
<127.0.0.1> PUT /home/rilindo/.ansible/tmp/ansible-local-62330a2uwxtzt/tmp001liao1 TO /home/rilindo/.ansible/tmp/ansible-tmp-1707699264.9183002-64356-88319939050553/AnsiballZ_tempfile.py
<127.0.0.1> EXEC /bin/sh -c 'chmod u+x /home/rilindo/.ansible/tmp/ansible-tmp-1707699264.9183002-64356-88319939050553/ /home/rilindo/.ansible/tmp/ansible-tmp-1707699264.9183002-64356-88319939050553/AnsiballZ_tempfile.py && sleep 0'
<127.0.0.1> EXEC /bin/sh -c '/usr/bin/python3.11 /home/rilindo/.ansible/tmp/ansible-tmp-1707699264.9183002-64356-88319939050553/AnsiballZ_tempfile.py && sleep 0'
localhost | CHANGED => {
    "changed": true,
    "gid": 1000,
    "group": "rilindo",
    "invocation": {
        "module_args": {
            "path": "/tmp/",
            "prefix": "buildproject",
            "state": "directory",
            "suffix": ""
        }
    },
    "mode": "0700",
    "owner": "rilindo",
    "path": "/tmp/buildproject_zi01c58",
    "secontext": "unconfined_u:object_r:user_tmp_t:s0",
    "size": 6,
    "state": "directory",
    "uid": 1000
}

Perhaps it is something that is unique to your local system. Have you been able to reproduce it on any other system?

Rilindo

No, it works on another system. The problem is that I don't have selinux context on the system… I don't remember that I set it up explicitly, but maybe something changed after I updated Gentoo.

selinux context in the system → selinux context for this path
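
The call cycle visible in the traceback earlier in this thread, next to a guarded variant, as an added example that is not part of the thread and is not Ansible's code. The method names are taken from the traceback; `ModuleFailed`, `LoopingModule`, `GuardedModule`, `run`, the stubbed `lgetfilecon_raw`, the `.denied` path suffix and the errno 13 case are constructed for illustration.

```python
import json

ENODATA, EACCES = 61, 13  # 61 is the errno reported in the thread; 13 is a constructed second case

class ModuleFailed(Exception):
    """Stands in for the module exiting with a JSON failure result."""

def lgetfilecon_raw(path):  # constructed stub for the libselinux call; it always fails
    raise OSError(EACCES if path.endswith(".denied") else ENODATA, "stub", path)

class LoopingModule:  # same call cycle as the traceback in the thread
    def selinux_context(self, path):
        try:
            return lgetfilecon_raw(path)
        except OSError:
            self.fail_json(path=path, msg="failed to retrieve selinux context")

    def add_path_info(self, kwargs):
        if "path" in kwargs:
            kwargs["secontext"] = ":".join(self.selinux_context(kwargs["path"]))

    def _return_formatted(self, kwargs):
        self.add_path_info(kwargs)  # the failure result re-enters the path lookup
        return json.dumps(kwargs, sort_keys=True)

    def fail_json(self, **kwargs):
        raise ModuleFailed(self._return_formatted(dict(kwargs, failed=True)))

class GuardedModule(LoopingModule):
    # Hypothetical fix: no label is not an error, and failures do not carry "path".
    def selinux_context(self, path):
        try:
            return lgetfilecon_raw(path)
        except OSError as exc:
            if exc.errno == ENODATA:
                return None  # unlabeled file: nothing to report
            self.fail_json(failed_path=path, msg="failed to retrieve selinux context")

    def add_path_info(self, kwargs):
        context = self.selinux_context(kwargs["path"]) if "path" in kwargs else None
        if context is not None:
            kwargs["secontext"] = ":".join(context)

def run(module_cls, path):
    try:
        return json.loads(module_cls()._return_formatted({"path": path, "changed": True}))
    except ModuleFailed as failure:
        return json.loads(str(failure))
    except RecursionError:
        return {"crashed": "RecursionError"}
```

`run(LoopingModule, ...)` never reaches `json.dumps` because every failure result asks for the context of the same path again; the guarded variant returns a result without `secontext` for an unlabeled path and a normal failure result for any other error.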