semanage fcontext in ansible?

Dimon · November 4, 2014, 3:49pm

Hi,

I’ve got a playbook that needs to set some SELinux labels etc. And I’ve come up with two questions:

So far I’ve used direct invocation of "semanage fcontext -a -t logwatch_cache_t “/var/lib/logwatch(/.*)?”. I have noticed that “file” module exposes some of the selinux labeling elements, however I’m having a rough time imagining how would I implement above invocation using file module…

file: dest=“/var/lib/logwatch(/.*)?” setype=logwatch_cache_t

when using “file: … setype” - it seems nothing is stored in /etc/selinux/targeted/contexts/files/file_contexts.local afterwards. Thus shall I assume it’s more of a “chcon” front then “semanage fcontext” ?

Michael_DeHaan1 · November 4, 2014, 9:21pm

(1) Yeah it’s not intended to apply wildcards. Logic here would be correct. Maybe could also just install a policy as an alternative?

(2) Yes:

I’m open to possible additions.

Dag_Wieers · May 13, 2016, 2:45pm

I wrote a new module “sefcontext” to do exactly what “semanage fcontext” is intended for:

sefcontext:
target: ‘/var/lib/logwatch(/.*)?’
setype: logwatch_cache_t
state: present

It is fully idempotent, and supports check-mode and diff-mode.
It is constructed conform the already existing seport module.

Topic		Replies	Views
sefcontext restorecon Ansible Project rhel	4	4	January 16, 2017
Assistance with sefcontext module Ansible Project	0	1	September 7, 2017
Templates and SELinux contect types Ansible Project	3	1	June 6, 2013
invalid selinux context Ansible Project	5	2	January 15, 2014
We have a file module now! Ansible Project	1	0	March 16, 2012