From 8bca160363390be79481a6f4b7673cbb5efb9278 Mon Sep 17 00:00:00 2001
From: James Cassell
Date: Mon, 12 Aug 2019 14:45:27 -0400
Subject: [PATCH] add vfat to selinux special_context_filesystems (#59823)

vfat is the format of the /boot/efi partition on UEFI hosts and does not support SELinux labels add an environment variable for this config option
---
 changelogs/fragments/vfat_selinux_fs.yaml | 7 +++++++
 .../rst/dev_guide/developing_program_flow_modules.rst | 2 +-
 examples/ansible.cfg | 2 +-
 lib/ansible/config/base.yml | 6 ++++--
 lib/ansible/module_utils/common/parameters.py | 2 +-
 5 files changed, 14 insertions(+), 5 deletions(-)
 create mode 100644 changelogs/fragments/vfat_selinux_fs.yaml
diff --git a/changelogs/fragments/vfat_selinux_fs.yaml b/changelogs/fragments/vfat_selinux_fs.yaml
new file mode 100644
index 00000000000..c71a920d80e
--- /dev/null
+++ b/changelogs/fragments/vfat_selinux_fs.yaml
@@ -0,0 +1,7 @@
+---
+bugfixes:
+- vfat - changed default value of selinux_special_filesystems to include vfat,
+ the filesystem of ``/boot/efi`` on UEFI systems
+minor_changes:
+- selinux_special_filesystems config can be specified via environment variable
+ ``ANSIBLE_SELINUX_SPECIAL_FS``
diff --git a/docs/docsite/rst/dev_guide/developing_program_flow_modules.rst b/docs/docsite/rst/dev_guide/developing_program_flow_modules.rst
index 2b18e3d29ff..6618bb4ceda 100644
--- a/docs/docsite/rst/dev_guide/developing_program_flow_modules.rst
+++ b/docs/docsite/rst/dev_guide/developing_program_flow_modules.rst
@@ -429,7 +429,7 @@ files (changing attributes, moving, and copying). To set, add a comma separated
 # ansible.cfg
 [selinux]
- special_context_filesystems=nfs,vboxsf,fuse,ramfs
+ special_context_filesystems=nfs,vboxsf,fuse,ramfs,vfat
 Most modules can use the built-in ``AnsibleModule`` methods to manipulate files. To access in a module that needs to know about these special context filesystems, instantiate an ``AnsibleModule`` and examine the list in 
diff --git a/examples/ansible.cfg b/examples/ansible.cfg
index 3291156b2c2..27283343582 100644
--- a/examples/ansible.cfg
+++ b/examples/ansible.cfg
@@ -461,7 +461,7 @@
 # file systems that require special treatment when dealing with security context
 # the default behaviour that copies the existing context or uses the user default
 # needs to be changed to use the file system dependent context.
-#special_context_filesystems=nfs,vboxsf,fuse,ramfs,9p
+#special_context_filesystems=nfs,vboxsf,fuse,ramfs,9p,vfat
 # Set this to yes to allow libvirt_lxc connections to work without SELinux.
 #libvirt_lxc_noseclabel = yes
diff --git a/lib/ansible/config/base.yml b/lib/ansible/config/base.yml
index 16e091567b3..a5b32788708 100644
--- a/lib/ansible/config/base.yml
+++ b/lib/ansible/config/base.yml
@@ -956,12 +956,14 @@ DEFAULT_SCP_IF_SSH:
 - {key: scp_if_ssh, section: ssh_connection}
 DEFAULT_SELINUX_SPECIAL_FS:
 name: Problematic file systems
- default: fuse, nfs, vboxsf, ramfs, 9p
+ default: fuse, nfs, vboxsf, ramfs, 9p, vfat
 description:
 - "Some filesystems do not support safe operations and/or return inconsistent errors, this setting makes Ansible 'tolerate' those in the list w/o causing fatal errors."
 - Data corruption may occur and writes are not always verified when a filesystem is in the list.
- env: []
+ env:
+ - name: ANSIBLE_SELINUX_SPECIAL_FS
+ version_added: "2.9"
 ini:
 - {key: special_context_filesystems, section: selinux}
 type: list
diff --git a/lib/ansible/module_utils/common/parameters.py b/lib/ansible/module_utils/common/parameters.py
index 9b87af85577..a395a2b607a 100644
--- a/lib/ansible/module_utils/common/parameters.py
+++ b/lib/ansible/module_utils/common/parameters.py
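Review bot: The description of DEFAULT_SELINUX_SPECIAL_FS in this hunk still says only that listed filesystems "do not support safe operations", which does not tell an operator what adding vfat to the default, or setting the new `ANSIBLE_SELINUX_SPECIAL_FS` variable, actually changes about SELinux handling. The examples/ansible.cfg comment in this same patch states the effect more plainly: for these filesystems Ansible no longer copies the existing or user-default security context and uses the filesystem-dependent context instead. Because the new env entry makes the list overridable from the controller's environment, widening it relaxes context handling for every filesystem type named, so the description should state that; for example add a description item `- "For filesystems in this list Ansible does not copy the existing or user-default SELinux context and leaves the filesystem-dependent context in place."`, echoing the ansible.cfg wording. The hunk header counts twelve old lines but only eleven are visible here, so one line of the entry (probably whitespace) appears to have been lost in transcription.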
@@ -28,7 +28,7 @@ PASS_VARS = {
 'module_name': ('_name', None),
 'no_log': ('no_log', False),
 'remote_tmp': ('_remote_tmp', None),
- 'selinux_special_fs': ('_selinux_special_fs', ['fuse', 'nfs', 'vboxsf', 'ramfs', '9p']),
+ 'selinux_special_fs': ('_selinux_special_fs', ['fuse', 'nfs', 'vboxsf', 'ramfs', '9p', 'vfat']),
 'shell_executable': ('_shell', '/bin/sh'),
 'socket': ('_socket_path', None),
 'string_conversion_action': ('_string_conversion_action', 'warn'),
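Review bot: The fallback list on the `'selinux_special_fs'` line now duplicates the `default:` of DEFAULT_SELINUX_SPECIAL_FS in lib/ansible/config/base.yml, and this patch already shows a third copy in developing_program_flow_modules.rst that omits 9p, so nothing keeps the three in step. A comment on that line would at least make the coupling visible: `# keep in sync with the DEFAULT_SELINUX_SPECIAL_FS default in lib/ansible/config/base.yml`. Whether this module-side fallback is ever reached depends on whether the controller always passes the value, which is outside the hunk and I cannot confirm from here. The PASS_VARS dict opens before the hunk and closes after it.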