add vfat to selinux special_context_filesystems (#59823)

vfat is the format of the /boot/efi partition on UEFI hosts and does
not support SELinux labels

add an environment variable for this config option
James Cassell 2019-08-12 14:45:27 -04:00 committed by ansibot
parent 6cb5b67b22
commit 8bca160363
5 changed files with 14 additions and 5 deletions

@ -0,0 +1,7 @@
---
bugfixes:
- vfat - changed default value of selinux_special_filesystems to include vfat,
the filesystem of ``/boot/efi`` on UEFI systems
minor_changes:
- selinux_special_filesystems config can be specified via environment variable
``ANSIBLE_SELINUX_SPECIAL_FS``
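Review bot: Both entries in this fragment call the option `selinux_special_filesystems`, but the key the other hunks of this commit change is `special_context_filesystems` in the `[selinux]` section (constant `DEFAULT_SELINUX_SPECIAL_FS`). Use the ini key name in the changelog so that someone searching for the setting they have in ansible.cfg finds this entry.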

@ -429,7 +429,7 @@ files (changing attributes, moving, and copying). To set, add a comma separated
# ansible.cfg # ansible.cfg
[selinux] [selinux]
special_context_filesystems=nfs,vboxsf,fuse,ramfs special_context_filesystems=nfs,vboxsf,fuse,ramfs,vfat
Most modules can use the built-in ``AnsibleModule`` methods to manipulate Most modules can use the built-in ``AnsibleModule`` methods to manipulate
files. To access in a module that needs to know about these special context filesystems, instantiate an ``AnsibleModule`` and examine the list in files. To access in a module that needs to know about these special context filesystems, instantiate an ``AnsibleModule`` and examine the list in
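Review bot: The updated example value `nfs,vboxsf,fuse,ramfs,vfat` leaves out `9p`, which the sample ansible.cfg and the `DEFAULT_SELINUX_SPECIAL_FS` default in this same commit both include. A reader who copies this snippet ends up with a list that lacks 9p; suggest `special_context_filesystems=nfs,vboxsf,fuse,ramfs,9p,vfat`, or a sentence saying the example is not the default.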

@ -461,7 +461,7 @@
# file systems that require special treatment when dealing with security context # file systems that require special treatment when dealing with security context
# the default behaviour that copies the existing context or uses the user default # the default behaviour that copies the existing context or uses the user default
# needs to be changed to use the file system dependent context. # needs to be changed to use the file system dependent context.
#special_context_filesystems=nfs,vboxsf,fuse,ramfs,9p #special_context_filesystems=nfs,vboxsf,fuse,ramfs,9p,vfat
# Set this to yes to allow libvirt_lxc connections to work without SELinux. # Set this to yes to allow libvirt_lxc connections to work without SELinux.
#libvirt_lxc_noseclabel = yes #libvirt_lxc_noseclabel = yes

@ -956,12 +956,14 @@ DEFAULT_SCP_IF_SSH:
- {key: scp_if_ssh, section: ssh_connection} - {key: scp_if_ssh, section: ssh_connection}
DEFAULT_SELINUX_SPECIAL_FS: DEFAULT_SELINUX_SPECIAL_FS:
name: Problematic file systems name: Problematic file systems
default: fuse, nfs, vboxsf, ramfs, 9p default: fuse, nfs, vboxsf, ramfs, 9p, vfat
description: description:
- "Some filesystems do not support safe operations and/or return inconsistent errors, - "Some filesystems do not support safe operations and/or return inconsistent errors,
this setting makes Ansible 'tolerate' those in the list w/o causing fatal errors." this setting makes Ansible 'tolerate' those in the list w/o causing fatal errors."
- Data corruption may occur and writes are not always verified when a filesystem is in the list. - Data corruption may occur and writes are not always verified when a filesystem is in the list.
env: [] env:
- name: ANSIBLE_SELINUX_SPECIAL_FS
version_added: "2.9"
ini: ini:
- {key: special_context_filesystems, section: selinux} - {key: special_context_filesystems, section: selinux}
type: list type: list
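Review bot: The description is left as a generic warning ("Data corruption may occur and writes are not always verified when a filesystem is in the list") and never mentions SELinux contexts, so with `vfat` now in the default a reader cannot tell from this entry what changes for /boot/efi. Add a sentence with the reason given in the commit message (the filesystem does not support SELinux labels), and state that `ANSIBLE_SELINUX_SPECIAL_FS` takes the same comma separated list as the ini key.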

@ -28,7 +28,7 @@ PASS_VARS = {
'module_name': ('_name', None), 'module_name': ('_name', None),
'no_log': ('no_log', False), 'no_log': ('no_log', False),
'remote_tmp': ('_remote_tmp', None), 'remote_tmp': ('_remote_tmp', None),
'selinux_special_fs': ('_selinux_special_fs', ['fuse', 'nfs', 'vboxsf', 'ramfs', '9p']), 'selinux_special_fs': ('_selinux_special_fs', ['fuse', 'nfs', 'vboxsf', 'ramfs', '9p', 'vfat']),
'shell_executable': ('_shell', '/bin/sh'), 'shell_executable': ('_shell', '/bin/sh'),
'socket': ('_socket_path', None), 'socket': ('_socket_path', None),
'string_conversion_action': ('_string_conversion_action', 'warn'), 'string_conversion_action': ('_string_conversion_action', 'warn'),
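Review bot: The fallback list on the `selinux_special_fs` line of `PASS_VARS` is a second hard-coded copy of the `DEFAULT_SELINUX_SPECIAL_FS` default, and this commit has to edit both by hand. A comment here pointing at the config definition, or a unit test asserting that the two lists match, would keep them from drifting the next time a filesystem is added; none of the hunks shown adds a test.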