From db88cb8d8f651a4dc98af255b4f10f9095216afc Mon Sep 17 00:00:00 2001 From: Zeust the Unoobian Date: Wed, 25 Apr 2018 18:05:03 +0200 Subject: [PATCH] Add note about sefcontext doing no restorecon (#39076) * Add note about sefcontext doing no restorecon To someone like me who is relatively new to SELinux, setting the "reload" option to yes might suggest that a restorecon is automatically executed after the semanage call, making the new file context effective immediately. I have found out that this is not the case and would like to clarify this to others. +label: docsite_pr * Replace note by one suggested by reviewer Reviewer dagwieers suggested a better notice text during review of my original one, giving recommendations about what to do to actually get the newly chosen SELinux context applied to the file. --- lib/ansible/modules/system/sefcontext.py | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/lib/ansible/modules/system/sefcontext.py b/lib/ansible/modules/system/sefcontext.py index ec43d3ed957..cec70c19592 100644 --- a/lib/ansible/modules/system/sefcontext.py +++ b/lib/ansible/modules/system/sefcontext.py @@ -53,6 +53,10 @@ options: default: 'yes' notes: - The changes are persistent across reboots +- The M(sefcontext) module does not modify existing files to the new + SELinux context(s), so it is advisable to first create the SELinux + file contexts before creating files, or run C(restorecon) manually + for the existing files that require the new SELinux file contexts. requirements: - libselinux-python - policycoreutils-python
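Review bot: the new entry under `notes:` never mentions the `reload` option, although the commit message names `reload: yes` as the setting that suggests a `restorecon` runs automatically. A reader who looks at that option will still not learn that existing files keep their old label. Consider naming it in the note, for example "even with C(reload=yes)", or adding the same sentence to the `reload` option's description. Two wording points in the added lines: "first create the SELinux file contexts before creating files" says the ordering twice, so "first" can be dropped, and "does not modify existing files to the new SELinux context(s)" would read more clearly as "does not relabel existing files". It would also help to say that C(restorecon) has to be run against the same path(s) the context was defined for, since "manually" alone does not tell the reader what to relabel.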