community.zabbix
SELinux fails on noexec mounted fs
https://github.com/ansible-collections/community.zabbix/blob/2b504a76d3487aab22e0a5c1313044ee1df9e84c/roles/zabbix_server/tasks/selinux.yml#L119-L124
If the Ansible tmp directory (aka the home directory of the connecting user) is mounted with 'noexec', this task will fail. In secured server environments /home, /tmp, /var/tmp, etc. are typically mounted with 'noexec', which will cause Ansible to fail due to this task.
An alternative is needed.
@D3DeFi, @dj-wasabi thoughts? I personally don't see this as a problem with the role, and instead a problem of Ansible configuration for the user, and we have to be able to assume that wherever a script runs from it will be able to. I have no idea how we would even solve this.
If you use the semodule command instead of whatever that bsx binary file is, this could be avoided. I've done a lot of searching and I can't even determine what that bsx file is or what exactly it is doing. Can someone explain, as I don't see any references to that file type or binary for SELinux?
The only trace regarding this is #294. I have no idea what it does, but it is a very ugly solution to copy a binary to the managed host.
And there is also this https://github.com/dj-wasabi/ansible-zabbix-proxy/pull/64, which leads to this https://support.zabbix.com/browse/ZBXNEXT-5067
I am open to accepting an alternative solution, but I am also unable to provide one.
Fair. Most of my solutions for SELinux involve disabling it. My original comment was more to the fact that I can't think of a way to run a script when noexec is set. I hadn't actually bothered to look at what the script was doing. OK, so obviously a valid problem to solve, just not exactly what the ticket said originally.
If it helps, for Tomcat I use a task like this to set file contexts. Combine this with another Ansible task to set any needed SELinux booleans and that should be enough (ansible.posix.seboolean).

```yaml
# Register the file context rules; 'register' captures a per-item result so the
# restorecon task below only runs for the items that actually changed.
- name: set selinux file context for tomcat version
  community.general.sefcontext:
    target: '{{ item.target }}(/.*)?'
    setype: "{{ item.setype }}"
    reload: true
    state: present
  register: tomcat_rg_filecontext
  with_items:
    - target: "{{ tomcat_install }}/{{ instance.version | default(tomcat_version) }}/bin"
      setype: bin_t
    - target: "{{ (instance.dest | default(tomcat_data + '/' + instance.name)) }}/bin"
      setype: bin_t

# Apply the new contexts to files already on disk; item.index maps back to the
# matching entry in tomcat_rg_filecontext.results.
- name: Run restore context to reload selinux for tomcat version # noqa no-handler
  ansible.builtin.command: restorecon -R -v {{ item.target }}
  when: tomcat_rg_filecontext.results[item.index].changed
  with_items:
    - index: 0
      target: "{{ tomcat_install }}/{{ instance.version | default(tomcat_version) }}/bin"
    - index: 1
      target: "{{ (instance.dest | default(tomcat_data + '/' + instance.name)) }}/bin"
```
Any binary called by the systemd service (ExecStart/ExecStop) needs to have the 'bin_t' file context.
As far as the script and noexec is concerned, this is a non-issue when using ansible.builtin.shell, ansible.builtin.command, and ansible.builtin.script. For ansible.builtin.script you will need to give an argument and set the executable to bash, sh, python, or whatever language your script is written in (don't call the script directly as the executable).
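As an added example of the semodule alternative discussed in this thread (not code from the community.zabbix role), the tasks below ship a pre-compiled policy package as a plain data file and load it with semodule, so nothing ever has to be executed from the remote tmp directory. The package path, the module name zabbix_server_custom, and the assumption that semodule is installed are all mine.

```yaml
---
# Added example, not from the community.zabbix role. Assumes a compiled policy
# package files/zabbix_server_custom.pp exists on the controller and that the
# policycoreutils tools (semodule) are installed on the managed host.
- name: Report the mount options of the connecting user's home (noexec is expected in hardened hosts)
  ansible.builtin.shell: findmnt --noheadings --output OPTIONS --target "$HOME"
  register: home_mount_opts
  changed_when: false
  failed_when: false
  # Informational only: none of the tasks below execute anything from $HOME or /tmp

- name: Copy the compiled policy package (data file, no execute bit needed)
  ansible.builtin.copy:
    src: files/zabbix_server_custom.pp
    dest: /usr/share/selinux/packages/zabbix_server_custom.pp
    owner: root
    group: root
    mode: "0644"
  become: true
  register: policy_pkg

- name: List installed SELinux modules (older semodule prints "name<tab>version")
  ansible.builtin.command:
    argv: [semodule, -l]
  register: semodule_list
  changed_when: false
  become: true

# Take only the first whitespace-separated field of each line so the check
# works on both the old "name<tab>version" and the new name-only output formats.
- name: Install the module with semodule when it is missing or the package changed
  ansible.builtin.command:
    argv: [semodule, -i, /usr/share/selinux/packages/zabbix_server_custom.pp]
  become: true
  when: >-
    policy_pkg.changed or
    'zabbix_server_custom' not in
    (semodule_list.stdout_lines | map('split') | map('first') | list)
```

The same pattern also covers the noexec point: semodule is a system binary on an executable filesystem, so the only file placed under the connecting user's home is read, never run.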