add vfat to selinux special_context_filesystems (#59823)

vfat is the format of the /boot/efi partition on UEFI hosts and does
not support SELinux labels

add an environment variable for this config option
tags/stable-2.9-branchpoint
James Cassell 1 month ago
parent
commit
8bca160363

+ 7
- 0
changelogs/fragments/vfat_selinux_fs.yaml

@@ -0,0 +1,7 @@
---
bugfixes:
- vfat - changed default value of selinux_special_filesystems to include vfat,
the filesystem of ``/boot/efi`` on UEFI systems
minor_changes:
- selinux_special_filesystems config can be specified via environment variable
``ANSIBLE_SELINUX_SPECIAL_FS``
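
Review bot: The bugfixes entry is filed under a "vfat -" prefix and names the option selinux_special_filesystems, while the ini key touched in this same commit is special_context_filesystems in the [selinux] section and the config entry is DEFAULT_SELINUX_SPECIAL_FS. Use the name users actually set in both entries so the changelog can be searched for it, and say that files on vfat now get the filesystem-dependent context handling, so the behaviour change on /boot/efi is explicit.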

+ 1
- 1
docs/docsite/rst/dev_guide/developing_program_flow_modules.rst

@@ -429,7 +429,7 @@ files (changing attributes, moving, and copying). To set, add a comma separated

# ansible.cfg
[selinux]
special_context_filesystems=nfs,vboxsf,fuse,ramfs
special_context_filesystems=nfs,vboxsf,fuse,ramfs,vfat

Most modules can use the built-in ``AnsibleModule`` methods to manipulate
files. To access in a module that needs to know about these special context filesystems, instantiate an ``AnsibleModule`` and examine the list in
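
Review bot: The ansible.cfg example in this hunk lists nfs,vboxsf,fuse,ramfs,vfat, which leaves out 9p even though the default in lib/ansible/config/base.yml and the commented line in examples/ansible.cfg both include it. A reader who copies this line into [selinux] replaces the default list and silently drops 9p; add 9p here so the documented value matches the default, or state that the line is a sample and not the default.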

+ 1
- 1
examples/ansible.cfg

@@ -461,7 +461,7 @@
# file systems that require special treatment when dealing with security context
# the default behaviour that copies the existing context or uses the user default
# needs to be changed to use the file system dependent context.
#special_context_filesystems=nfs,vboxsf,fuse,ramfs,9p
#special_context_filesystems=nfs,vboxsf,fuse,ramfs,9p,vfat

# Set this to yes to allow libvirt_lxc connections to work without SELinux.
#libvirt_lxc_noseclabel = yes

+ 4
- 2
lib/ansible/config/base.yml

@@ -956,12 +956,14 @@ DEFAULT_SCP_IF_SSH:
- {key: scp_if_ssh, section: ssh_connection}
DEFAULT_SELINUX_SPECIAL_FS:
name: Problematic file systems
default: fuse, nfs, vboxsf, ramfs, 9p
default: fuse, nfs, vboxsf, ramfs, 9p, vfat
description:
- "Some filesystems do not support safe operations and/or return inconsistent errors,
this setting makes Ansible 'tolerate' those in the list w/o causing fatal errors."
- Data corruption may occur and writes are not always verified when a filesystem is in the list.
env: []
env:
- name: ANSIBLE_SELINUX_SPECIAL_FS
version_added: "2.9"
ini:
- {key: special_context_filesystems, section: selinux}
type: list
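
Review bot: The description under DEFAULT_SELINUX_SPECIAL_FS still only says that listed filesystems have errors tolerated and that "Data corruption may occur and writes are not always verified", and with vfat in the default that caveat now applies to /boot/efi on every UEFI host without the text saying so. Extend the description to state that vfat is listed because it does not support SELinux labels, and note beside the new env entry that ANSIBLE_SELINUX_SPECIAL_FS takes a comma-separated list that replaces the default instead of adding to it.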

+ 1
- 1
lib/ansible/module_utils/common/parameters.py

@@ -28,7 +28,7 @@ PASS_VARS = {
'module_name': ('_name', None),
'no_log': ('no_log', False),
'remote_tmp': ('_remote_tmp', None),
'selinux_special_fs': ('_selinux_special_fs', ['fuse', 'nfs', 'vboxsf', 'ramfs', '9p']),
'selinux_special_fs': ('_selinux_special_fs', ['fuse', 'nfs', 'vboxsf', 'ramfs', '9p', 'vfat']),
'shell_executable': ('_shell', '/bin/sh'),
'socket': ('_socket_path', None),
'string_conversion_action': ('_string_conversion_action', 'warn'),
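
Review bot: The fallback list for selinux_special_fs in PASS_VARS is a second hard-coded copy of the default in lib/ansible/config/base.yml, and this commit has to edit both by hand. Add a comment next to the tuple pointing at DEFAULT_SELINUX_SPECIAL_FS, or a unit test asserting that the two lists match, so the next filesystem added to one is not missed in the other and a module does not fall back to a list without it.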
