以下是 ansible 文件的相关部分:
- name: "Create bond user"
user:
user: bond
shell: /bin/bash
- name: "Allow bond agent to be run"
sefcontext:
target: "/home/bond/bond_agent"
seuser: system_u
setype: bin_t
state: present
- name: "Create bond agent directory"
file:
path: "/home/bond/bond_agent"
state: directory
mode: 0500
owner: bond
group: bond
- name: "Copy bond agent binary"
copy:
src: bond-agent
dest: /home/bond/bond_agent/bond-agent
owner: bond
group: bond
mode: 0555
- name: "Copy bond agent config file"
template:
src: bond-agent.yml.j2
dest: /home/bond/bond_agent/bond-agent.yml
owner: bond
group: bond
mode: 0555
- name: "Apply new SELinux file context to /bond_agent directory"
command: restorecon -irv /home/bond/bond_agent
ls -laZ运行ansible playbook 后/home/bond/bond_agent,我看到:
dr-x------. 2 bond bond unconfined_u:object_r:bin_t:s0 117 Sep 16 13:21 bond_agent
运行semanage fcontext -l -C我看到:
SELinux fcontext type Context
/home/bond/bond_agent all files system_u:object_r:bin_t:s0
/bond_agent all files system_u:object_r:bin_t:s0
SELinux Local fcontext Equivalence
/bond_agent/bond-agent = /bond_agent
bond-agent = bond-agent.yml
我是 CentOS(CentOS Linux 版本 8.2.2004)+ ansible 的新手,所以我不太清楚发生了什么或者如何解决它。
答案1
更改 seuser 时需要在 restorecon 中包含“-F”。restorecon 默认仅更改类型。