I run an Alma 8/9 estate and use Ansible to deploy various config changes, and I've run into an unusual problem on one of my client boxes. Alma 8 by standard comes with python 3.6, which works quite happily with my AWX server for pushing out playbooks, but because of an application requirement I installed python 3.8 and flipped it to be the default version used by the box using the "alternatives --config python3" command.

When I came to next deploy an Ansible playbook to the box the connection failed with the following error:

    "msg": "Aborting, target uses selinux but python bindings (libselinux-python) aren't installed!"

The server has python3-libselinux installed by default, but there doesn't seem to be an equivalent python38-libselinux package. After a bit of research I installed the "selinux" python module via pip. This resolved the connectivity issue, but looks to cause a knock-on problem in that files modified by the playbook lose their correct SELinux context and instead receive default ones:

    [alex@dcbutlnprdnb01 zabbix]# ls -lZ
    total 124
    -rw-r--r--. 1 root root unconfined_u:object_r:user_home_t:s0   385 Dec 21 10:49 zabbix_agentd.conf

Correct SELinux contexts prior to running the playbook, for reference, are:

    [alex@dcautlprdnb01 zabbix]# ls -lZ zabbix_agentd.conf
    -rw-r--r--. 1 root root system_u:object_r:etc_t:s0 17135 Nov 24 14:18 zabbix_agentd.conf

Ideally the fix needs to be client end, perhaps installing an alternative python module I've not found so far, so that I'm not repeating code to compensate for the problem every time I write a playbook. I can set custom variables against the host in AWX, if it's not possible to apply a fix on the client server.

Can anybody suggest the best way to resolve this issue?

Thanks!

2 Answers


Fix identified: I can specify the version of python used by Ansible as a host-level variable within AWX:

    ansible_python_interpreter: '/bin/python3.6'
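
A way to check which interpreter on a host is safe to pin before setting that variable, as an added example that is not part of the original answer: it runs a small probe under each candidate interpreter and reports the first one whose SELinux bindings import and can look up a default file context. The candidate paths, the function names and the use of `selinux.matchpathcon` on `/etc/hosts` as the probe are assumptions made for this example.

```python
import subprocess
import sys

# Probe executed inside each candidate interpreter. It passes only if the
# SELinux Python bindings import and return a default context for a path.
SELINUX_PROBE = (
    "import selinux\n"
    "rc, ctx = selinux.matchpathcon('/etc/hosts', 0)\n"
    "raise SystemExit(0 if rc == 0 and ctx else 1)\n"
)

# Assumed candidate paths for the host in question; adjust to what is installed.
CANDIDATES = ["/bin/python3.6", "/bin/python3.8", "/bin/python3"]


def probe(interpreter, code=SELINUX_PROBE, timeout=10):
    """Run `code` under `interpreter`; return (ok, detail)."""
    try:
        proc = subprocess.run(
            [interpreter, "-c", code],
            stdout=subprocess.PIPE, stderr=subprocess.PIPE,
            universal_newlines=True, timeout=timeout,
        )
    except (OSError, subprocess.TimeoutExpired) as exc:
        return False, "could not run: {}".format(exc)
    if proc.returncode == 0:
        return True, "ok"
    # The last stderr line is normally the exception, e.g. ModuleNotFoundError.
    lines = proc.stderr.strip().splitlines()
    return False, lines[-1] if lines else "exit {}".format(proc.returncode)


def pick_interpreter(candidates=CANDIDATES, code=SELINUX_PROBE):
    """Return (first interpreter that passes the probe or None, all results)."""
    results = [(path,) + probe(path, code) for path in candidates]
    chosen = next((path for path, ok, _ in results if ok), None)
    return chosen, results


if __name__ == "__main__":
    chosen, results = pick_interpreter()
    for path, ok, detail in results:
        print("{}  {}: {}".format("PASS" if ok else "FAIL", path, detail), file=sys.stderr)
    if chosen is None:
        sys.exit("no candidate interpreter has working SELinux bindings")
    # Line to paste into the AWX host variables.
    print("ansible_python_interpreter: '{}'".format(chosen))
```
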

This might not be a complete solution because you made so many changes. But here are a few points to get you going.

  1. Make sure policycoreutils-python is installed; this includes tools to manage SELinux.

  2. For Ansible to work properly, SELinux needs to be in permissive mode:

    sudo setenforce 0

  3. Optional: maybe create a custom SELinux policy. If Ansible operations are still denied, you might need to create custom SELinux policies. Use the audit2allow tool to generate policy modules based on audit logs.

  • 1. The whole problem was that python 3.8 was missing some of the packages used by Ansible. They don't exist to be installed. 2. If Ansible didn't work without switching SELinux off, it wouldn't be fit for purpose. Switching off your entire system security system is almost never the correct solution for any SELinux problem, for anyone reading this. 3. This contradicts suggestion 2. If SELinux is switched off policies won't make any difference. See above, all I had to do in the end was set a variable at inventory level to tell Ansible to specifically use the 3.6 interpreter. Commented Jan 30, 2024 at 15:10
