fapolicyd and ansible permission deny #311
You are using ansible with the ansible user, which is not supported by default. If you use root there should be no problem; if that's not possible, you can allow just a specific directory.
E.g.: exception for system, first local user and ansible user:
I will take a look at both of these. The problem is we are not able to be root and run ansible; it must be the user. It's a security thing we have. We are able to use root to escalate in the playbook become = yes.
Auid (not uid) ID is assigned to a user upon login and is inherited by every process even when the user's identity changes (for example, by switching user accounts with su - root), thus for username ansible:
Regular users can only run trusted files.
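An added illustration of the auid behaviour described in the comment above (not code from this thread or from the fapolicyd project): it compares a process's login uid in `/proc/<pid>/loginuid` with its effective uid in `/proc/<pid>/status`, which is why a task escalated with `become` still carries the login account's auid. The function names and the sample uid 1001 are assumptions made for the example.

```python
"""Compare a process's audit login uid (auid) with its effective uid."""

UNSET_AUID = 4294967295  # (uid_t)-1: no login session, e.g. a daemon

# Constructed sample: /proc data for a task started by login uid 1001
# and then escalated to root (what `become` produces on the managed host).
SAMPLE_LOGINUID = "1001\n"
SAMPLE_STATUS = "Name:\tpython3\nUid:\t1001\t0\t0\t0\nGid:\t1001\t0\t0\t0\n"


def parse_loginuid(text):
    """Parse /proc/<pid>/loginuid; return None when no login uid is set."""
    value = int(text.strip())
    return None if value == UNSET_AUID else value


def parse_effective_uid(status_text):
    """Return the effective uid from the 'Uid: real eff saved fs' line."""
    for line in status_text.splitlines():
        if line.startswith("Uid:"):
            return int(line.split()[2])
    raise ValueError("no Uid: line found")


def classify(auid, euid):
    """Describe how a process relates to the account that logged in."""
    if auid is None:
        return "no-login-session"
    return "same-identity" if auid == euid else "switched-identity"


def inspect(pid="self"):
    """Read auid and effective uid of a live process (Linux with audit)."""
    with open(f"/proc/{pid}/loginuid") as f:
        auid = parse_loginuid(f.read())
    with open(f"/proc/{pid}/status") as f:
        euid = parse_effective_uid(f.read())
    return auid, euid, classify(auid, euid)


if __name__ == "__main__":
    auid = parse_loginuid(SAMPLE_LOGINUID)
    euid = parse_effective_uid(SAMPLE_STATUS)
    print(f"sample: auid={auid} euid={euid} -> {classify(auid, euid)}")
    try:
        print("this process: auid=%s euid=%s -> %s" % inspect())
    except OSError as exc:  # kernel without audit support, or not Linux
        print(f"cannot read /proc: {exc}")
```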
Do I need to make an ansible user profile?
Creating a separate local account, such as "ansible", with key-based authentication can be very useful for managing a large fleet of hosts. Domain authentication can fail at the most inopportune moment.
I am running a simple `ansible-playbook -i inventory.ini -b playbook.yaml`. Without fapolicyd running, all the pings are successful; when I activate the policy, I get this:

```
[WARNING]: sftp transfer mechanism failed on [xxx.xx.xxx.xxx]. Use ANSIBLE_DEBUG=1 to see detailed information
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: PermissionError: [Errno 1] Operation not permitted: b'/usr/home/xxxxx/.ansible/tmp/ansible-local-30386wpmj2n12/tmp75p3z00c'
fatal: [xxx.xx.xxx.xxx]: FAILED! => {"msg": "Unexpected failure during module execution.", "stdout": ""}
```

I don't know how to fix this. I have added the file to trust.d and it still won't work.