elster

Reputation: 13

SELinux problem during RPMS repository configuration with Ansible

I am using this Ansible task to deploy an rpm package to an RHEL8 server:

- name: Add the shibboleth Repository configuration
  yum_repository:
    name: security_shibboleth
    description: Shibboleth (CentOS_7)
    setype: rpm-md
    mirrorlist: https://shibboleth.net/cgi-bin/mirrorlist.cgi/CentOS_7
    gpgkey:
      - https://shibboleth.net/downloads/service-provider/RPMS/repomd.xml.key
      - https://shibboleth.net/downloads/service-provider/RPMS/cantor.repomd.xml.key
    gpgcheck: true
    enabled: true
  tags:
    - shibboleth

However, the task fails with this SELinux error:

fatal: [proxy_server_46]: FAILED! => {"changed": false, "cur_context": ["unconfined_u", "object_r", "system_conf_t", "s0"], "gid": 0, "group": "root", "input_was": [null, null, "rpm-md", null], "mode": "0644", "msg": "invalid selinux context: [Errno 22] Invalid argument", "new_context": ["unconfined_u", "object_r", "rpm-md", "s0"], "owner": "root", "path": "/etc/yum.repos.d/security_shibboleth.repo", "secontext": "unconfined_u:object_r:system_conf_t:s0", "size": 312, "state": "file", "uid": 0}

Any ideas what's going wrong here? Googling for this error type unfortunately did not deliver any helpful results.

Upvotes: -1

Views: 429

Answers (1)

U880D

Reputation: 11999

The yum_repository module (to "Add or remove YUM repositories") more or less only creates a YUM repository file (.repo) under the location /etc/yum.repos.d/. With this in mind, a minimal example playbook

---
- hosts: localhost
  become: true
  gather_facts: false

  tasks:

  - name: Create and add .repo file
    yum_repository:
      name: security_shibboleth
      description: Shibboleth (CentOS_7)
      mirrorlist: https://shibboleth.net/cgi-bin/mirrorlist.cgi/CentOS_7
      gpgkey:
        - https://shibboleth.net/downloads/service-provider/RPMS/repomd.xml.key
        - https://shibboleth.net/downloads/service-provider/RPMS/cantor.repomd.xml.key
      gpgcheck: true
      enabled: true

will generate the "text" file in INI style.

~/test$ cat /etc/yum.repos.d/security_shibboleth.repo
[security_shibboleth]
async = 1
enabled = 1
gpgcheck = 1
gpgkey = https://shibboleth.net/downloads/service-provider/RPMS/repomd.xml.key
        https://shibboleth.net/downloads/service-provider/RPMS/cantor.repomd.xml.key
mirrorlist = https://shibboleth.net/cgi-bin/mirrorlist.cgi/CentOS_7
name = Shibboleth (CentOS_7)

Looking at the module's Parameter documentation, one may notice that there is no parameter for type.

TASK [Create and add .repo file] *******************************************************************************************************************************
fatal: [localhost]: FAILED! => changed=false
  msg: 'Unsupported parameters for (yum_repository) module: type. Supported parameters include: seuser, ip_resolve, proxy_password, reposdir, includepkgs, owner, bandwidth, cost, file, mirrorlist_expire, exclude, sslclientkey (client_key), keepalive, module_hotfixes, group, failovermethod, unsafe_writes, deltarpm_metadata_percentage, gpgkey, setype, http_caching, priority, serole, mirrorlist, params, gpgcheck, include, sslclientcert (client_cert), proxy_username, username, ui_repoid_vars, metadata_expire, description, repo_gpgcheck, selevel, sslcacert (ca_cert), baseurl, sslverify (validate_certs), gpgcakey, s3_enabled, state, proxy, async, password, retries, protect, ssl_check_cert_permissions, throttle, name, deltarpm_percentage, metalink, enabled, skip_if_unavailable, keepcache, mode, timeout, enablegroups, metadata_expire_filter, attributes (attr).'

It is also not necessary to set it on plain Red Hat / Fedora / CentOS distributions. For some background information see Red Hat Bugzilla - Bug 1373317 - RFE: Add "type=rpm-md" and "repo_gpgcheck=0" to Fedora repo files.

Whereas a type would describe the repository for the underlying package manager in more detail (which is not necessary in the given case), the parameter setype sets

The type part of the SELinux filesystem object context.

and an SELinux type rpm-md of course and obviously does not exist. Therefore the error message

invalid selinux context: [Errno 22] Invalid argument", "new_context": ["unconfined_u", "object_r", "rpm-md", "s0"]

To Summarize

repo.type != setype.

How to resolve?

from most to least recommended ...


... interesting is that according to the actual module source code yum_repository.py there seem to be no parameters selevel, serole, setype and seuser (anymore). It wasn't possible to find when and where they were introduced or removed. They were there at least at Ansible Issue #23913 and in Ansible version 2.2, but not anymore in Ansible version 2.8. The parameters are also reported in my ansible [core 2.11.12] via ansible-doc yum_repository even if the source code says they are not there ... :-/

Upvotes: 0
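Added example (not from the question, the answer or the Ansible project): a small Python model of the split the answer describes, separating the repository keys that end up in the .repo INI file from the file-attribute parameters (owner, mode, SELinux context) applied to that file, and flagging why setype: rpm-md cannot work. FILE_ATTR_PARAMS, TASK_PARAMS, render_repo_file and check_setype are names chosen here; the "ends in _t" check is a heuristic, not the kernel's validation.

```python
"""Added example: how Ansible's yum_repository module splits its parameters
into INI keys for /etc/yum.repos.d/<name>.repo and attributes of that file."""
import re

# File-attribute parameters (from the supported-parameter list quoted in the
# answer): they shape the .repo file's owner/mode/SELinux context, never its content.
FILE_ATTR_PARAMS = {"owner", "group", "mode", "seuser", "serole", "setype",
                    "selevel", "attributes", "unsafe_writes"}

RPMS = "https://shibboleth.net/downloads/service-provider/RPMS/"
# Constructed copy of the failing task's parameters from the question.
TASK_PARAMS = {
    "name": "security_shibboleth",
    "description": "Shibboleth (CentOS_7)",
    "setype": "rpm-md",  # meant as repo type, but lands in the SELinux context
    "mirrorlist": "https://shibboleth.net/cgi-bin/mirrorlist.cgi/CentOS_7",
    "gpgkey": [RPMS + "repomd.xml.key", RPMS + "cantor.repomd.xml.key"],
    "gpgcheck": True,
    "enabled": True,
}


def split_params(params):
    """Separate repository INI keys from attributes of the .repo file itself."""
    repo = {k: v for k, v in params.items() if k not in FILE_ATTR_PARAMS}
    attrs = {k: v for k, v in params.items() if k in FILE_ATTR_PARAMS}
    return repo, attrs


def render_repo_file(params):
    """Render the INI text the module writes: 'description' becomes the INI
    'name' key and async defaults to 1, as in the answer's cat output."""
    repo, _ = split_params(params)
    keys = {"async": True, **repo, "name": repo["description"]}
    del keys["description"]
    lines = [f"[{params['name']}]"]
    for key in sorted(keys):
        val = keys[key]
        vals = val if isinstance(val, list) else [int(val) if isinstance(val, bool) else val]
        lines.append(f"{key} = {vals[0]}")
        lines += [" " * (len(key) + 3) + v for v in vals[1:]]  # continuation lines
    return "\n".join(lines) + "\n"


def check_setype(params):
    """Heuristic: SELinux file types end in _t; return None if setype passes, else why not."""
    setype = split_params(params)[1].get("setype")
    if setype is None or re.fullmatch(r"[a-z0-9_]+_t", setype):
        return None
    return f"{setype!r} is not an SELinux type: repo.type != setype"
```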
