add vfat to selinux special_context_filesystems (ansible#59823)

jamescassell · ansibot · commit 8bca16036339 · 2019-08-12T14:45:27.000-04:00
vfat is the format of the /boot/efi partition on UEFI hosts and does
not support SELinux labels

add an environment variable for this config option
diff --git a/changelogs/fragments/vfat_selinux_fs.yaml b/changelogs/fragments/vfat_selinux_fs.yaml
@@ -0,0 +1,7 @@
+---
+bugfixes:
+- vfat - changed default value of selinux_special_filesystems to include vfat,
+  the filesystem of ``/boot/efi`` on UEFI systems
+minor_changes:
+- selinux_special_filesystems config can be specified via environment variable
+  ``ANSIBLE_SELINUX_SPECIAL_FS``
diff --git a/docs/docsite/rst/dev_guide/developing_program_flow_modules.rst b/docs/docsite/rst/dev_guide/developing_program_flow_modules.rst
@@ -429,7 +429,7 @@ files (changing attributes, moving, and copying). To set, add a comma separated
 
   # ansible.cfg
   [selinux]
-  special_context_filesystems=nfs,vboxsf,fuse,ramfs
+  special_context_filesystems=nfs,vboxsf,fuse,ramfs,vfat
 
 Most modules can use the built-in ``AnsibleModule`` methods to manipulate
 files. To access in a module that needs to know about these special context filesystems, instantiate an ``AnsibleModule`` and examine the list in
diff --git a/examples/ansible.cfg b/examples/ansible.cfg
@@ -461,7 +461,7 @@
 # file systems that require special treatment when dealing with security context
 # the default behaviour that copies the existing context or uses the user default
 # needs to be changed to use the file system dependent context.
-#special_context_filesystems=nfs,vboxsf,fuse,ramfs,9p
+#special_context_filesystems=nfs,vboxsf,fuse,ramfs,9p,vfat
 
 # Set this to yes to allow libvirt_lxc connections to work without SELinux.
 #libvirt_lxc_noseclabel = yes
diff --git a/lib/ansible/config/base.yml b/lib/ansible/config/base.yml
@@ -956,12 +956,14 @@ DEFAULT_SCP_IF_SSH:
   - {key: scp_if_ssh, section: ssh_connection}
 DEFAULT_SELINUX_SPECIAL_FS:
   name: Problematic file systems
-  default: fuse, nfs, vboxsf, ramfs, 9p
+  default: fuse, nfs, vboxsf, ramfs, 9p, vfat
   description:
     - "Some filesystems do not support safe operations and/or return inconsistent errors,
        this setting makes Ansible 'tolerate' those in the list w/o causing fatal errors."
     - Data corruption may occur and writes are not always verified when a filesystem is in the list.
-  env: []
+  env:
+  - name: ANSIBLE_SELINUX_SPECIAL_FS
+    version_added: "2.9"
   ini:
   - {key: special_context_filesystems, section: selinux}
   type: list
diff --git a/lib/ansible/module_utils/common/parameters.py b/lib/ansible/module_utils/common/parameters.py
@@ -28,7 +28,7 @@
     'module_name': ('_name', None),
     'no_log': ('no_log', False),
     'remote_tmp': ('_remote_tmp', None),
-    'selinux_special_fs': ('_selinux_special_fs', ['fuse', 'nfs', 'vboxsf', 'ramfs', '9p']),
+    'selinux_special_fs': ('_selinux_special_fs', ['fuse', 'nfs', 'vboxsf', 'ramfs', '9p', 'vfat']),
     'shell_executable': ('_shell', '/bin/sh'),
     'socket': ('_socket_path', None),
     'string_conversion_action': ('_string_conversion_action', 'warn'),
