Loading...

Type: Bug
Resolution: Unresolved
Priority: Undefined
Fix Version/s: rhel-10.2
Affects Version/s: None
Component/s: rhel-system-roles
Labels:

Regression:
None
Severity:
Low

AssignedTeam:
rhel-system-roles

Story Points:
0
Blocked:
False
Ready:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
Yes
Products:

Red Hat Enterprise Linux
Sprint:
None

Preliminary Testing:
None
Test Coverage:
None

Release Note Type:
Bug Fix
Release Note Text:

Hide
Cause:
Consequence:
Fix:
Result:

Show
Cause: Consequence: Fix: Result:
Release Note Status:
Proposed
ProdDocsReview-CCS:
Unspecified
ProdDocsReview-Dev:
Unspecified
ProdDocsReview-QE:
Unspecified

Experience:

PX Impact Score:
SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None

Message
When running the collection version `[1.10.4] ` with ansible `2.19.2` I get a templating error on Fedora 42. The host system is `MacOs 15.6.1 (24G90)`:

```
TASK [fedora.linux_system_roles.selinux : Load SELinux modules] ****************
included: ~/.ansible/collections/ansible_collections/fedora/linux_system_roles/roles/selinux/tasks/selinux_load_module.yml for master => (item=

{'name': 'unconfined', 'state': 'enabled'}

)
included: ~/.ansible/collections/ansible_collections/fedora/linux_system_roles/roles/selinux/tasks/selinux_load_module.yml for master => (item=

{'name': 'permissivedomains', 'state': 'enabled'}

)
[WARNING]: Encountered 1 template error.
error 1 - object of type 'dict' has no attribute 'path'
Origin: ~/.ansible/collections/ansible_collections/fedora/linux_system_roles/roles/selinux/tasks/selinux_load_module.yml:15:13

13 - __selinux_item.path is defined
14 block:
15 - name: Get checksum for {{ __selinux_item.path }}
^ column 13
```

The error refers to this section in [selinux_load_module.yml](https://github.com/linux-system-roles/selinux/blob/547d8fc53a89ba75449251bb58ba20bc2cf06da1/tasks/selinux_load_module.yml#L10-L28):

```yaml

name: Prepare module installation
when:
state == "enabled"
__selinux_item.path is defined
block:
name: Get checksum for {{ __selinux_item.path }} # <<<< this line
stat:
path: "{{ __resolved_file }}"
checksum_algorithm: sha256
vars:
__esc:
__glob_pat: "([*?[])"
_escaped_file: "{{ __selinux_item.path | regex_replace(_glob_pat, __esc ~ '
1') }}"
__resolved_file: "{{ lookup('fileglob', __escaped_file) }}"
register: module_file
delegate_to: localhost
become: false
[...]
```

Adding a `debug` statement just in front of the stanza yields
```json
{
"__selinux_item":

{ "name": "unconfined", "state": "enabled" }

}
```

Removing the variable from the `name` fixes the issue. To me this looks like a bug in ansible as the `when:` guard should catch this instead of err'ing out.

```yaml

name: Prepare module installation
[...]

block:

name: Get checksum for SeLinux item # <<<< in this line remove the var
[...]
```

Versions
<details>
<summary>ansible on host [core 2.19.2]</summary>

I replaced my home dir with `~` in the output:

```sh
ansible [core 2.19.2]
config file = ~/.ansible.cfg
configured module search path = ['~/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /opt/homebrew/Cellar/ansible/12.0.0/libexec/lib/python3.13/site-packages/ansible
ansible collection location = ~/.ansible/collections:/usr/share/ansible/collections
executable location = /opt/homebrew/bin//ansible
python version = 3.13.7 (main, Aug 14 2025, 11:12:11) [Clang 17.0.0 (clang-1700.0.13.3)] (/opt/homebrew/Cellar/ansible/12.0.0/libexec/bin/python)
jinja version = 3.1.6
pyyaml version = 6.0.2 (with libyaml v0.2.5)
```
</details>

```sh
head -n5 ~/.ansible/collections/ansible_collections/fedora/linux_system_roles/roles/selinux/CHANGELOG.md
Changelog
=========

[1.10.4] - 2025-08-18
--------------------
```

</details>

<details>
<summary>~/.ansible.cfg: Only debug callback</summary>

```ini
[defaults]
stdout_callback = debug
```
</details>

<details>
<summary>Managed system: Fedora 42</summary>

```sh
cat /etc/redhat-release

Fedora release 42 (Adams)
```
</details>

Maybe related

1. Output with `-vvv`
```
<127.0.0.1> ESTABLISH SSH CONNECTION FOR USER: vagrant
<127.0.0.1> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o Port=2222 -o 'IdentityFile="_{/tmp/.vagrant/machines/master/virtualbox/private_key"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="vagrant"' -o ConnectTimeout=10 -o 'ControlPath=}/.ansible/cp/055b8f4af0"' -o NumberOfPasswordPrompts=1 -tt 127.0.0.1 '/bin/sh -c '"'"'sudo -H -S -n -u root /bin/sh -c '"'"'"'"'"'"'"'"'echo BECOME-SUCCESS-widsedvjgovpvfcaalspwaoobxwbbizy ; /usr/bin/python3.13 /home/vagrant/.ansible/tmp/ansible-tmp-1758961795.960295-24142-265274328762623/AnsiballZ_selinux_modules_facts.py'"'"'"'"'"'"'"'"' && sleep 0'"'"''
<127.0.0.1> Escalation succeeded
<127.0.0.1> (0, b'\r\n{"changed": false, "ansible_facts": {"selinux_installed_modules": {"base_container": {"400": {"enabled": 1, "checksum": "sha256:c95d8badacc674ace0d2fed4fbee4d28d2a92799b23fd5cc30cfb444ee8896b7"}},
[...]
"zosremote": {"100": {"enabled": 1, "checksum": "sha256:d78bd06d2d1264726859b85d2cca02ddedd6f5a071f107aece8458f5eeb964de"}
}}, "selinux_priorities": true, "selinux_checksums": true}, "invocation": {"module_args": {}}}\r\n', b'Shared connection to 127.0.0.1 closed.\r\n')
<127.0.0.1> ESTABLISH SSH CONNECTION FOR USER: vagrant
<127.0.0.1> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o Port=2222 -o 'IdentityFile="_{/tmp/.vagrant/machines/master/virtualbox/private_key"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="vagrant"' -o ConnectTimeout=10 -o 'ControlPath=}/.ansible/cp/055b8f4af0"' -o NumberOfPasswordPrompts=1 127.0.0.1 '/bin/sh -c '"'"'rm -f -r /home/vagrant/.ansible/tmp/ansible-tmp-1758961795.960295-24142-265274328762623/ > /dev/null 2>&1 && sleep 0'"'"''
<127.0.0.1> (0, b'', b'')
ok: [master] => {
"ansible_facts": {
"selinux_checksums": true,
"selinux_installed_modules": {
"abrt":

Unknown macro: { "100"}

,
[...]
"zosremote":

Unknown macro: { "100"}

},
"selinux_priorities": true
},
"changed": false,
"invocation": {
"module_args": {}
}
}

TASK [fedora.linux_system_roles.selinux : Load SELinux modules] ****************
task path: ~/.ansible/collections/ansible_collections/fedora/linux_system_roles/roles/selinux/tasks/main.yml:162
[WARNING]: Encountered 1 template error.
error 1 - object of type 'dict' has no attribute 'path'
Origin: ~/.ansible/collections/ansible_collections/fedora/linux_system_roles/roles/selinux/tasks/selinux_load_module.yml:15:13

13 - __selinux_item.path is defined
14 block:
15 - name: Get checksum for {{ __selinux_item.path }}
^ column 13

included: ~/.ansible/collections/ansible_collections/fedora/linux_system_roles/roles/selinux/tasks/selinux_load_module.yml for master => (item=

{'name': 'unconfined', 'state': 'enabled'}

)
included: ~/.ansible/collections/ansible_collections/fedora/linux_system_roles/roles/selinux/tasks/selinux_load_module.yml for master => (item=

{'name': 'permissivedomains', 'state': 'enabled'}

)
```

1. Last occurence of __selinux_item in log before error

When grepping the output of `-vvv` the last reference to `__selinux_item` before the error is quoted below. Although this instance is found many (~2700) lines earlier in the log:

```
ok: [master] => (item=

{'name': 'user_exec_content', 'state': 'off', 'persistent': 'yes'}

) => {
"__selinux_item":

{ "name": "user_exec_content", "persistent": "yes", "state": "off" }

,
"ansible_loop_var": "__selinux_item",
"changed": false,
"invocation": {
"module_args":

{ "ignore_selinux_state": false, "name": "user_exec_content", "persistent": true, "state": false }

},
"name": "user_exec_content",
"persistent": true,
"state": false
}
```

1. Maybe related: `Task failed: process object is closed` in `Set SELinux booleans` when running with `-vvv`

```
<127.0.0.1> SSH: EXEC ssh -C -o ControlMaster=auto -o ControlPersist=60s -o StrictHostKeyChecking=no -o Port=2222 -o 'IdentityFile="/Users/jens/proj/P017-remotelab-iac/.vagrant/machines/master/virtualbox/private_key"' -o KbdInteractiveAuthentication=no -o PreferredAuthentications=gssapi-with-mic,gssapi-keyex,hostbased,publickey -o PasswordAuthentication=no -o 'User="vagrant"' -o ConnectTimeout=10 -o 'ControlPath="/Users/jens/.ansible/cp/055b8f4af0"' -o NumberOfPasswordPrompts=1 127.0.0.1 '/bin/sh -c '"'"'rm -f -r /home/vagrant/.ansible/tmp/ansible-tmp-1758961355.428307-19088-18476303292610/ > /dev/null 2>&1 && sleep 0'"'"''
<127.0.0.1> (0, b'', b'')
[ERROR]: Task failed: process object is closed
Origin: /Users/jens/.ansible/collections/ansible_collections/fedora/linux_system_roles/roles/selinux/tasks/main.yml:110:3

108 changed_when: true
109
110 - name: Set SELinux booleans
^ column 3

failed: [master] (item=

{'name': 'samba_share_fusefs', 'state': 'off', 'persistent': 'yes'}

) => {
"__selinux_item":

{ "name": "samba_share_fusefs", "persistent": "yes", "state": "off" }

,
"ansible_loop_var": "__selinux_item",
"changed": false
}

MSG:

Task failed: process object is closed
```

links to

link to github issue

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates