Why are SELinux contexts not set correctly when installing containerized Ansible Automation Platform 2.5?

Solution Unverified

Environment

  • Red Hat Ansible Automation Platform 2.5 (containerized setup)
  • Red Hat Enterprise Linux (RHEL) 9.x

Issue

  • After installing containerized Ansible Automation Platform 2.5 with SELinux in enforcing mode, the container data directories under the installation directory are missing the correct SELinux contexts

Resolution

  • Run the following semanage commands to register file-context rules for the AAP installation directory (/opt/aap in this example; adjust the path if AAP is installed elsewhere) so that the correct SELinux contexts are applied:

    semanage fcontext -a -t user_home_dir_t "/opt/aap(/.*)?"
    semanage fcontext -a -t container_ro_file_t "/opt/aap/.local/share/containers/storage/overlay(/.*)?"
    semanage fcontext -a -t container_ro_file_t "/opt/aap/.local/share/containers/storage/overlay2(/.*)?"
    semanage fcontext -a -t container_file_t "/opt/aap/.local/share/containers/storage/volumes/[^/]*/.*"
    semanage fcontext -a -t container_ro_file_t "/opt/aap/.local/share/containers/storage/overlay-images(/.*)?"
    semanage fcontext -a -t container_ro_file_t "/opt/aap/.local/share/containers/storage/overlay-layers(/.*)?"
    semanage fcontext -a -t container_ro_file_t "/opt/aap/.local/share/containers/storage/overlay2-images(/.*)?"
    semanage fcontext -a -t container_ro_file_t "/opt/aap/.local/share/containers/storage/overlay2-layers(/.*)?"
    
  • Please run the following command to apply the new contexts:

    restorecon -vR /opt/aap
    

Root Cause

  • The default SELinux policy (selinux-policy-targeted) generates the correct home-directory contexts (file_contexts.homedirs) automatically, but only for directories under /home
  • If AAP is installed in another location (such as /opt/aap or /srv/aap), SELinux does not recognize these paths as home directories and does not assign the container contexts. In this example, /opt/aap is used as the install location
  • Running restorecon -FRv /opt/aap in such cases applies the incorrect default labels for that location, which prevents AAP from working properly

Diagnostic Steps

  • To verify the issue and confirm the necessary fixes, please follow these steps:
  1. Check if SELinux contexts are missing or incorrectly set:

    ls -Z /opt/aap/.local/share/containers/storage/
    
  2. Verify which contexts SELinux applies by default:

    cat /etc/selinux/targeted/contexts/files/file_contexts.homedirs
    
  3. Run restorecon as a test to see whether it changes the contexts:

    restorecon -vR /opt/aap
    
  4. If needed, manually set the correct contexts (see Resolution above)
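The script below is an added example and is not part of this Red Hat article. It drives both halves of the procedure, the Resolution's semanage rules and the Diagnostic Steps' context check, from a single table of the labels listed above, so the same fix can be generated for another install location such as /srv/aap and an `ls -dZ` listing can be audited offline against the expected types. AAP_HOME defaults to /opt/aap as in the article; the table format, the helper names (rules, gen_semanage_cmds, expected_type, check_listing) and the sample listing are this example's own assumptions, and the "first matching rule wins, most specific first" ordering is the example's simplification of SELinux's own precedence.

```shell
#!/bin/sh
# Added example, not part of the Red Hat article: one table of the labels
# from the Resolution section drives both the relabelling commands and an
# offline verification of an `ls -dZ` listing. AAP_HOME defaults to /opt/aap
# as in the article; table, regexes and helper names are this example's own.

AAP_HOME="${AAP_HOME:-/opt/aap}"

# Label rules relative to the install directory, most specific first:
# "<selinux type> <path regex suffix>" (the regexes are the article's own).
rules() {
    cat <<'EOF'
container_file_t /.local/share/containers/storage/volumes/[^/]*/.*
container_ro_file_t /.local/share/containers/storage/overlay(/.*)?
container_ro_file_t /.local/share/containers/storage/overlay2(/.*)?
container_ro_file_t /.local/share/containers/storage/overlay-images(/.*)?
container_ro_file_t /.local/share/containers/storage/overlay-layers(/.*)?
container_ro_file_t /.local/share/containers/storage/overlay2-images(/.*)?
container_ro_file_t /.local/share/containers/storage/overlay2-layers(/.*)?
user_home_dir_t (/.*)?
EOF
}

# gen_semanage_cmds: prints the `semanage fcontext -a` lines for AAP_HOME,
# so the same fix can be produced for /srv/aap or any other install location.
gen_semanage_cmds() {
    rules | while read -r t re; do
        printf 'semanage fcontext -a -t %s "%s%s"\n' "$t" "$AAP_HOME" "$re"
    done
}

# expected_type PATH: the type the rules assign to PATH, or "unknown" when no
# rule matches. First match wins because the table is ordered most specific
# first (the example's simplification of SELinux's own precedence).
expected_type() {
    p="$1"
    t=$(rules | while read -r t re; do
            if printf '%s\n' "$p" | grep -Eq "^${AAP_HOME}${re}\$"; then
                printf '%s' "$t"
                break
            fi
        done)
    printf '%s\n' "${t:-unknown}"
}

# check_listing: reads "CONTEXT PATH" lines (the format `ls -dZ` prints) on
# stdin and reports every path whose type differs from the expected one.
# Returns 0 when all paths are labelled correctly, 1 otherwise.
check_listing() {
    rc=0
    while read -r ctx path; do
        [ -n "$path" ] || continue
        have=$(printf '%s' "$ctx" | cut -d: -f3)
        want=$(expected_type "$path")
        if [ "$have" != "$want" ]; then
            printf 'MISMATCH %s have=%s want=%s\n' "$path" "$have" "$want"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample listing (not captured from a real host). The first two
# lines are correctly labelled; the last two carry a generic label instead of
# the container types, as happens when /opt/aap is not treated as a home dir.
SAMPLE_LISTING='system_u:object_r:user_home_dir_t:s0 /opt/aap
system_u:object_r:container_ro_file_t:s0 /opt/aap/.local/share/containers/storage/overlay
unconfined_u:object_r:usr_t:s0 /opt/aap/.local/share/containers/storage/overlay-images
unconfined_u:object_r:usr_t:s0 /opt/aap/.local/share/containers/storage/volumes/postgresql/_data'

# count_mismatches: number of wrongly labelled paths in the sample listing.
count_mismatches() {
    printf '%s\n' "$SAMPLE_LISTING" | check_listing | wc -l | tr -d ' '
}

# Demo: print the commands the fix needs, then audit the sample listing.
# On a real host feed the checker a live listing instead, for example:
#   ls -dZ /opt/aap /opt/aap/.local/share/containers/storage/* | check_listing
gen_semanage_cmds
printf '%s\n' "$SAMPLE_LISTING" | check_listing ||
    echo "relabel needed: apply the rules above, then restorecon -vR $AAP_HOME"
```

The checker is deliberately read-only: it reports which paths would be relabelled without touching the system, which makes it usable as a pre-change audit before and a verification step after running the semanage rules and restorecon -vR.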

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
