Space missing in sudoers.j2 template before tags #67

@kraker

Description

If SELinux contexts are defined with TYPE and ROLE, then there's whitespace missing before tags.

Sudoers include:

      - path: /etc/sudoers.d/90-cloud-init-users
        user_specifications:
          - users: ["maintuser"]
            hosts: ["ALL"]
            operators: ["ALL"]
            selinux_type: ["unconfined_t"]
            selinux_role: ["unconfined_r"]
            tags: ["NOPASSWD"]
            commands: ["ALL"]

Error:

TASK [fedora.linux_system_roles.sudo : Ensure sudoers include files are configured] ********
skipping: [rhel9sap-stig] => (item=/etc/sudoers) 
failed: [rhel9sap-stig] (item=/etc/sudoers.d/90-cloud-init-users) => {"ansible_loop_var": "item", "changed": false, "checksum": "f12407a34c22cc9bacf8b870489f71b0e7d900de", "exit_status": 1, "item": {"path": "/etc/sudoers.d/90-cloud-init-users", "user_specifications": [{"commands": ["ALL"], "hosts": ["ALL"], "operators": ["ALL"], "selinux_role": ["unconfined_r"], "selinux_type": ["unconfined_t"], "tags": ["NOPASSWD"], "users": ["maintuser"]}]}, "msg": "failed to validate", "stderr": "/home/maintuser/.ansible/tmp/ansible-tmp-1752846390.4503267-28991-114707300652857/source:7:64: syntax error\nmaintuser ALL=(ALL) TYPE=unconfined_t ROLE=unconfined_rNOPASSWD: ALL\n                                                               ^\n", "stderr_lines": ["/home/maintuser/.ansible/tmp/ansible-tmp-1752846390.4503267-28991-114707300652857/source:7:64: syntax error", "maintuser ALL=(ALL) TYPE=unconfined_t ROLE=unconfined_rNOPASSWD: ALL", "                                                               ^"], "stdout": "", "stdout_lines": []}

PLAY RECAP *********************************************************************************
rhel9sap-stig              : ok=11   changed=0    unreachable=0    failed=1    skipped=5    rescued=0    ignored=0   

Note: this issue only seems to appear when both the SELinux and tags keys are defined. If selinux_type and selinux_role aren't defined, then it works.

Ansible version:

❯ ansible --version
ansible [core 2.16.14]
  config file = /home/akraker/repos/rhel9-stig-image/ansible/ansible.cfg
  configured module search path = ['/home/akraker/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/akraker/repos/rhel9-stig-image/venv/lib64/python3.12/site-packages/ansible
  ansible collection location = /home/akraker/repos/rhel9-stig-image/ansible/collections
  executable location = /home/akraker/repos/rhel9-stig-image/venv/bin/ansible
  python version = 3.12.5 (main, Apr  2 2025, 00:00:00) [GCC 11.5.0 20240719 (Red Hat 11.5.0-5)] (/home/akraker/repos/rhel9-stig-image/venv/bin/python3.12)
  jinja version = 3.1.6
  libyaml = True

Role release:

❯ ansible-galaxy role list | grep sudo
- fedora.linux_system_roles.sudo, 1.2.5
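The failure above is a separator bug: the template emits `ROLE=unconfined_r` and `NOPASSWD:` with nothing between them, so visudo sees one token. The following Python is an added example, not the sudo system role's template or code; it models the same `user_specifications` entry from this report, renders the line by joining tokens (so any combination of TYPE/ROLE/tags gets exactly one space), and adds a small lint pass that flags the fused `ROLE=...NOPASSWD:` token before a file is handed to `visudo -c`. The `SPEC` dict and `FUSED_LINE` string are constructed from the issue text; `SUDO_TAGS` lists the tag names documented in sudoers(5).

```python
"""Separator-safe rendering and a cheap pre-check for sudoers user specs.

Added example (not the fedora.linux_system_roles.sudo template): the data
structure and the rejected line are taken from the issue report above.
"""
import re

# Constructed sample: the user_specifications entry from the issue.
SPEC = {
    "users": ["maintuser"],
    "hosts": ["ALL"],
    "operators": ["ALL"],
    "selinux_type": ["unconfined_t"],
    "selinux_role": ["unconfined_r"],
    "tags": ["NOPASSWD"],
    "commands": ["ALL"],
}

# Constructed: the line visudo rejected in the issue (column 64 is the fused token).
FUSED_LINE = "maintuser ALL=(ALL) TYPE=unconfined_t ROLE=unconfined_rNOPASSWD: ALL"

# Tag names from sudoers(5); anything else ending in ':' is suspicious.
SUDO_TAGS = {
    "PASSWD", "NOPASSWD", "EXEC", "NOEXEC", "SETENV", "NOSETENV",
    "LOG_INPUT", "NOLOG_INPUT", "LOG_OUTPUT", "NOLOG_OUTPUT",
    "MAIL", "NOMAIL", "FOLLOW", "NOFOLLOW", "INTERCEPT", "NOINTERCEPT",
}


def render_user_spec(spec):
    """Build the user specification as a token list and join it once.

    Every optional part (TYPE, ROLE, each tag) becomes its own token, so the
    output has exactly one space between fields no matter which subset of
    keys is present. That is the property the reported template lacks.
    """
    tokens = [
        ",".join(spec["users"]),
        f"{','.join(spec['hosts'])}=({','.join(spec['operators'])})",
    ]
    if spec.get("selinux_type"):
        tokens.append("TYPE=" + ",".join(spec["selinux_type"]))
    if spec.get("selinux_role"):
        tokens.append("ROLE=" + ",".join(spec["selinux_role"]))
    tokens.extend(f"{tag}:" for tag in spec.get("tags", []))
    tokens.append(",".join(spec["commands"]))
    return " ".join(tokens)


_OPTION = re.compile(r"^(TYPE|ROLE)=[A-Za-z0-9_]+$")
_TAG = re.compile(r"^([A-Z_]+):$")


def lint_user_spec(line):
    """Return a list of problems in one rendered user specification line.

    Not a sudoers parser: it only walks the TYPE/ROLE/tag tokens that sit
    between the runas group and the command list, which is exactly where a
    missing separator in the template shows up. An empty list means clean.
    """
    problems = []
    tokens = line.split()
    if len(tokens) < 3 or "=" not in tokens[1]:
        return [f"not a user specification: {line!r}"]
    i = 2
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith(("TYPE=", "ROLE=")):
            # A ':' or other junk glued to the value means a tag was fused on.
            if not _OPTION.match(tok):
                problems.append(f"malformed SELinux option {tok!r}")
        elif _TAG.match(tok):
            if _TAG.match(tok).group(1) not in SUDO_TAGS:
                problems.append(f"unknown tag {tok!r}")
        else:
            break  # first command token; the rest is the command list
        i += 1
    if i == len(tokens):
        problems.append("no command list after tags/options")
    return problems


if __name__ == "__main__":
    print(render_user_spec(SPEC), lint_user_spec(render_user_spec(SPEC)))
    print(FUSED_LINE, lint_user_spec(FUSED_LINE))
```

Running the lint over the rendered output catches the fused token without a round trip through `visudo`, but it is a pre-check only; the role's existing validation step is still what decides whether the file is accepted.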
