theforeman / foreman-fapolicyd

GNU General Public License v3.0

Ansible playbook runs fail #8

Closed ehelms closed 10 months ago

ehelms commented 11 months ago

These in particular were seen executing the Cloud Connector playbook:

rule=16 dec=deny_audit perm=open auid=-1 pid=11226 exe=/usr/bin/sftp : path=/tmp/ansible-local-111181v8h83yo/tmpqznvcdw2 ftype=text/x-python trust=0
rule=16 dec=deny_audit perm=open auid=-1 pid=11246 exe=/usr/bin/scp : path=/tmp/ansible-local-111181v8h83yo/tmpqznvcdw2 ftype=text/x-python trust=0
rule=16 dec=deny_audit perm=open auid=-1 pid=11124 exe=/usr/bin/python3.11 : path=/tmp/ansible-local-111181v8h83yo/tmpqznvcdw2 ftype=text/x-python trust=0

Options:

  1. Add some dedicated rules (but this could be hard given the number of executables)
  2. Change the tmp dir configured
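The denials above, parsed and collapsed into the narrowest allow rules option 1 would need, as an added example that is not part of this issue or the foreman-fapolicyd project. The log lines are constructed from the format shown in the report (the three real ones plus two extra to show grouping), the `tmpXXXXXXXX` / `ansible-local-*` patterns are assumptions about how Ansible names its temp files, and the emitted rule text follows fapolicyd.rules(5) as I understand it and must be reviewed before it goes into /etc/fapolicyd/rules.d/:

```python
"""Triage fapolicyd deny_audit lines and sketch candidate allow rules.

Added example, not project code. The rule syntax assumed here is
'allow perm=<op> exe=<path> : dir=<dir>/ ftype=<mime>' from fapolicyd.rules(5).
"""
import re
from collections import defaultdict
from pathlib import PurePosixPath

# Constructed sample: the three lines from the issue, one more Ansible denial,
# and an unrelated allow decision that the triage must ignore.
SAMPLE_LOG = """\
rule=16 dec=deny_audit perm=open auid=-1 pid=11226 exe=/usr/bin/sftp : path=/tmp/ansible-local-111181v8h83yo/tmpqznvcdw2 ftype=text/x-python trust=0
rule=16 dec=deny_audit perm=open auid=-1 pid=11246 exe=/usr/bin/scp : path=/tmp/ansible-local-111181v8h83yo/tmpqznvcdw2 ftype=text/x-python trust=0
rule=16 dec=deny_audit perm=open auid=-1 pid=11124 exe=/usr/bin/python3.11 : path=/tmp/ansible-local-111181v8h83yo/tmpqznvcdw2 ftype=text/x-python trust=0
rule=16 dec=deny_audit perm=open auid=-1 pid=11300 exe=/usr/bin/python3.11 : path=/tmp/ansible-local-111181v8h83yo/tmpabc123/AnsiballZ_setup.py ftype=text/x-python trust=0
rule=9 dec=allow perm=execute auid=1000 pid=11301 exe=/usr/bin/bash : path=/usr/bin/ls ftype=application/x-executable trust=1
"""

KV = re.compile(r"(\w+)=(\S+)")
# Assumed naming of Ansible's per-run temp directories and mkstemp-style files.
RANDOM_DIR = re.compile(r"^(ansible-local-\S+|tmp[0-9a-z_]{6,})$")


def parse_line(line):
    """Split one fapolicyd decision line into its subject and object fields.

    The line is '<subject attrs> : <object attrs>'; both halves are key=value.
    """
    subj, sep, obj = line.partition(" : ")
    if not sep:
        return None
    return {"subject": dict(KV.findall(subj)), "object": dict(KV.findall(obj))}


def denials(text):
    """Yield only the records whose decision was deny or deny_audit."""
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec["subject"].get("dec", "").startswith("deny"):
            yield rec


def rule_dir(path):
    """Return the first stable parent directory of PATH, with a trailing '/'.

    Randomly named components (ansible-local-*, tmpXXXXXXXX) are dropped
    because a rule pinned to them would never match the next run.
    """
    kept = []
    for part in PurePosixPath(path).parent.parts:
        if part == "/":
            continue
        if RANDOM_DIR.match(part):
            break
        kept.append(part)
    return "/" + "/".join(kept) + "/" if kept else "/"


def candidate_rules(text):
    """Group denials by (exe, stable dir, ftype) and emit one allow rule each.

    If the same group was denied for several perms, fall back to perm=any.
    """
    groups = defaultdict(set)
    for rec in denials(text):
        subj, obj = rec["subject"], rec["object"]
        key = (subj.get("exe", "?"), rule_dir(obj.get("path", "/")), obj.get("ftype", "?"))
        groups[key].add(subj.get("perm", "any"))
    rules = []
    for (exe, directory, ftype), perms in sorted(groups.items()):
        perm = next(iter(perms)) if len(perms) == 1 else "any"
        rules.append(f"allow perm={perm} exe={exe} : dir={directory} ftype={ftype}")
    return rules


if __name__ == "__main__":
    for rule in candidate_rules(SAMPLE_LOG):
        print(rule)
```

Running it against the sample prints three rules, one per executable (python3.11, scp, sftp), each scoped to `dir=/tmp/ ftype=text/x-python`. That is as tight as an exact-match `exe=` rule can get here, and it still lets each of those programs open any untrusted Python source anywhere under /tmp/; with more Ansible modules the list of executables grows, which is the cost option 1 refers to. Try generated rules with `permissive = 1` in fapolicyd.conf first so they only log.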

evgeni commented 11 months ago

/tmp/ is set here: https://github.com/theforeman/puppet-foreman_proxy/blob/fbf33227165c56f8077cfba84738941d6133285b/templates/plugin/ansible.env.erb#L3

If we set working_dir to something more private, we could get away with a stricter rule? (but keep in mind that /tmp/foreman-proxy might be unwise, if the caller doesn't ensure it's not a symlink to prevent attacks)

Or we could set PrivateTmp in foreman-proxy.service, which would fix this, right?

ehelms commented 10 months ago

> Or we could set PrivateTmp in foreman-proxy.service, which would fix this, right?

I will have to test this; since it is calling out to Ansible, I do not know if PrivateTmp extends.

ehelms commented 10 months ago

Tested and setting PrivateTmp on foreman-proxy did solve the Cloud Connector invocation issue.

evgeni commented 10 months ago

https://github.com/theforeman/smart-proxy/pull/879 was merged and I could run the plugins pipeline, which includes Ansible tests just fine, so I am going to close this one as completed.