Description
What happened?
I ran into errors when the cluster is in SELinux enforcing mode.
The synchronize/rsync of files works with this patch:
diff --git a/roles/download/tasks/download_file.yml b/roles/download/tasks/download_file.yml
index c53f85ce1..152e03d22 100644
--- a/roles/download/tasks/download_file.yml
+++ b/roles/download/tasks/download_file.yml
@@ -22,9 +22,10 @@
- name: Download_file | Create dest directory on node
file:
path: "{{ download.dest | dirname }}"
- owner: "{{ download.owner | default(omit) }}"
+ owner: "{{ ansible_ssh_user | default(ansible_user_id) }}"
mode: "0755"
state: directory
+ setype: "{{ (preinstall_selinux_state != 'disabled') | ternary('tmp_t', omit) }}"
recurse: true
What did you expect to happen?
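Review bot: the `owner` line drops `download.owner` altogether and keys on `ansible_ssh_user`, which is the deprecated spelling of `ansible_user`; keep the configured owner and only fall back to the connection user, e.g. `owner: "{{ download.owner | default(ansible_user | default(ansible_user_id)) }}"`. The new `setype` line is guarded by `preinstall_selinux_state`, but combined with `recurse: true` it relabels every existing file under `download.dest | dirname` as `tmp_t` on each run, and it will fight `restorecon` if any download's dest lives outside the policy's tmp tree; applying the label to the directory itself only, or registering the path with the `sefcontext` module so `restorecon` agrees, would be safer.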
Created directory is usable.
How can we reproduce it (as minimally and precisely as possible)?
CIS Hardened AlmaLinux 9.7 cluster hosts.
OS
AlmaLinux 9
Version of Ansible
ansible [core 2.17.14]
config file = /etc/ansible/ansible.cfg
configured module search path = ['/home/semaphore/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /home/semaphore/venv/lib64/python3.12/site-packages/ansible
ansible collection location = /home/semaphore/.ansible/collections:/usr/share/ansible/collections
executable location = /home/semaphore/venv/bin/ansible
python version = 3.12.11 (main, Aug 14 2025, 00:00:00) [GCC 11.5.0 20240719 (Red Hat 11.5.0-11)] (/home/semaphore/venv/bin/python3.12)
jinja version = 3.1.5
libyaml = True
Version of Python
Python 3.12.11
Version of Kubespray (commit)
Network plugin used
cilium
Full inventory with variables
NDA
Command used to invoke ansible
ansible-playbook
Output of ansible run
TASK [kubernetes_sigs.kubespray.container-engine/gvisor : Download_file | Copy file from cache to nodes, if it is available] ***
task path: /home/semaphore/tmp/project_1/.ansible/collections/ansible_collections/kubernetes_sigs/kubespray/roles/download/tasks/download_file.yml:95
fatal: [xxxxxx]: FAILED! =>
attempts: 4
changed: false
cmd: /usr/bin/rsync --delay-updates -F --compress --archive --rsh='/usr/bin/ssh -S
none -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -C -o ControlMaster=auto
-o ControlPersist=60s' --out-format='<>%i %n%L' /tmp/kubespray_cache/gvisor-runsc-20251103.0-x86_64
ansible@xxxxxx:/var/tmp/releases/gvisor-runsc-20251103.0-x86_64
msg: |-
rsync: [receiver] mkstemp "/var/tmp/releases/.gvisor-runsc-20251103.0-x86_64.mVROfm" failed: Permission denied (13)
rsync error: some files/attrs were not transferred (see previous errors) (code 23) at main.c(1327) [sender=3.2.5]
rc: 23
Anything else we need to know
The synchronize module uses rsync over SSH and will use the Ansible connection user on the remote side. The parent /tmp has tmp_t but /tmp/releases has user_tmp_t. Let's make them consistent.
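As an added example (not code from this issue or from Kubespray), a POSIX shell check for the label mismatch described above: it compares the SELinux type of a download directory with its parent, and on a live host shows what the policy would assign before anything is relabelled. The context strings at the bottom are constructed to mirror the report, not captured from a node; `stat -c %C` and `restorecon -nv` are standard coreutils/policycoreutils invocations.

```shell
#!/bin/sh
# Added example, not code from this issue or from Kubespray: compare the SELinux
# type of a download directory with its parent (the tmp_t vs user_tmp_t mismatch
# behind the rsync "Permission denied" above). The pure functions work on
# context strings so the script runs offline; check_dir reads live contexts
# with `stat -c %C` and shows what restorecon would set (policycoreutils).

# Type field (third colon-separated field) of a context such as
# unconfined_u:object_r:user_tmp_t:s0 -> user_tmp_t
se_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Compare two contexts by type. Prints a verdict; returns 0 on match, 1 on
# mismatch, so it can drive a conditional in a playbook pre-check.
labels_consistent() {
    parent_type=$(se_type "$1")
    child_type=$(se_type "$2")
    if [ "$parent_type" = "$child_type" ]; then
        printf 'ok: parent and child are both %s\n' "$parent_type"
        return 0
    fi
    printf 'mismatch: parent=%s child=%s\n' "$parent_type" "$child_type"
    return 1
}

# Live check on an SELinux host: compare DIR with its parent and, on mismatch,
# run restorecon in dry-run mode so the policy's own verdict is visible before
# anything is relabelled.
check_dir() {
    dir=$1
    parent=$(dirname "$dir")
    if labels_consistent "$(stat -c %C "$parent")" "$(stat -c %C "$dir")"; then
        return 0
    fi
    restorecon -nv "$dir"
    return 1
}

# Constructed sample mirroring the issue (not captured from a host).
SAMPLE_PARENT_CTX='system_u:object_r:tmp_t:s0'
SAMPLE_DEST_CTX='unconfined_u:object_r:user_tmp_t:s0'

# Offline demonstration; on a real node run: check_dir /var/tmp/releases
labels_consistent "$SAMPLE_PARENT_CTX" "$SAMPLE_DEST_CTX" || :
```

If `restorecon -nv` reports that it would reset the directory to `tmp_t`, a plain `restorecon -v /var/tmp/releases` fixes the label without any playbook change; if the policy has no rule for the path, `semanage fcontext -a -t tmp_t '/var/tmp/releases(/.*)?'` followed by `restorecon -Rv /var/tmp/releases` makes the label persistent so later relabels do not undo it.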