From 2851c49d0e98985a4bbc7eecd5240e6bcd875919 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=A9dric=20Jeanneret?=
Date: Wed, 31 Mar 2021 08:37:35 +0200
Subject: [PATCH] Move tmpwatch from cron.daily to actual root crontab

It appeary running the tmpwatch from the cron.daily location isn't possible: the way cron/anacron is running things appears to break SELinux context at some point, leading to SELinux denials caused by a weird need for dac_override. In order to NOT allow this dac_override (security hazard), and after extensive testing, it seems it's better to push the job directly in root's crontab.

Change-Id: Ib7e1d47fe7cffa2bd2ed1d72d94e4f380162f10a
Closes-Bug: #1922002
Resolves: rhbz#1944466
(cherry picked from commit 1c7657b00b3a71e3c38b354cb40b00fa72796d4f)
---
 .../logrotate-crond-container-puppet.yaml | 45 ++++++++++++-------
 1 file changed, 30 insertions(+), 15 deletions(-)

diff --git a/deployment/logrotate/logrotate-crond-container-puppet.yaml b/deployment/logrotate/logrotate-crond-container-puppet.yaml
index 5cf8894cf1..434d8ea246 100644
--- a/deployment/logrotate/logrotate-crond-container-puppet.yaml
+++ b/deployment/logrotate/logrotate-crond-container-puppet.yaml
@@ -107,21 +107,36 @@ outputs:
 deploy_steps_tasks:
 - name: configure tmpwatch on the host
 when: step|int == 2
- copy:
- dest: /etc/cron.daily/containers-tmpwatch
- owner: root
- group: root
- mode: 0755
- content: |
- #!/bin/sh
- tmpwatch --nodirs \
- -X "/var/log/containers/*/*log" \
- -X "/var/log/containers/*/*/*log" \
- -X "/var/log/containers/*/*err" \
- {{ LogrotatePurgeAfterDays|int +1 }}d \
- /var/log/containers/ 2>&1 | logger -t container-tmpwatch
- vars:
- LogrotatePurgeAfterDays: {get_param: LogrotatePurgeAfterDays}
+ block:
+ - name: Push script
+ copy:
+ dest: /usr/local/sbin/containers-tmpwatch
+ owner: root
+ group: root
+ mode: 0755
+ content: |
+ #!/bin/sh
+ tmpwatch --nodirs \
+ -X "/var/log/containers/*/*log" \
+ -X "/var/log/containers/*/*/*log" \
+ -X "/var/log/containers/*/*err" \
+ {{ LogrotatePurgeAfterDays|int +1 }}d \
+ /var/log/containers/ 2>&1 | logger -t container-tmpwatch
+ vars:
+ LogrotatePurgeAfterDays: {get_param: LogrotatePurgeAfterDays}
+ - name: Insert cronjob in root crontab
+ cron:
+ name: "Remove old logs"
+ special_time: "daily"
+ user: "root"
+ job: "/usr/local/sbin/containers-tmpwatch"
+ update_tasks: &tmpwatch_script_clean
+ - name: Ensure old cron.daily is absent
+ when: step|int == 1
+ file:
+ path: /etc/cron.daily/containers-tmpwatch
+ state: absent
+ upgrade_tasks: *tmpwatch_script_clean
 # BEGIN DOCKER SETTINGS
 puppet_config:
 config_volume: crond
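Review bot: The script scheduled by the new `Insert cronjob in root crontab` task still invokes `tmpwatch` and `logger` by bare name, but a root crontab entry does not get the PATH that the cron.daily/anacron path provides (on RHEL-family hosts /etc/crontab and /etc/anacrontab set a PATH that includes /usr/sbin, whereas cronie's default for user crontabs is, as far as I can tell, `/usr/bin:/bin`), so the daily run may degrade to a `command not found` line in syslog instead of purging anything. Writing the absolute path in the pushed script, `/usr/sbin/tmpwatch --nodirs \`, or adding `PATH=/usr/sbin:/usr/bin:/sbin:/bin` after the shebang, removes the dependency on crond's environment and is worth verifying on a deployed node. The cron module identifies the entry by `name`, so the generic `name: "Remove old logs"` can be overwritten by, or overwrite, any other play that chooses the same label in root's crontab; a service-specific marker such as `name: "containers-tmpwatch: remove old container logs"` avoids that. The unquoted `mode: 0755` is a YAML 1.1 octal literal (carried over from the removed lines); `mode: "0755"` is the portable spelling. The enclosing `role_data` mapping starts before this hunk.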