Ensure we set proper SELinux label on container-puppet.sh

Just to ensure we have the right label, even if something does mount the
directory with re-labelling. This would avoid any race-condition chance.

Also update old svirt_sandbox_file_t alias since the common thing is
"container_file_t".

Change-Id: Ic036ad901885f9d8c8072b560f2d9f3c8e919d58
Closes-Bug: #1854377
changes/02/696602/2
Cédric Jeanneret 3 years ago
parent 9af663bc20
commit 3b146b1e45

@ -4,13 +4,13 @@
when: "tripleo_minor_update is not defined or tripleo_minor_update != 'true'"
- name: Create /var/lib/container-puppet
no_log: True
file: path=/var/lib/container-puppet state=directory setype=svirt_sandbox_file_t selevel=s0 recurse=true
file: path=/var/lib/container-puppet state=directory setype=container_file_t selevel=s0 recurse=true
- name: Write container-puppet.py
no_log: True
copy: src=docker_puppet_script.yaml dest=/var/lib/container-puppet/container-puppet.py force=yes mode=0600
- name: Write container-puppet.sh
no_log: True
copy: src=container_puppet_script.yaml dest=/var/lib/container-puppet/container-puppet.sh force=yes mode=0755
copy: src=container_puppet_script.yaml dest=/var/lib/container-puppet/container-puppet.sh force=yes mode=0755 setype=container_file_t
{%- for role in roles %}
- import_tasks: {{role.name}}/deploy_steps_tasks.yaml

@ -1577,7 +1577,7 @@ outputs:
copy: src=docker_puppet_script.yaml dest=/var/lib/container-puppet/container-puppet.py force=yes mode=0600
- name: Write container-puppet.sh
no_log: True
copy: src=container_puppet_script.yaml dest=/var/lib/container-puppet/container-puppet.sh force=yes mode=0755
copy: src=container_puppet_script.yaml dest=/var/lib/container-puppet/container-puppet.sh force=yes mode=0755 setype=container_file_t
- include_tasks: fast_forward_upgrade_prep_role_tasks.yaml
with_sequence: start=0 end={{fast_forward_upgrade_prep_steps_max}}
loop_control:

Loading…
Cancel
Save