Ensure we set proper SELinux label on container-puppet.sh

Just to ensure we have the right label, even if something does mount the directory with re-labelling. This would avoid any race-condition chance. Also update old svirt_sandbox_file_t alias since the common thing is "container_file_t". Change-Id: Ic036ad901885f9d8c8072b560f2d9f3c8e919d58 Closes-Bug: #1854377
3 years ago · 3b146b1e45
parent 9af663bc20
commit 3b146b1e45
2 changed files with 3 additions and 3 deletions
--- a/common/deploy-steps-tasks-step-0.j2.yaml
+++ b/common/deploy-steps-tasks-step-0.j2.yaml
@ -4,13 +4,13 @@
  when: "tripleo_minor_update is not defined or tripleo_minor_update != 'true'"
 - name: Create /var/lib/container-puppet
  no_log: True
-  file: path=/var/lib/container-puppet state=directory setype=svirt_sandbox_file_t selevel=s0 recurse=true
+  file: path=/var/lib/container-puppet state=directory setype=container_file_t selevel=s0 recurse=true
 - name: Write container-puppet.py
  no_log: True
  copy: src=docker_puppet_script.yaml dest=/var/lib/container-puppet/container-puppet.py force=yes mode=0600
 - name: Write container-puppet.sh
  no_log: True
-  copy: src=container_puppet_script.yaml dest=/var/lib/container-puppet/container-puppet.sh force=yes mode=0755
+  copy: src=container_puppet_script.yaml dest=/var/lib/container-puppet/container-puppet.sh force=yes mode=0755 setype=container_file_t

 {%- for role in roles %}
 - import_tasks: {{role.name}}/deploy_steps_tasks.yaml
--- a/common/deploy-steps.j2
+++ b/common/deploy-steps.j2
@ -1577,7 +1577,7 @@ outputs:
                  copy: src=docker_puppet_script.yaml dest=/var/lib/container-puppet/container-puppet.py force=yes mode=0600
                - name: Write container-puppet.sh
                  no_log: True
-                  copy: src=container_puppet_script.yaml dest=/var/lib/container-puppet/container-puppet.sh force=yes mode=0755
+                  copy: src=container_puppet_script.yaml dest=/var/lib/container-puppet/container-puppet.sh force=yes mode=0755 setype=container_file_t
                - include_tasks: fast_forward_upgrade_prep_role_tasks.yaml
                  with_sequence: start=0 end={{fast_forward_upgrade_prep_steps_max}}
                  loop_control: