Stop using (and breaking) /var/tmp for horizon temporary things
Until now, the /var/tmp label was globally changed to a value other than the default, moving from tmp_t to container_file_t due to the ":z" flag on the horizon container mount. This patch creates a subdirectory in /var/tmp and mounts that location directly as horizon's /var/tmp - this means nothing needs to change in horizon, while preventing potential leaks from other apps using this location. It also prevents issues with SELinux denials on that location. The special 1777 mode ensures we get the right "tmp" mode on the directory, meaning: drwxrwxrwt. This patch also ensures we reset the label on /var/tmp during update and upgrade. Change-Id: I6c239065d4c92c9afc62ff4e513e6d097a06e218 Resolves: rhbz#1947532 Closes-Bug: #1925316
parent
d0842812c8
commit
bafd6aba09
|
@ -329,7 +329,7 @@ outputs:
|
|||
- /var/lib/config-data/puppet-generated/horizon:/var/lib/kolla/config_files/src:ro
|
||||
- /var/log/containers/horizon:/var/log/horizon:z
|
||||
- /var/log/containers/httpd/horizon:/var/log/httpd:z
|
||||
- /var/tmp/:/var/tmp/:z
|
||||
- /var/tmp/horizon:/var/tmp/:z
|
||||
- /var/www/:/var/www/:ro
|
||||
- if:
|
||||
- internal_tls_enabled
|
||||
|
@ -375,7 +375,26 @@ outputs:
|
|||
- { 'path': /var/log/containers/horizon, 'setype': container_file_t, 'mode': '0750' }
|
||||
- { 'path': /var/log/containers/httpd/horizon, 'setype': container_file_t, 'mode': '0750' }
|
||||
- { 'path': /var/www, 'setype': container_file_t }
|
||||
upgrade_tasks: []
|
||||
- { 'path': /var/tmp/horizon, 'setype': container_file_t, 'mode': '1777' }
|
||||
- name: ensure /var/tmp/horizon exists on boot
|
||||
copy:
|
||||
dest: /etc/tmpfiles.d/var-tmp-horizon.conf
|
||||
content: |
|
||||
d /var/tmp/horizon 1777 root root - -
|
||||
upgrade_tasks:
|
||||
- name: Anchor for upgrade and update tasks
|
||||
when: step|int == 0
|
||||
block: &tmp_reset_label
|
||||
- name: Reset selinux label on /var/tmp
|
||||
file:
|
||||
path: /var/tmp
|
||||
state: directory
|
||||
setype: tmp_t
|
||||
mode: 1777
|
||||
update_tasks:
|
||||
- name: Anchor for upgrade and update tasks
|
||||
when: step|int == 0
|
||||
block: *tmp_reset_label
|
||||
external_upgrade_tasks:
|
||||
- when:
|
||||
- step|int == 1
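Review bot: `mode: 1777` in the "Reset selinux label on /var/tmp" task is an unquoted plain scalar, so the YAML 1.1 loader Ansible uses reads it as the decimal integer 1777 (octal 3361) rather than the intended sticky-bit 1777, and the file module documentation states that a number without a leading zero is used as that decimal value; the same hunk writes the host-prep entry as `'mode': '1777'`, so the reset task should match it: `mode: '1777'`. The reset task also relabels only the /var/tmp directory itself (no `recurse`), so files other applications created there while it carried container_file_t keep that label; whether a one-off restorecon of the existing contents is wanted on update is worth confirming. In the first hunk, `/var/tmp/horizon:/var/tmp/:z` shares the label with every other `:z` mount on the host; if nothing else needs to read this directory, `:Z` would give the horizon container a private MCS label - presumably `:z` was kept to match the rest of the template, so treat that as a question rather than a defect. The enclosing `outputs:` mapping starts outside both hunks.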
|
||||
|
|