Avoid "-a" cp option in order to avoid SELinux AVC

Using "cp -a" in a container might lead to SELinux failures, since this option is a shortcut for "-dR --preserve=all". The "all" has the context, and we do not allow SELinux relabelling within containers. Splitting the "-a" to "-dR --preserve" will provide the same end results, but without the relabelling, preventing audit.log to fill up during the deploy. Closes-Bug: #1819459 Change-Id: Ic280ad8e95fcc32986987f5abaa524f171d7c13b
2019-03-14 08:45:14 +01:00 · 2019-03-14 08:45:14 +01:00 · c55cf61c99
commit c55cf61c99
parent b80abea3b4
1 changed files with 1 additions and 1 deletions
--- a/deployment/swift/swift-ringbuilder-container-puppet.yaml
+++ b/deployment/swift/swift-ringbuilder-container-puppet.yaml
@ -120,7 +120,7 @@ outputs:
              # Use bash to run the cp command so that wildcards can be used
              - '/bin/bash'
              - '-c'
-              - 'cp -v -a -t /etc/swift /swift_ringbuilder/etc/swift/*.gz /swift_ringbuilder/etc/swift/*.builder /swift_ringbuilder/etc/swift/backups'
+              - 'cp -v -dR --preserve -t /etc/swift /swift_ringbuilder/etc/swift/*.gz /swift_ringbuilder/etc/swift/*.builder /swift_ringbuilder/etc/swift/backups'
            volumes:
              - /var/lib/config-data/puppet-generated/swift/etc/swift:/etc/swift:rw,z
              - /var/lib/config-data/swift_ringbuilder:/swift_ringbuilder:ro