Stop using (and breaking) /var/tmp for horizon temporary things
Until now, the /var/tmp label was globally changed to a value other than the
default, moving from tmp_t to container_file_t due to the ":z" flag in
the horizon container mount.
This patch creates a subdirectory in /var/tmp and mounts this location
directly in horizon's /var/tmp. This allows us to NOT change anything in
horizon, while preventing potential leaks from other apps using this
location. It also prevents issues with SELinux denials on that location.
The special 1777 mode ensures we get the right "tmp" mode on
the directory, meaning: drwxrwxrwt.
This patch also ensures we reset the label on /var/tmp during update and
upgrade.
Change-Id: I6c239065d4c92c9afc62ff4e513e6d097a06e218
Resolves: rhbz#1947532
Closes-Bug: #1925316
(cherry picked from commit bafd6aba09)
parent 81c4e559f5
commit c71b72b296
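As an added example (not part of this change or of tripleo-heat-templates), the following POSIX sh check audits the layout the commit message describes from `stat -c '%n %a %C'` output: /var/tmp back to tmp_t with mode 1777, /var/tmp/horizon typed container_file_t with mode 1777, and any other entry under /var/tmp still carrying container_file_t flagged as a leftover of the old global ":z" relabel. The stat output embedded below is constructed, not captured from a real controller; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example (not from this change or tripleo-heat-templates): audit the
# /var/tmp layout the commit message describes from `stat -c '%n %a %C'` output.
#
# Expected end state after the patch:
#   /var/tmp          1777  tmp_t              (back to the default label)
#   /var/tmp/horizon  1777  container_file_t   (the only path the :z mount relabels)
# Anything else under /var/tmp still typed container_file_t is a leftover of the
# old global ':z' relabel and is reported as a leak.

# Constructed sample of `stat -c '%n %a %C' /var/tmp /var/tmp/*`; not captured
# from a real host.
SAMPLE_STAT='/var/tmp 1777 system_u:object_r:tmp_t:s0
/var/tmp/horizon 1777 system_u:object_r:container_file_t:s0
/var/tmp/systemd-private-0123 700 system_u:object_r:tmp_t:s0
/var/tmp/stale-upload 755 system_u:object_r:container_file_t:s0'

# selinux_type CONTEXT -> SELinux type (third field of user:role:type:level)
selinux_type() {
    rest=${1#*:}            # drop user
    rest=${rest#*:}         # drop role
    printf '%s\n' "${rest%%:*}"
}

# check_entry MODE CONTEXT WANT_MODE WANT_TYPE -> 0 if both match
check_entry() {
    [ "$1" = "$3" ] && [ "$(selinux_type "$2")" = "$4" ]
}

# audit_var_tmp STAT_OUTPUT -> prints one line per finding; exit status is the
# number of findings (0 = layout is as the patch intends)
audit_var_tmp() {
    findings=0
    while read -r path mode ctx; do
        [ -n "$path" ] || continue
        case "$path" in
            /var/tmp)
                check_entry "$mode" "$ctx" 1777 tmp_t ||
                    { echo "BAD  $path: $mode $(selinux_type "$ctx"), want 1777 tmp_t"; findings=$((findings + 1)); } ;;
            /var/tmp/horizon)
                check_entry "$mode" "$ctx" 1777 container_file_t ||
                    { echo "BAD  $path: $mode $(selinux_type "$ctx"), want 1777 container_file_t"; findings=$((findings + 1)); } ;;
            *)
                if [ "$(selinux_type "$ctx")" = container_file_t ]; then
                    echo "LEAK $path: still container_file_t from the old global :z relabel"
                    findings=$((findings + 1))
                fi ;;
        esac
    done <<EOF
$1
EOF
    return "$findings"
}

# Demo run against the constructed sample; on a real host feed it
#   audit_var_tmp "$(stat -c '%n %a %C' /var/tmp /var/tmp/*)"
audit_var_tmp "$SAMPLE_STAT" || echo "findings: $?"
```

The stale-upload entry in the sample is exactly the kind of file the commit message calls a potential leak: it was relabeled when the whole of /var/tmp was mounted with ":z", and resetting the label on the /var/tmp directory alone does not touch it.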
@ -345,7 +345,7 @@ outputs:
- /var/lib/config-data/puppet-generated/horizon:/var/lib/kolla/config_files/src:ro
- /var/log/containers/horizon:/var/log/horizon:z
- /var/log/containers/httpd/horizon:/var/log/httpd:z
- /var/tmp/:/var/tmp/:z
- /var/tmp/horizon:/var/tmp/:z
- /var/www/:/var/www/:ro
- if:
- internal_tls_enabled
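Review bot: the new bind source /var/tmp/horizon must exist on the host with mode 1777 before the horizon container first starts; if it is missing, the container runtime creates the source directory itself as a root-owned, non-world-writable directory and horizon's httpd cannot write to its /var/tmp. The ownership entry and the tmpfiles.d drop-in added in the next hunk provide the directory, but the tmpfiles.d file only takes effect at boot, so on a fresh deploy the ownership step has to be ordered ahead of the container start. Keeping ":z" (shared relabel) is consistent with the explicit container_file_t setype applied to that directory; a short comment in the template that the relabel is now scoped to /var/tmp/horizon and no longer touches /var/tmp itself would save the next reader from re-deriving why the mount changed.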
@ -391,7 +391,26 @@ outputs:
- { 'path': /var/log/containers/horizon, 'setype': container_file_t, 'mode': '0750' }
- { 'path': /var/log/containers/httpd/horizon, 'setype': container_file_t, 'mode': '0750' }
- { 'path': /var/www, 'setype': container_file_t }
upgrade_tasks: []
- { 'path': /var/tmp/horizon, 'setype': container_file_t, 'mode': '1777' }
- name: ensure /var/tmp/horizon exists on boot
copy:
dest: /etc/tmpfiles.d/var-tmp-horizon.conf
content: |
d /var/tmp/horizon 1777 root root - -
upgrade_tasks:
- name: Anchor for upgrade and update tasks
when: step|int == 0
block: &tmp_reset_label
- name: Reset selinux label on /var/tmp
file:
path: /var/tmp
state: directory
setype: tmp_t
mode: 1777
update_tasks:
- name: Anchor for upgrade and update tasks
when: step|int == 0
block: *tmp_reset_label
external_upgrade_tasks:
- when:
- step|int == 1
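Review bot: "mode: 1777" in the "Reset selinux label on /var/tmp" task is an unquoted YAML integer, so Ansible's file module receives decimal 1777 rather than octal 1777 and the reset would leave /var/tmp with the wrong permissions; quote it as mode: '1777' (or write 01777), matching the quoted '1777' used in the ownership entry for /var/tmp/horizon in the same hunk. Separately, file with state: directory and setype: tmp_t relabels only the /var/tmp directory itself, whereas the previous global ":z" mount relabeled its existing contents to container_file_t as well; if those leftover labels are meant to be cleaned up on update and upgrade too, add recurse: yes or follow the task with a restorecon over /var/tmp, and say in the task name which of the two behaviours is intended.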