From 4abeffe64c1b4009bfea81d03241e8395d2e8ea2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=A9dric=20Jeanneret?=
Date: Wed, 21 Apr 2021 11:18:36 +0200
Subject: [PATCH] Stop using (and breaking) /var/tmp for horizon temporary things
Until now, /var/tmp label was globally changed to another value than the default, moving from tmp_t to container_file_t due to the ":z" flag in the horizon container mount. This patch creates a subdirectory in /var/tmp, and mounts this location directly in horizon's /var/tmp - this allows to NOT change anything in horizon, while preventing potential leaks from other apps using this location. It also prevents issues with SELinux denials on that location. The special 1777 mode allows to ensure we get the right "tmp" mode on the directory, meaning: drwxrwxrwt. This patch also ensures we reset the label on /var/tmp during update and upgrade.
Change-Id: I6c239065d4c92c9afc62ff4e513e6d097a06e218
Resolves: rhbz#1947532
Closes-Bug: #1925316
(cherry picked from commit bafd6aba099678846083989ce5fbdd0d09654db5)
---
 .../horizon/horizon-container-puppet.yaml | 23 +++++++++++++++++--
 1 file changed, 21 insertions(+), 2 deletions(-)
diff --git a/deployment/horizon/horizon-container-puppet.yaml b/deployment/horizon/horizon-container-puppet.yaml
index 1642f31006..93464f3030 100644
--- a/deployment/horizon/horizon-container-puppet.yaml
+++ b/deployment/horizon/horizon-container-puppet.yaml
@@ -339,7 +339,7 @@ outputs:
 - /var/lib/config-data/puppet-generated/horizon:/var/lib/kolla/config_files/src:ro
 - /var/log/containers/horizon:/var/log/horizon:z
 - /var/log/containers/httpd/horizon:/var/log/httpd:z
- - /var/tmp/:/var/tmp/:z
+ - /var/tmp/horizon:/var/tmp/:z
 - /var/www/:/var/www/:ro
 - if:
 - internal_tls_enabled
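Review bot: The new `/var/tmp/horizon:/var/tmp/:z` mount keeps the shared `:z` relabel, so the host directory ends up as container_file_t with no MCS category and is reachable from any other container that has a shared mount; since this directory now exists only for horizon, the private flag `- /var/tmp/horizon:/var/tmp/:Z` would confine it to this one container. The sibling log mounts in the same hunk also use `:z`, which looks like a project-wide convention, and the host_prep_tasks in this file set container_file_t themselves, so confirm nothing on the host needs shared access before tightening it. The enclosing volumes list starts and ends outside the hunk.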
@@ -385,7 +385,26 @@ outputs:
 - { 'path': /var/log/containers/horizon, 'setype': container_file_t, 'mode': '0750' }
 - { 'path': /var/log/containers/httpd/horizon, 'setype': container_file_t, 'mode': '0750' }
 - { 'path': /var/www, 'setype': container_file_t }
- upgrade_tasks: []
+ - { 'path': /var/tmp/horizon, 'setype': container_file_t, 'mode': '1777' }
+ - name: ensure /var/tmp/horizon exists on boot
+ copy:
+ dest: /etc/tmpfiles.d/var-tmp-horizon.conf
+ content: |
+ d /var/tmp/horizon 1777 root root - -
+ upgrade_tasks:
+ - name: Anchor for upgrade and update tasks
+ when: step|int == 0
+ block: &tmp_reset_label
+ - name: Reset selinux label on /var/tmp
+ file:
+ path: /var/tmp
+ state: directory
+ setype: tmp_t
+ mode: 1777
+ update_tasks:
+ - name: Anchor for upgrade and update tasks
+ when: step|int == 0
+ block: *tmp_reset_label
 external_upgrade_tasks:
 - when:
 - step|int == 1
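Review bot: `mode: 1777` in the "Reset selinux label on /var/tmp" task is an unquoted YAML integer, which Ansible's file module applies as decimal 1777 rather than octal, so the reset would not leave /var/tmp as the drwxrwxrwt the commit message describes; the host_prep_tasks entry a few lines earlier already quotes its mode, so write `mode: '1777'` here as well (ansible-lint's risky-octal rule flags exactly this form). Because the block is anchored as `&tmp_reset_label` and reused by update_tasks, the one-line fix covers both the upgrade and update paths. The external_upgrade_tasks list at the end of the hunk continues past it.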