Stop using (and breaking) /var/tmp for horizon temporary things

Until now, /var/tmp label was globally changed to another value than the default, moving from tmp_t to container_file_t due to the ":z" flag in the horizon container mount. This patch creates a subdirectory in /var/tmp, and mounts this location directly in horizon's /var/tmp - this allows to NOT change anything in horizon, while preventing potential leaks from other apps using this location. It also prevents issues with SELinux denials on that location. The special 1777 mode allows to ensure we get the right "tmp" mode on the directory, meaning: drwxrwxrwt. This patch also ensures we reset the label on /var/tmp during update and upgrade. Change-Id: I6c239065d4c92c9afc62ff4e513e6d097a06e218 Resolves: rhbz#1947532 Closes-Bug: #1925316 (cherry picked from commit bafd6aba09)
2021-04-21 11:18:36 +02:00 · 2021-04-21 11:18:36 +02:00 · ff730282aa
parent ac1584a44f
commit ff730282aa
1 changed files with 21 additions and 2 deletions
--- a/deployment/horizon/horizon-container-puppet.yaml
+++ b/deployment/horizon/horizon-container-puppet.yaml
@ -316,7 +316,7 @@ outputs:
                  - /var/lib/config-data/puppet-generated/horizon:/var/lib/kolla/config_files/src:ro
                  - /var/log/containers/horizon:/var/log/horizon:z
                  - /var/log/containers/httpd/horizon:/var/log/httpd:z
-                  - /var/tmp/:/var/tmp/:z
+                  - /var/tmp/horizon:/var/tmp/:z
                  - /var/www/:/var/www/:ro
                - if:
                    - internal_tls_enabled
@ -364,7 +364,26 @@ outputs:
            - { 'path': /var/log/containers/horizon, 'setype': svirt_sandbox_file_t, 'mode': '0750' }
            - { 'path': /var/log/containers/httpd/horizon, 'setype': svirt_sandbox_file_t, 'mode': '0750' }
            - { 'path': /var/www, 'setype': svirt_sandbox_file_t }
-      upgrade_tasks: []
+            - { 'path': /var/tmp/horizon, 'setype': svirt_sandbox_file_t, 'mode': '1777' }
+        - name: ensure /var/tmp/horizon exists on boot
+          copy:
+            dest: /etc/tmpfiles.d/var-tmp-horizon.conf
+            content: |
+              d /var/tmp/horizon 1777 root root - -
+      upgrade_tasks:
+        - name: Anchor for upgrade and update tasks
+          when: step|int == 0
+          block: &tmp_reset_label
+            - name: Reset selinux label on /var/tmp
+              file:
+                path: /var/tmp
+                state: directory
+                setype: tmp_t
+                mode: 1777
+      update_tasks:
+        - name: Anchor for upgrade and update tasks
+          when: step|int == 0
+          block: *tmp_reset_label
      external_upgrade_tasks:
        - when:
            - step|int == 1