c71b72b296
Until now, the /var/tmp label was globally changed to a value other than
the default, moving from tmp_t to container_file_t due to the ":z" flag in
the horizon container mount.
This patch creates a subdirectory in /var/tmp, and mounts this location
directly in horizon's /var/tmp - this allows us to NOT change anything in
horizon, while preventing potential leaks from other apps using this
location. It also prevents issues with SELinux denials on that location.
The special 1777 mode allows us to ensure we get the right "tmp" mode on
the directory, meaning: drwxrwxrwt.
This patch also ensures we reset the label on /var/tmp during update and
upgrade.
Change-Id: I6c239065d4c92c9afc62ff4e513e6d097a06e218
Resolves: rhbz#1947532
Closes-Bug: #1925316
(cherry picked from commit
horizon-container-puppet.yaml