Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1947532

Summary: /var/tmp is mounted in the horizon container with :z which resets the selinux context to container instead of tmp context
Product: Red Hat OpenStack
Reporter: David Hill <dhill>
Component: openstack-tripleo-heat-templates
Assignee: Cédric Jeanneret <cjeanner>
Status: CLOSED ERRATA
QA Contact: ikanias
Severity: urgent
Priority: high
Version: 16.1 (Train)
CC: alisci, aschultz, bdobreli, cjeanner, jhajyahy, jpichon, mburns, rdopiera, slinaber, spower
Target Milestone: z6
Keywords: Triaged
Target Release: 16.1 (Train on RHEL 8.2)
Hardware: x86_64
OS: All
Fixed In Version: openstack-tripleo-heat-templates-11.3.2-1.20210408163451.el8ost
Last Closed: 2021-05-26 13:52:43 UTC
Type: Bug

Description David Hill 2021-04-08 16:47:34 UTC
Description of problem:
/var/tmp is mounted in the horizon container with :z, which resets the selinux context to container instead of tmp context, which appears to be breaking user ability to use /var/tmp. I traced it back to this commit, but the bug mentioned is a catchall bug ...

commit a75cc9a9539bc8d6367f5771325914f15593e422
Author: Takashi Kajinami <tkajinam>
Date:   Mon Aug 19 13:36:17 2019 +0900

    Use /var/tmp on host to store temporal files for image upload via Horizon
    
    Previously we use /tmp inside horizon container to store temporal files
    for image upload via Horizon, but this makes the image size grow for
    each upload operation.
    
    This patch makes sure that we use host directory to store temporal
    file, so that it is not written inside container.
    
    Change-Id: Ic32e7a2db83bb5a0fb3c69708be9be96435dd030
    Closes-Bug: 1840607


Comment 1 David Hill 2021-04-08 16:54:20 UTC
[dhill@knox openstack-tripleo-heat-templates]$ ls -tlraZ /var/tmp
total 64
drwxr-xr-x.  2 abrt   abrt   system_u:object_r:abrt_var_cache_t:s0 4096 Aug  3  2018 abrt
drwxr-xr-x. 21 root   root   system_u:object_r:var_t:s0            4096 Feb  4 08:40 ..
-rw-------.  1 akmods akmods system_u:object_r:tmp_t:s0            1912 Mar 14 12:06 rpm-tmp.sECt4A
drwx------.  3 root   root   system_u:object_r:tmp_t:s0            4096 Apr  6 13:37 systemd-private-b87efd85b33247fc876533eff17301e7-systemd-oomd.service-YPQutY
drwx------.  3 root   root   system_u:object_r:tmp_t:s0            4096 Apr  6 13:37 systemd-private-b87efd85b33247fc876533eff17301e7-systemd-resolved.service-MNV5wN
drwx------.  3 root   root   system_u:object_r:tmp_t:s0            4096 Apr  6 13:37 systemd-private-b87efd85b33247fc876533eff17301e7-ModemManager.service-w9r18b
drwx------.  3 root   root   system_u:object_r:tmp_t:s0            4096 Apr  6 13:37 systemd-private-b87efd85b33247fc876533eff17301e7-bluetooth.service-z8zE6X
drwx------.  3 root   root   system_u:object_r:tmp_t:s0            4096 Apr  6 13:37 systemd-private-b87efd85b33247fc876533eff17301e7-chronyd.service-1APzFW
drwx------.  3 root   root   system_u:object_r:tmp_t:s0            4096 Apr  6 13:37 systemd-private-b87efd85b33247fc876533eff17301e7-low-memory-monitor.service-7Wj8od
drwx------.  3 root   root   system_u:object_r:tmp_t:s0            4096 Apr  6 13:37 systemd-private-b87efd85b33247fc876533eff17301e7-power-profiles-daemon.service-qbfI8O
drwx------.  3 root   root   system_u:object_r:tmp_t:s0            4096 Apr  6 13:37 systemd-private-b87efd85b33247fc876533eff17301e7-rtkit-daemon.service-NFwJPB
drwx------.  3 root   root   system_u:object_r:tmp_t:s0            4096 Apr  6 13:37 systemd-private-b87efd85b33247fc876533eff17301e7-switcheroo-control.service-VwN7Tu
drwx------.  3 root   root   system_u:object_r:tmp_t:s0            4096 Apr  6 13:37 systemd-private-b87efd85b33247fc876533eff17301e7-systemd-logind.service-I1vcFk
drwx------.  3 root   root   system_u:object_r:tmp_t:s0            4096 Apr  6 13:37 systemd-private-b87efd85b33247fc876533eff17301e7-colord.service-2ZdkBD
drwx------.  3 root   root   system_u:object_r:tmp_t:s0            4096 Apr  6 13:37 systemd-private-b87efd85b33247fc876533eff17301e7-upower.service-s6LBes
drwxrwxrwt. 15 root   root   system_u:object_r:tmp_t:s0            4096 Apr  8 00:00 .


[root@broken_controller ~]# ls -ldZ /var/tmp
drwxrwxrwt. 4 root root system_u:object_r:container_file_t:s0 246 Apr  7 11:45 /var/tmp
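
An added example, not part of the original bug report or of the tripleo-heat-templates code: shell helpers that read the SELinux type out of an `ls -ldZ` line and flag volume specs that relabel a shared host directory with `:z` or `:Z`. The `SHARED_DIRS` list, the function names and the sample volume specs (including the container-side paths) are assumptions for illustration.

```bash
#!/usr/bin/env bash
# Added example; the volume specs in demo() are constructed sample data.

# Host directories other services depend on (assumed list, extend as needed).
# A :z or :Z bind-mount option relabels such a directory to container_file_t.
SHARED_DIRS="/tmp /var/tmp /etc /home /var/log"

# Print the SELinux type (third part of user:role:type:level) found in one
# line of `ls -ldZ` output.
selinux_type() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if (split($i, c, ":") >= 4 && c[2] ~ /_r$/) { print c[3]; exit }
    }'
}

# Succeed only when the line ($1) carries the expected type ($2).
has_expected_type() {
    [ "$(selinux_type "$1")" = "$2" ]
}

# Read "host:container[:opts]" volume specs on stdin; print each one that
# relabels (z or Z among the comma-separated options) a shared host directory.
flag_relabel_mounts() {
    while IFS=: read -r host ctr opts; do
        case ",$opts," in
            *,z,*|*,Z,*) ;;
            *) continue ;;
        esac
        for d in $SHARED_DIRS; do
            if [ "${host%/}" = "$d" ]; then
                printf '%s\n' "$host:$ctr:$opts"
            fi
        done
    done
    return 0
}

demo() {
    # Line taken from Comment 1 of this bug.
    line='drwxrwxrwt. 4 root root system_u:object_r:container_file_t:s0 246 Apr  7 11:45 /var/tmp'
    if ! has_expected_type "$line" tmp_t; then
        echo "MISLABELED: /var/tmp is $(selinux_type "$line"), expected tmp_t"
    fi
    flag_relabel_mounts <<'EOF'
/var/tmp:/var/tmp:z
/srv/example-app/data:/data:z
/etc/hosts:/etc/hosts:ro
EOF
}
demo
```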

Comment 4 Cédric Jeanneret 2021-04-21 09:28:45 UTC
Pushing a patch on Master - should prevent this issue.

Comment 31 errata-xmlrpc 2021-05-26 13:52:43 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Red Hat OpenStack Platform 16.1.6 bug fix and enhancement advisory), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:2097