Red Hat Bugzilla – Bug 855763
/sandbox is not root owned for an old existing application
Last modified: 2015-05-14 18:59:17 EDT
Description of problem:
For an old existing application, after server upgrade and migrate, /sandbox is still not root owned.
Version-Release number of selected component (if applicable):
on INT, devenv
Steps to Reproduce:
1. Launch an old instance and create applications that cover all cartridges
2. Do server upgrade and migrate
3. ssh into old applications, ls -Zd /sandbox/
4. Create new applications and then repeat step 3
For old existing apps (all cartridges, including zend-5.6), /sandbox is not root owned.
[zend1-jhouup.dev.rhcloud.com ~]\> ls -Zd /sandbox/
drwxrwxrwt. b642327973a74b23ab395daf80450cb6 root system_u:object_r:libra_tmp_t:s0:c0,c531 /sandbox/
For newly created zend-5.6 app, /sandbox is root owned
[zend3-jhouup.dev.rhcloud.com ~]\> ls -Zd /sandbox/
drwxr-xr-x. root root system_u:object_r:libra_tmp_t:s0:c0,c537 /sandbox/
For newly created other cartridges, /sandbox is root owned, but user has access to it
[phpapp-jhouup.dev.rhcloud.com ~]\> ls -Zd /sandbox/
drwxrwxrwt. root root system_u:object_r:libra_tmp_t:s0:c0,c535 /sandbox/
/sandbox should be root owned, and the permissions should be like:
drwxr-xr-t. root root unconfined_u:object_r:libra_tmp_t:s0:c0,c1001 /sandbox/
Launched new devenv build, and this problem is not reproduced. It is reproduced when upgrading from an older instance.
This problem exists for all cartridges. Need upgrade and migration to resolve.
Release ticket updated with migration steps in comment #5.
Verified this with workaround script
After upgrade, run:
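# For every account whose passwd comment field is "libra guest", make the
# sandbox directory "$t" root-owned with mode 1755 (sticky, writable only by root).
# "$t" must be set to that account's sandbox directory before it is used.
grep ':libra guest:' /etc/passwd | \
cut -f 1 -d : | \
while read dn; do \
mkdir -p "$t"; \
chown root:root "$t"; \
chmod 1755 "$t"; \
done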
to fix /sandbox ownership and migrate
Then check applications of all cartridges, now /sandbox is root owned.
[ruby19-234u.dev.rhcloud.com ~]\> ls -Zd /sandbox/
drwxr-xr-t. root root system_u:object_r:libra_tmp_t:s0:c0,c509 /sandbox/
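
A check for the expected state given in this report (root:root, drwxr-xr-t), as an added example that is not part of the original bug comments. The function names check_sandbox_line and audit_lines are assumptions, and the sample input is the four ls -Zd listings quoted above.

```shell
#!/bin/sh
# Expected state per the report: owner root, group root, mode drwxr-xr-t (1755).

# check_sandbox_line LINE
# LINE is one line of `ls -Zd` output: mode owner group selinux-context path.
# Prints one finding per deviation. Returns 0 if compliant, 1 if not,
# 2 if the line is not a parseable directory listing.
check_sandbox_line() {
    read -r mode owner group _ctx path <<EOF
$1
EOF
    mode=${mode%[.+]}   # drop the trailing SELinux (.) or ACL (+) marker
    case $mode in
        d?????????) ;;
        *) echo "unparseable listing: $1"; return 2 ;;
    esac
    rc=0
    [ "$owner" = root ] || { echo "$path: owner '$owner' is not root"; rc=1; }
    [ "$group" = root ] || { echo "$path: group '$group' is not root"; rc=1; }
    case $mode in d????w????) echo "$path: group-writable ($mode)"; rc=1 ;; esac
    case $mode in d???????w?) echo "$path: world-writable ($mode)"; rc=1 ;; esac
    case $mode in *[tT]) ;; *) echo "$path: sticky bit not set ($mode)"; rc=1 ;; esac
    return $rc
}

# audit_lines: read `ls -Zd` lines on stdin; return 0 only if every line complies.
audit_lines() {
    bad=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        check_sandbox_line "$line" || bad=1
    done
    return $bad
}

# Sample input: the listings quoted in this report (old app, new zend app,
# new app of another cartridge, and an app after the workaround).
audit_lines <<'EOF' || true
drwxrwxrwt. b642327973a74b23ab395daf80450cb6 root system_u:object_r:libra_tmp_t:s0:c0,c531 /sandbox/
drwxr-xr-x. root root system_u:object_r:libra_tmp_t:s0:c0,c537 /sandbox/
drwxrwxrwt. root root system_u:object_r:libra_tmp_t:s0:c0,c535 /sandbox/
drwxr-xr-t. root root system_u:object_r:libra_tmp_t:s0:c0,c509 /sandbox/
EOF
```
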