Avoid "-a" cp option in order to avoid SELinux AVC
Using "cp -a" in a container might lead to SELinux failures, since this option
is a shortcut for "-dR --preserve=all". The "all" has the context, and we do
not allow SELinux relabelling within containers.
Splitting the "-a" to "-dR --preserve" will provide the same end results, but
without the relabelling, preventing audit.log to fill up during the deploy.
Reviewed: https:/ /review. openstack. org/643240 /git.openstack. org/cgit/ openstack/ tripleo- heat-templates/ commit/ ?id=c55cf61c99a 8ad5e743672d1ef 56fa12dbdc5f17
Committed: https:/
Submitter: Zuul
Branch: master
commit c55cf61c99a8ad5 e743672d1ef56fa 12dbdc5f17
Author: Cédric Jeanneret <email address hidden>
Date: Thu Mar 14 08:45:14 2019 +0100
Avoid "-a" cp option in order to avoid SELinux AVC
Using "cp -a" in a container might lead to SELinux failures, since this option
is a shortcut for "-dR --preserve=all". The "all" has the context, and we do
not allow SELinux relabelling within containers.
Splitting the "-a" to "-dR --preserve" will provide the same end results, but
without the relabelling, preventing audit.log to fill up during the deploy.
Closes-Bug: #1819459 2986987f5abaa52 4f171d7c13b
Change-Id: Ic280ad8e95fcc3