ubuntu 18.04 – How to stop apt-get using /tmp for install scripts

I have a CIS-benchmark-compliant base image.
Pulling this to differentiate an immutable image for my application, if I attempt to do

apt-get install -y docker.io

I get an error

==> amazon-ebs: Can't exec "/tmp/docker.io.config.NzitwJ": Permission denied at /usr/share/perl/5.26/IPC/Open3.pm line 178.

==> amazon-ebs: open2: exec of /tmp/docker.io.config.NzitwJ configure  failed: Permission denied at /usr/share/perl5/Debconf/ConfModule.pm line 59.

This is because CIS-compliant images have noexec set on the /tmp filesystem.

Does anyone know of a command line or equivalent way to make apt-get use a different file system for install scripts, or am I going to have to schedule tasks to install from source? Note, this does not only affect docker.io, but others as well. I’m looking for an apt-get-level solution, not an app-specific package method.