Differential D2205

Allow nginx to access container_file_t certificates on Docker engines
ClosedPublic
Actions

Authored by dereckson on Feb 14 2020, 01:09.

Details

Reviewers

dereckson

Maniphest Tasks

T1592: Upgrade Docker engines to CentOS 8.1

Commits

rOPS1c5a10f2ffd7: Allow nginx to access container_file_t certificates on Docker engines

Summary

When upgrading CentOS 8, nginx lost capability to read Let's Encrypt
fullchain.pem and privkey.pem files, both with container_file_t context
as they are managed by a Certbot container.

This change updates the SELinux policy to allow this operation.

Ref T1592

Test Plan

Tested on Equatower

Diff Detail

Repository

rOPS Nasqueron Operations

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

dereckson requested review of this revision.Feb 14 2020, 01:09

dereckson created this revision.

Harbormaster completed remote builds in B3418: Diff 5547.Feb 14 2020, 01:09

dereckson accepted this revision.Feb 14 2020, 01:28

This revision is now accepted and ready to land.Feb 14 2020, 01:28

Closed by commit rOPS1c5a10f2ffd7: Allow nginx to access container_file_t certificates on Docker engines (authored by dereckson). · Explain WhyFeb 14 2020, 01:28

This revision was automatically updated to reflect the committed changes.

dereckson added a commit: rOPS1c5a10f2ffd7: Allow nginx to access container_file_t certificates on Docker engines.

Revision Contents
Changeset List

Path

Size

roles/

paas-docker/

nginx/

files/

selinux/

nginx.te

4 lines

Diff 5548

View Options

roles/paas-docker/nginx/files/selinux/nginx.te

Allow nginx to access container_file_t certificates on Docker enginesClosedPublicActions