Maniphest T1364

SELinux policy for Let's encrypt directory
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	dereckson
	Mar 16 2018, 03:37

Tags

Referenced Files

None

Subscribers

Description

By default, nginx can't read to svirt_sandbox_file_t files, and so can't serve /.well-known/acme challenge file written by the Let's encrypt container.

Equatower

$ grep nginx /root/audit-nginx-certbot.log | audit2allow -m nginx
module nginx 1.0;

require {
        type httpd_t;
        type svirt_sandbox_file_t;
        class file { getattr open read };
}

#============= httpd_t ==============
allow httpd_t svirt_sandbox_file_t:file { getattr open read };

Revisions and Commits

rOPS Nasqueron Operations
	D1959	rOPS16533b4eaa5f Improve SELinux policies for nginx in paas-docker role

Related Objects

Mentioned Here: D1959: Improve SELinux policies for nginx in paas-docker role

Event Timeline

dereckson created this task.Mar 16 2018, 03:37

Note svirt_sandbox_file_t has been superseded by container_file_t.

dereckson claimed this task.Oct 27 2018, 21:22

dereckson moved this task from Backlog to Working on on the Operations sprints (The Dreadnought will produce new officers) board.

dereckson added a revision: D1959: Improve SELinux policies for nginx in paas-docker role.Oct 27 2018, 23:17

This part of D1959 works.

dereckson added a commit: rOPS16533b4eaa5f: Improve SELinux policies for nginx in paas-docker role.Oct 28 2018, 18:56

dereckson closed this task as Resolved.Oct 28 2018, 18:59