Page MenuHomeDevCentral

SELinux policy for Let's encrypt directory
Closed, ResolvedPublic


By default, nginx can't read to svirt_sandbox_file_t files, and so can't serve /.well-known/acme challenge file written by the Let's encrypt container.

$ grep nginx /root/audit-nginx-certbot.log | audit2allow -m nginx
module nginx 1.0;

require {
        type httpd_t;
        type svirt_sandbox_file_t;
        class file { getattr open read };

#============= httpd_t ==============
allow httpd_t svirt_sandbox_file_t:file { getattr open read };