Bug 1729813

Summary: After update to certbot 0.34.2.-3.el7 - selinux blocks cert renew.
Product: Fedora EPEL
Component: certbot
Version: epel7
Hardware: x86_64
OS: Linux
Status: CLOSED DUPLICATE
Severity: medium
Priority: unspecified
Reporter: Bill <thetaeridanus>
Assignee: Eli Young <elyscape>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: anon.amish, elyscape, itamar, james.hogarth, nb, nick, rbu
Last Closed: 2019-07-19 19:36:11 UTC
Type: Bug

Description Bill 2019-07-15 02:02:45 UTC
Description of problem: 

After updating to certbot 0.34.2.-3.el7.noarch @epel on 10th July 2019,

I got the following repeated SELinux error when certbot did its weekly renew run:

SELinux is preventing /usr/sbin/httpd from write access on the file /etc/letsencrypt/.certbot.lock. For complete SELinux messages run: sealert -l c02cc5cd-c024-43fa-8148-1ba529733dfc


Version-Release number of selected component (if applicable):

certbot 0.34.2.-3.el7.noarch

How reproducible:

Install current CentOS 7 updates from epel.


Actual results:

selinux blocks certbot renew after the above update.


Expected results:

certbot allowed to do its weekly scheduled renew without being blocked by SELinux.


Additional info:

OS is CentOS 7 running on DigitalOcean VM

I applied the command suggested by cockpit:

Allow this access for now by executing: 
# ausearch -c 'httpd' --raw | audit2allow -M my-httpd
# semodule -i my-httpd.pp

After that I don't get the SELinux error when doing a manual renew. So I assume that the next scheduled one will be ok.
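The `ausearch -c 'httpd' --raw | audit2allow` workaround above feeds every denial recorded for httpd into the generated module, not only the `.certbot.lock` write. The script below is an added example (not part of the bug report or the certbot package) that narrows the raw records to that one denial and prints a one-line summary per AVC so the rule set can be reviewed first; the audit records in it are constructed samples, and the SELinux labels in them (`cert_t` for the lock file) are assumed, not taken from the reporter's host.

```shell
#!/bin/sh
# Added example: filter raw audit records down to the denial described in this bug
# before handing them to audit2allow, e.g.
#   ausearch -c 'httpd' --raw | filter_certbot_lock_avcs | audit2allow -M my-httpd
# Assumes the key=value record format that `ausearch --raw` emits.

filter_certbot_lock_avcs() {
    # Keep only AVC records for httpd being denied write on a file named .certbot.lock.
    grep -E '^type=AVC ' \
      | grep -E 'denied +\{ write \}' \
      | grep -E 'comm="httpd"' \
      | grep -E 'name="\.certbot\.lock"' \
      | grep -E 'tclass=file'
}

summarize_avcs() {
    # One line per AVC record: "<permission> <source type> -> <target type> <class>",
    # which is what a reviewer wants to see before allowing anything.
    grep -E '^type=AVC ' \
      | sed -E 's/.*denied +\{ ([^}]*) \}.*scontext=[^:]*:[^:]*:([^:]*):[^ ]* tcontext=[^:]*:[^:]*:([^:]*):[^ ]* tclass=([^ ]*).*/\1 \2 -> \3 \4/'
}

# Constructed sample records (not real output from the reporter's system). The first is
# the lock-file denial; the second is an unrelated httpd denial that a blanket
# `audit2allow` run over all httpd records would also turn into an allow rule.
SAMPLE_AUDIT='type=AVC msg=audit(1562808000.123:456): avc:  denied  { write } for  pid=1234 comm="httpd" name=".certbot.lock" dev="vda1" ino=1001 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=0
type=AVC msg=audit(1562808001.456:457): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1562808000.123:456): arch=c000003e syscall=2 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)'

count_matching_avcs() {
    # Number of records the filter would pass on to audit2allow (1 for the sample above).
    printf '%s\n' "$SAMPLE_AUDIT" | filter_certbot_lock_avcs | wc -l | tr -d ' '
}

printf 'Denials found:\n'
printf '%s\n' "$SAMPLE_AUDIT" | summarize_avcs
printf 'Records kept for audit2allow: %s\n' "$(count_matching_avcs)"
```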

Comment 1 Eli Young 2019-07-19 19:36:11 UTC
This appears to be a duplicate of #1586352. Tracking further progress there.

*** This bug has been marked as a duplicate of bug 1586352 ***