fix: certbot selinux and rsync

- fix rsync to use 755 permissions - add rsync selinux booleans
2024-07-08 23:17:38 +10:00 · 2024-07-08 23:17:38 +10:00 · d9a2966ffd
commit d9a2966ffd
parent 899e2cbf49
2 changed files with 13 additions and 3 deletions
--- a/modules/certbot/manifests/selinux.pp
+++ b/modules/certbot/manifests/selinux.pp
@ -17,6 +17,18 @@ class certbot::selinux (
      persistent => true,
      value      => 'on',
    }
+    selboolean { 'rsync_client':
+      persistent => true,
+      value      => 'on',
+    }
+    selboolean { 'rsync_export_all_ro':
+      persistent => true,
+      value      => 'on',
+    }
+    selboolean { 'rsync_full_access':
+      persistent => true,
+      value      => 'on',
+    }

    exec { "restorecon_${data_root}/pub":
      path        => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'],
--- a/modules/certbot/templates/certbot-syncer.service.epp
+++ b/modules/certbot/templates/certbot-syncer.service.epp
@ -3,8 +3,6 @@ Description=certbot-syncer service

 [Service]
 Type=oneshot
-ExecStart=/usr/bin/rsync --chmod=D2755,F644 -aL /etc/letsencrypt/live/ <%= $data_root %>/pub/
+ExecStart=/usr/bin/rsync --chmod=755 -aL /etc/letsencrypt/live/ <%= $data_root %>/pub/
 User=root
 Group=root
-PermissionsStartOnly=false
-PrivateTmp=no