diff --git a/modules/certbot/manifests/selinux.pp b/modules/certbot/manifests/selinux.pp
index 71e2c70..d2d5b0b 100644
--- a/modules/certbot/manifests/selinux.pp
+++ b/modules/certbot/manifests/selinux.pp
@@ -17,6 +17,18 @@ class certbot::selinux (
 persistent => true,
 value => 'on',
 }
+ selboolean { 'rsync_client':
+ persistent => true,
+ value => 'on',
+ }
+ selboolean { 'rsync_export_all_ro':
+ persistent => true,
+ value => 'on',
+ }
+ selboolean { 'rsync_full_access':
+ persistent => true,
+ value => 'on',
+ }
 exec { "restorecon_${data_root}/pub":
 path => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'],
diff --git a/modules/certbot/templates/certbot-syncer.service.epp b/modules/certbot/templates/certbot-syncer.service.epp
index 4123ffe..122ba93 100644
--- a/modules/certbot/templates/certbot-syncer.service.epp
+++ b/modules/certbot/templates/certbot-syncer.service.epp
@@ -3,8 +3,6 @@ Description=certbot-syncer service
 [Service]
 Type=oneshot
-ExecStart=/usr/bin/rsync --chmod=D2755,F644 -aL /etc/letsencrypt/live/ <%= $data_root %>/pub/
+ExecStart=/usr/bin/rsync --chmod=755 -aL /etc/letsencrypt/live/ <%= $data_root %>/pub/
 User=root
 Group=root
-PermissionsStartOnly=false
-PrivateTmp=no
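Review bot: The three `selboolean` resources added after the existing boolean turn on host-wide, persistent SELinux switches, and `rsync_full_access` in particular removes most file-type confinement from the rsync domain for every rsync process that runs in it, not only the certbot syncer. If the only need is to read `/etc/letsencrypt/live/` and write `${data_root}/pub`, a small local policy module or a suitable file context on those two paths would keep the grant scoped. With full access on, `rsync_export_all_ro` also looks redundant. At minimum I would record the reason above the block, assuming it is what I infer: `# certbot-syncer.service runs rsync confined; these booleans let it read /etc/letsencrypt/live and write ${data_root}/pub`. The class body starts and ends outside this hunk.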
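Review bot: `--chmod=755` on the new `ExecStart` line applies to files as well as directories, so everything copied from `/etc/letsencrypt/live/` lands in `<%= $data_root %>/pub/` world-readable and executable. Because `-L` dereferences symlinks, that likely includes the private key files themselves. The previous `D2755,F644` at least kept files non-executable; I would keep the per-type form and tighten it where the consumers allow, for example `--chmod=D750,F640` with a dedicated reader group, or add an `--exclude` for key files that do not need to be in `pub/`. Dropping `PermissionsStartOnly=false` and `PrivateTmp=no` only removes values that match the systemd defaults, so that part changes nothing.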