From d9a2966ffddc0abc0992fa8668ae3bc81bc7672f Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Mon, 8 Jul 2024 23:17:38 +1000
Subject: [PATCH] fix: certbot selinux and rsync

- fix rsync to use 755 permissions
- add rsync selinux booleans
---
 modules/certbot/manifests/selinux.pp | 12 ++++++++++++
 modules/certbot/templates/certbot-syncer.service.epp | 4 +---
 2 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/modules/certbot/manifests/selinux.pp b/modules/certbot/manifests/selinux.pp
index 71e2c70..d2d5b0b 100644
--- a/modules/certbot/manifests/selinux.pp
+++ b/modules/certbot/manifests/selinux.pp
@@ -17,6 +17,18 @@ class certbot::selinux (
     persistent => true,
     value => 'on',
   }
+  selboolean { 'rsync_client':
+    persistent => true,
+    value => 'on',
+  }
+  selboolean { 'rsync_export_all_ro':
+    persistent => true,
+    value => 'on',
+  }
+  selboolean { 'rsync_full_access':
+    persistent => true,
+    value => 'on',
+  }
   exec { "restorecon_${data_root}/pub":
     path => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'],
diff --git a/modules/certbot/templates/certbot-syncer.service.epp b/modules/certbot/templates/certbot-syncer.service.epp
index 4123ffe..122ba93 100644
--- a/modules/certbot/templates/certbot-syncer.service.epp
+++ b/modules/certbot/templates/certbot-syncer.service.epp
@@ -3,8 +3,6 @@ Description=certbot-syncer service
 [Service]
 Type=oneshot
-ExecStart=/usr/bin/rsync --chmod=D2755,F644 -aL /etc/letsencrypt/live/ <%= $data_root %>/pub/
+ExecStart=/usr/bin/rsync --chmod=755 -aL /etc/letsencrypt/live/ <%= $data_root %>/pub/
 User=root
 Group=root
-PermissionsStartOnly=false
-PrivateTmp=no
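Review bot: The third added selboolean, `rsync_full_access`, lets the rsync SELinux domain manage any file or directory on the system, and `rsync_export_all_ro` lets it read any file; for a oneshot copy from /etc/letsencrypt/live/ into ${data_root}/pub that is far wider than the job needs, and the hunk already carries a `restorecon_${data_root}/pub` exec that suggests the tighter fix of labelling the destination instead. `rsync_client` covers rsync acting as a network client, which the local-to-local ExecStart in the second hunk does not obviously require, so it may be switchable off as well. Each boolean should carry a comment naming the AVC denial it was added for, e.g. `# rsync_t must write the certificate copies under ${data_root}/pub (see audit.log denial) — TODO: replace with a file context on pub/ and drop rsync_full_access`, so the next maintainer can retire it. The three resources are identical apart from the name; an `['rsync_client', 'rsync_export_all_ro', 'rsync_full_access'].each |$bool| { selboolean { $bool: persistent => true, value => 'on' } }` loop would keep them in one place. The enclosing class certbot::selinux continues outside the hunk.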
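Review bot: `--chmod=755` on the new ExecStart line has no D/F prefix, so it applies to files as well as directories, and everything -L dereferences out of /etc/letsencrypt/live/ — including privkey.pem, which certbot keeps at 0600 — lands in ${data_root}/pub as 0755, world-readable and executable. The old `D2755,F644` already made the copied files world-readable, so this is a pre-existing exposure that the commit widens rather than introduces. If consumers of pub/ only need the certificate chain, keep the directory/file split and leave the key out: `ExecStart=/usr/bin/rsync --chmod=D755,F644 -aL --exclude=privkey.pem /etc/letsencrypt/live/ <%= $data_root %>/pub/`; if they do need the key, the destination directory itself should be restricted rather than the files opened up. Dropping `PermissionsStartOnly=false` and `PrivateTmp=no` changes nothing, as both were at their defaults.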