fix: change certbot :Z volume mounts to :z to prevent SELinux MCS lockout

root · root · commit 7bb51701e395 · 2026-02-26T14:58:02.000-05:00
The certbot service in docker-compose.testpoint-le.yml and
docker-compose.testpoint-le-auto.yml used :Z (private relabeling) for
/etc/letsencrypt and /var/www/html. On every certbot container recreation
(e.g. after update-perfsonar-deployment.sh), :Z stamps the new container's
random MCS categories onto those host directories. The perfsonar-testpoint
container, which mounts the same paths with :z (shared), then cannot read
the certificates, causing Apache to fail with:

  SSLCertificateFile: file '/etc/letsencrypt/live/.../fullchain.pem'
  does not exist or is empty

This produces connection refused (HTTP 000) on port 443, breaking
node_exporter and perfsonar_host_exporter scraping.

Fix: use :z (shared) for both certbot volume mounts so the shared
container_file_t:s0 label (no MCS restriction) is maintained.

Recovery on affected hosts:
  chcon -R -t container_file_t -l s0 /etc/letsencrypt
  podman exec perfsonar-testpoint systemctl start apache2
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,12 @@
 
 All notable changes to this repository will be documented in this file.
 
+## [1.5.1] - 2026-02-26
+
+### Fixed
+
+- **`docker-compose.testpoint-le.yml` and `docker-compose.testpoint-le-auto.yml`**: Changed the `certbot` service volume mounts for `/etc/letsencrypt` and `/var/www/html` from `:Z` (private SELinux MCS relabeling) to `:z` (shared). The `:Z` flag stamped the certbot container's MCS categories onto those host directories on every container recreation. `/etc/letsencrypt:Z` caused Apache to fail (`SSLCertificateFile does not exist`, connection refused on port 443). `/var/www/html:Z` caused Apache to return 403 on all endpoints (`Permission denied: search permissions are missing on a component of the path`). Immediate recovery on affected hosts: `chcon -R -t container_file_t -l s0 /etc/letsencrypt /var/www/html`, then `podman exec perfsonar-testpoint systemctl start apache2`.
+
 ## [1.5.0] - 2026-02-26
 
 ### Added
diff --git a/docs/perfsonar/tools_scripts/docker-compose.testpoint-le-auto.yml b/docs/perfsonar/tools_scripts/docker-compose.testpoint-le-auto.yml
@@ -64,8 +64,8 @@ services:
     # API to restart the testpoint container after renewal.
     volumes:
       - /run/podman/podman.sock:/run/podman/podman.sock:ro
-      - /var/www/html:/var/www/html:Z
-      - /etc/letsencrypt:/etc/letsencrypt:Z
+      - /var/www/html:/var/www/html:z
+      - /etc/letsencrypt:/etc/letsencrypt:z
       # Mount the deploy hook script into the container
       - ./tools_scripts/certbot-deploy-hook.sh:/etc/letsencrypt/renewal-hooks/deploy/certbot-deploy-hook.sh:ro
     healthcheck:
diff --git a/docs/perfsonar/tools_scripts/docker-compose.testpoint-le.yml b/docs/perfsonar/tools_scripts/docker-compose.testpoint-le.yml
@@ -56,8 +56,8 @@ services:
     # API to restart the testpoint container after renewal.
     volumes:
       - /run/podman/podman.sock:/run/podman/podman.sock:ro
-      - /var/www/html:/var/www/html:Z
-      - /etc/letsencrypt:/etc/letsencrypt:Z
+      - /var/www/html:/var/www/html:z
+      - /etc/letsencrypt:/etc/letsencrypt:z
       # Mount the deploy hook script into the container
       - ./tools_scripts/certbot-deploy-hook.sh:/etc/letsencrypt/renewal-hooks/deploy/certbot-deploy-hook.sh:ro
     healthcheck:
