Merge pull request #77 from osg-htc/fix/certbot-selinux-z-flag

ShawnMcKee · web-flow · commit be29be817938 · 2026-02-26T20:58:50.000+01:00
fix: change certbot :Z volume mounts to :z to prevent SELinux MCS lockout
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,12 @@
 
 All notable changes to this repository will be documented in this file.
 
+## [1.5.1] - 2026-02-26
+
+### Fixed
+
+- **`docker-compose.testpoint-le.yml` and `docker-compose.testpoint-le-auto.yml`**: Changed the `certbot` service volume mounts for `/etc/letsencrypt` and `/var/www/html` from `:Z` (private SELinux MCS relabeling) to `:z` (shared). The `:Z` flag stamped the certbot container's MCS categories onto those host directories on every container recreation. `/etc/letsencrypt:Z` caused Apache to fail (`SSLCertificateFile does not exist`, connection refused on port 443). `/var/www/html:Z` caused Apache to return 403 on all endpoints (`Permission denied: search permissions are missing on a component of the path`). Immediate recovery on affected hosts: `chcon -R -t container_file_t -l s0 /etc/letsencrypt /var/www/html`, then `podman exec perfsonar-testpoint systemctl start apache2`.
+
 ## [1.5.0] - 2026-02-26
 
 ### Added
diff --git a/docs/perfsonar/tools_scripts/docker-compose.testpoint-le-auto.yml b/docs/perfsonar/tools_scripts/docker-compose.testpoint-le-auto.yml
@@ -64,8 +64,8 @@ services:
     # API to restart the testpoint container after renewal.
     volumes:
       - /run/podman/podman.sock:/run/podman/podman.sock:ro
-      - /var/www/html:/var/www/html:Z
-      - /etc/letsencrypt:/etc/letsencrypt:Z
+      - /var/www/html:/var/www/html:z
+      - /etc/letsencrypt:/etc/letsencrypt:z
       # Mount the deploy hook script into the container
       - ./tools_scripts/certbot-deploy-hook.sh:/etc/letsencrypt/renewal-hooks/deploy/certbot-deploy-hook.sh:ro
     healthcheck:
diff --git a/docs/perfsonar/tools_scripts/docker-compose.testpoint-le.yml b/docs/perfsonar/tools_scripts/docker-compose.testpoint-le.yml
@@ -56,8 +56,8 @@ services:
     # API to restart the testpoint container after renewal.
     volumes:
       - /run/podman/podman.sock:/run/podman/podman.sock:ro
-      - /var/www/html:/var/www/html:Z
-      - /etc/letsencrypt:/etc/letsencrypt:Z
+      - /var/www/html:/var/www/html:z
+      - /etc/letsencrypt:/etc/letsencrypt:z
       # Mount the deploy hook script into the container
       - ./tools_scripts/certbot-deploy-hook.sh:/etc/letsencrypt/renewal-hooks/deploy/certbot-deploy-hook.sh:ro
     healthcheck:
