On 04/18/2017 07:10 AM, Dominick Grift wrote:
> where are you copying that object to? There should be no content with type "cert_t" in a user home directory
I'm copying the mod_nss NSS database directory (/etc/httpd/alias). The program is intended to update Let's Encrypt certificates in mod_nss. I've moved the actual mod_nss database into a directory named something like /etc/httpd/alias-20170218081357 and /etc/httpd/alias is now a symbolic link to that directory.

My program does the following:

* Create a new directory with a current timestamp: /etc/httpd/alias-20170408143539 for example.
* Copy the NSS database files (cert8.db, key3.db, and secmod.db) from the "old" directory to the new directory. I can get away with this, because mod_nss always opens the database read-only.
* Open the NSS database in the new directory, delete any existing certificates with the matching nickname (hostname), and import the new certificate.
* Recursively copy any other content (files, symlinks, subdirectories) from the old directory to the new directory. This step also copies the ownership, permissions, and SELinux context of *all* objects, including the NSS database files. (This is where I hit the relabelto denial.)
* Create a new symbolic link, /etc/httpd/alias.new, that points to the new directory.
* Rename the /etc/httpd/alias.new symbolic link to /etc/httpd/alias.
* Recursively delete the old directory.
* Reload (SIGUSR1) httpd, so it will start using the new certificate. (Actually, systemd does this in an ExecStartPost.)

--
Ian Pilcher
"I grew up before Mark Zuckerberg invented friendship"
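As an added illustration, not code from the thread or from Ian's program: a Python sketch of the rotation described above (timestamped copy, database update, context-preserving copy of the remaining content, symlink created as alias.new and renamed into place, old directory removed). The `update_db` callback, the `copy_tree` helper and the fixed file names are assumptions of this example; the NSS edit itself is left to the caller, and the httpd reload is omitted.

```python
import os
import shutil
from datetime import datetime
from pathlib import Path

# mod_nss opens these read-only, so an edited copy never races the server.
NSS_DB_FILES = ("cert8.db", "key3.db", "secmod.db")

def new_alias_dir(link: Path) -> Path:
    """Sibling name like alias-20170408143539; refuse to reuse one that exists."""
    candidate = link.with_name(f"{link.name}-{datetime.now():%Y%m%d%H%M%S}")
    if candidate.exists() or candidate.is_symlink():
        raise FileExistsError(candidate)
    return candidate

def copy_tree(src: Path, dst: Path, skip=()) -> None:
    """Copy src's entries into the existing dir dst, keeping mode, owner, mtime
    and xattrs. copystat/copy2 also copy security.selinux (the relabel step that
    hit the denial); shutil may skip an xattr it cannot set, so verify labels."""
    shutil.copystat(src, dst)
    for entry in src.iterdir():
        if entry.name in skip:
            continue
        target = dst / entry.name
        if entry.is_dir() and not entry.is_symlink():
            target.mkdir()
            copy_tree(entry, target)
        else:  # regular file, or a symlink recreated as a symlink
            shutil.copy2(entry, target, follow_symlinks=not entry.is_symlink())
        st = entry.lstat()
        try:
            os.chown(target, st.st_uid, st.st_gid, follow_symlinks=False)
        except PermissionError:
            pass  # unprivileged run: ownership stays with the caller

def rotate(link: Path, update_db) -> Path:
    """Build the new directory, then swap the symlink with one rename(2)."""
    old = link.resolve()
    new = new_alias_dir(link)
    new.mkdir(mode=0o700)
    for name in NSS_DB_FILES:
        shutil.copy2(old / name, new / name)
    update_db(new)  # caller: drop the old cert by nickname, import the new one
    copy_tree(old, new, skip=NSS_DB_FILES)
    tmp = link.with_name(link.name + ".new")
    os.symlink(new.name, tmp)  # relative target: alias -> alias-<stamp>
    os.replace(tmp, link)  # atomic: readers see the old or the new dir, never neither
    shutil.rmtree(old)
    return new
```

Because the symlink is replaced with a single rename, httpd never observes a half-built directory; the relabel happens inside `copy_tree`, which is the step that needs relabelfrom/relabelto in policy.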