On Tue, Apr 18, 2017 at 08:26:50AM -0500, Ian Pilcher wrote:
> On 04/18/2017 07:10 AM, Dominick Grift wrote:
> > where are you copying that object to? There should be no content with
> > type "cert_t" in a user home directory
>
> I'm copying the mod_nss NSS database directory (/etc/httpd/alias). The
> program is intended to update Let's Encrypt certificates in mod_nss.
>
> I've moved the actual mod_nss database into a directory named something
> like /etc/httpd/alias-20170218081357 and /etc/httpd/alias is now a
> symbolic link to that directory.
>
> My program does the following:
>
> * Create a new directory with a current timestamp:
>   /etc/httpd/alias-20170408143539 for example.
>
> * Copy the NSS database files (cert8.db, key3.db, and secmod.db) from
>   the "old" directory to the new directory. I can get away with this,
>   because mod_nss always opens the database read-only.
>
> * Open the NSS database in the new directory, delete any existing
>   certificates with the matching nickname (hostname), and import the
>   new certificate.
>
> * Recursively copy any other content (files, symlinks, subdirectories)
>   from the old directory to the new directory. This step also copies
>   the ownership, permissions, and SELinux context of *all* objects,
>   including the NSS database files. (This is where I hit the relabelto
>   denial.)

Okay, so I suppose that behaves like `cp -a`. That copies the file context as well.

I think then you are stuck with the object id change exemption solution, because AFAIK there is no `cp -a-minus-selinux-context` or equivalent.

This is also an issue with dracut, where it cp -a a bunch of files from / to /var/tmp/dracut to create the initramfs, forcing me to allow dracut to manage and relabel a lot of files.

> * Create a new symbolic link, /etc/httpd/alias.new, that points to the
>   new directory.
>
> * Rename the /etc/httpd/alias.new symbolic link to /etc/httpd/alias.
>
> * Recursively delete the old directory.
> * Reload (SIGUSR1) httpd, so it will start using the new certificate.
>   (Actually, systemd does this in an ExecStartPost.)
>
> --
> ========================================================================
> Ian Pilcher                                         arequipeno@xxxxxxxxx
> -------- "I grew up before Mark Zuckerberg invented friendship" --------
> ========================================================================
> _______________________________________________
> Selinux mailing list
> Selinux@xxxxxxxxxxxxx
> To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
> To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
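The swap procedure quoted in this thread, as an added example that is not code from the thread or from Ian Pilcher's program. The point it demonstrates is the step that triggered the relabelto denial: a `cp -a` style recursive copy carries the security.selinux xattr along with mode, ownership and timestamps, so the copying domain needs relabelfrom/relabelto on every type it touches. The copy below keeps every other attribute but skips security.selinux, so each new object is labelled by the policy at creation time (the parent directory's label or a type_transition), and no relabel permission is needed. Python's own shutil.copy2/copytree would not help here, because shutil.copystat copies all xattrs including security.selinux. The paths, the `update_db` callback standing in for the certutil delete/import step, and the fixture built by `demo()` are all assumptions for illustration; the fixture runs in a temporary directory, not under /etc/httpd.

```python
# Added example (not code from the thread): the swap procedure above, with a recursive
# copy that keeps mode/owner/times/xattrs but deliberately not security.selinux.
import errno
import os
import shutil
import stat
import tempfile
import time

SELINUX_XATTR = "security.selinux"
NSS_DB_FILES = ("cert8.db", "key3.db", "secmod.db")  # legacy NSS database files

def copy_attrs_no_context(src, dst):
    """cp -a style attribute copy, minus the SELinux label."""
    st = os.lstat(src)
    follow = not stat.S_ISLNK(st.st_mode)
    try:
        os.lchown(dst, st.st_uid, st.st_gid)   # needs CAP_CHOWN; skipped when unprivileged
    except PermissionError:
        pass
    if follow:
        os.chmod(dst, stat.S_IMODE(st.st_mode))
    os.utime(dst, ns=(st.st_atime_ns, st.st_mtime_ns), follow_symlinks=follow)
    try:
        names = os.listxattr(src, follow_symlinks=follow)
    except OSError:
        return                                  # filesystem without xattr support
    for name in names:
        if name == SELINUX_XATTR:
            continue                            # leave labelling to the policy
        try:
            os.setxattr(dst, name, os.getxattr(src, name, follow_symlinks=follow),
                        follow_symlinks=follow)
        except OSError as e:
            if e.errno not in (errno.ENOTSUP, errno.EPERM, errno.EACCES):
                raise

def copytree_no_context(src, dst):
    """Recursive copy into dst (may exist); files already in dst keep data, get attrs."""
    if not os.path.isdir(dst):
        os.mkdir(dst)
    for entry in os.scandir(src):
        s, d = entry.path, os.path.join(dst, entry.name)
        if entry.is_symlink():
            if not os.path.lexists(d):
                os.symlink(os.readlink(s), d)
        elif entry.is_dir():
            copytree_no_context(s, d)
            continue                            # attributes handled by the recursive call
        elif not os.path.exists(d):
            shutil.copyfile(s, d)               # data only; attributes follow
        copy_attrs_no_context(s, d)
    copy_attrs_no_context(src, dst)

def rotate_alias(alias_link, update_db, now=None):
    """Timestamped dir -> copy NSS db -> update_db() -> copy rest -> symlink swap -> rm old."""
    if not os.path.islink(alias_link):
        raise ValueError(f"{alias_link} must be a symlink to the live directory")
    old_dir = os.path.realpath(alias_link)
    ts = time.strftime("%Y%m%d%H%M%S", time.gmtime(now))
    new_dir = os.path.abspath(alias_link) + "-" + ts
    os.mkdir(new_dir)                           # raises if the timestamp collides
    for name in NSS_DB_FILES:
        shutil.copyfile(os.path.join(old_dir, name), os.path.join(new_dir, name))
    update_db(new_dir)                          # the certutil delete/import step
    copytree_no_context(old_dir, new_dir)
    tmp_link = alias_link + ".new"
    if os.path.lexists(tmp_link):
        os.unlink(tmp_link)                     # leftover from an interrupted run
    os.symlink(new_dir, tmp_link)
    os.rename(tmp_link, alias_link)             # atomic: readers see old or new, never neither
    shutil.rmtree(old_dir)
    return new_dir

def demo(root=None):
    """Constructed fixture in a temp dir (not a real /etc/httpd/alias); runs one rotation."""
    root = root or tempfile.mkdtemp(prefix="alias-demo-")
    old = os.path.join(root, "alias-20170218081357")
    os.makedirs(os.path.join(old, "sub"))
    for name in NSS_DB_FILES:
        with open(os.path.join(old, name), "wb") as f:
            f.write(b"old " + name.encode())
    pw = os.path.join(old, "sub", "pwdfile.txt")
    with open(pw, "wb") as f:
        f.write(b"secret")
    os.chmod(pw, 0o600)
    os.symlink("sub/pwdfile.txt", os.path.join(old, "link"))
    alias = os.path.join(root, "alias")
    os.symlink(old, alias)
    def import_new_cert(path):                  # stands in for certutil -D / certutil -A
        with open(os.path.join(path, "cert8.db"), "wb") as f:
            f.write(b"new cert8.db")
    new = rotate_alias(alias, import_new_cert, now=1491662139)  # 2017-04-08 14:35:39 UTC
    def read(*parts):
        with open(os.path.join(new, *parts), "rb") as f:
            return f.read()
    return {"new_dir": new, "alias_target": os.readlink(alias), "old_exists": os.path.exists(old),
            "cert8": read("cert8.db"), "key3": read("key3.db"), "pwdfile": read("sub", "pwdfile.txt"),
            "pwdfile_mode": stat.S_IMODE(os.stat(os.path.join(new, "sub", "pwdfile.txt")).st_mode),
            "link_target": os.readlink(os.path.join(new, "link"))}
```

Two checks before relying on this on a real system. First, skipping the label only helps if the policy assigns the right label to objects created under the timestamped directory: run `matchpathcon /etc/httpd/alias-20170408143539/cert8.db` (or `restorecon -nv` on the new tree) and confirm it reports cert_t; a file_contexts entry written for /etc/httpd/alias need not match a sibling named alias-<timestamp>, and if it does not, add an equivalent entry with `semanage fcontext` or have the program call setfscreatecon(3) before creating the files, otherwise the new database inherits the label of /etc/httpd instead. Second, the symlink rename is the atomic step, but the `ExecStartPost` reload in the quoted procedure still has to happen after it, and the old directory must not be removed until httpd has been reloaded and re-opened the database.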