[SELinux] should the log files be var_log_t or cron_log_t?

I have a CentOS 8 cloud VPS which has been running certbot via cron with no problems for months.
Recently I was trying to fix SELinux errors so that I could move from permissive mode to enforcing mode.
When I ran sudo restorecon -R -v /var, I was surprised to see all these:

Relabeled /var/log/letsencrypt/letsencrypt.log from system_u:object_r:cron_log_t:s0 to system_u:object_r:var_log_t:s0
... many others ...
Relabeled /var/log/letsencrypt/letsencrypt.log.24 from system_u:object_r:cron_log_t:s0 to system_u:object_r:var_log_t:s0

Which type is correct?
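Before switching to enforcing mode it helps to know exactly which type transitions a relabel would make. This is an added example (not code from the thread or from Certbot): it parses the `Relabeled <path> from <ctx> to <ctx>` lines that `restorecon -v` prints (captured from a dry run with `restorecon -R -n -v /var`) and tallies them by type change, so a `cron_log_t` to `var_log_t` batch like the one above stands out. The sample output is constructed to mirror the thread's lines.

```python
import re
from collections import Counter

# Constructed sample modelled on the restorecon -v lines quoted in the thread;
# the third path (a .tmp file labelled tmp_t) is invented for illustration.
SAMPLE_OUTPUT = """\
Relabeled /var/log/letsencrypt/letsencrypt.log from system_u:object_r:cron_log_t:s0 to system_u:object_r:var_log_t:s0
Relabeled /var/log/letsencrypt/letsencrypt.log.1 from system_u:object_r:cron_log_t:s0 to system_u:object_r:var_log_t:s0
Relabeled /var/log/letsencrypt/letsencrypt.log.24 from system_u:object_r:cron_log_t:s0 to system_u:object_r:var_log_t:s0
Relabeled /var/log/letsencrypt/.letsencrypt.log.tmp from system_u:object_r:tmp_t:s0 to system_u:object_r:var_log_t:s0
"""

# Path is matched non-greedily up to the literal " from " so paths with spaces survive.
RELABEL_RE = re.compile(r"^Relabeled (?P<path>.+?) from (?P<old>\S+) to (?P<new>\S+)$")


def context_type(ctx):
    """Return the type field of an SELinux context (user:role:type[:range]).

    The MLS range may itself contain ':' (e.g. s0-s0:c0.c1023), so we split
    at most three times and always take the third field.
    """
    return ctx.split(":", 3)[2]


def parse_relabels(text):
    """Parse restorecon -v output into records; non-matching lines are ignored."""
    records = []
    for line in text.splitlines():
        m = RELABEL_RE.match(line.strip())
        if m:
            records.append({"path": m["path"], "old": m["old"], "new": m["new"]})
    return records


def summarize_type_changes(records):
    """Count relabels by (old_type, new_type) so one policy mismatch shows as one row."""
    return Counter((context_type(r["old"]), context_type(r["new"])) for r in records)


def paths_for_change(records, old_type, new_type):
    """List the files affected by a particular type transition."""
    return [r["path"] for r in records
            if context_type(r["old"]) == old_type and context_type(r["new"]) == new_type]


if __name__ == "__main__":
    recs = parse_relabels(SAMPLE_OUTPUT)
    for (old, new), n in summarize_type_changes(recs).most_common():
        print(f"{n:4d}  {old} -> {new}")
        for p in paths_for_change(recs, old, new):
            print(f"       {p}")
```

Run it as `restorecon -R -n -v /var | python3 relabel_summary.py` after changing the `__main__` block to read `sys.stdin` instead of the constructed sample.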

I think var_log_t is.

EPEL 8 certbot comes packaged with certbot-renew.timer (disabled by default) and no cron job at all. I believe if you enable that timer, the var_log_t label will be applied.

However … the Certbot website tells you to set up a cron job. If you do use that approach, you end up with the cron_log_t label.

@bmw do you know anything about this, or are you able to point who the EPEL packagers are?

(As a separate issue, I noticed that if I follow the instructions on the website, I end up with an error because the cron instructions use a python binary to perform a sleep, which does not exist on my fresh CentOS 8 system - only the versioned variants do).

Unfortunately there are no maintainers listed on the package at https://centos.pkgs.org/8/epel-x86_64/certbot-1.5.0-1.el8.noarch.rpm.html.

I don’t personally know enough about SELinux to provide a recommendation here but I pinged the Fedora/EPEL maintainer who has been doing the most work on the Certbot packages lately about the problem at https://github.com/certbot/certbot/issues/4716#issuecomment-659590859.

@_az, thanks for flagging the renewal instructions. I opened https://github.com/certbot/website/pull/609 to fix the problem.

