SCIENTIFIC-LINUX-USERS Archives

February 2017

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From: Konstantin Olchanski <[log in to unmask]>
Reply To: Konstantin Olchanski <[log in to unmask]>
Date: Thu, 9 Feb 2017 10:01:40 -0800
Content-Type: text/plain
Parts/Attachments: text/plain (33 lines)

Reporting more selinux borkage. (To remember: the main selinux feature is that commands
executed from a root shell work differently from commands run by cron
or sshd & co. Clearly this is introduced to simplify testing stuff.)

This time, broken is letsencrypt certificate renewal using certbot.

"certbot renew" works just fine from the command line, but not from
a cron job: selinux prevents httpd access to files in /var/lib/letsencrypt.

(BTW, the certbot package does not even include any cron job,
"manual automatic renewal", please patent it quick!)

Bug reports for this:

https://community.letsencrypt.org/t/certbot-via-cron-writes-files-unreadable-by-apache-selinux-centos-7/24792
(auto-closed after 30 days, no old stale bugs in that operation!)

https://bugzilla.redhat.com/show_bug.cgi?id=1385167
https://bugzilla.redhat.com/show_bug.cgi?id=1377312

Since I will learn selinux after I learn ldap after our current high-priority
project ships to CERN in September, I do not see any solution other than disabling
selinux until this is fixed (presumably by the EPEL certbot package including
correct selinux policy kludges). BTW, on the machines where selinux is disabled
due to the ZFS bug, letsencrypt renewal works just fine.


-- 
Konstantin Olchanski
Data Acquisition Systems: The Bytes Must Flow!
Email: olchansk-at-triumf-dot-ca
Snail mail: 4004 Wesbrook Mall, TRIUMF, Vancouver, B.C., V6T 2A3, Canada
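The failure described in the post shows up in /var/log/audit/audit.log as an AVC denial naming httpd and the certificate file. The following is an added example, not code from the post, certbot or the list: it parses such records and picks out file denials against the httpd_t domain, so the mislabeled file can be identified (and relabeled) instead of disabling selinux. The sample records are constructed; the var_lib_t label in them is an assumption about what a cron-run certbot produces, not taken from the bug reports.

```python
import re
from typing import Optional

# Field layout of a kernel AVC denial record in /var/log/audit/audit.log.
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample records (not from any real host): one denial of the kind the
# post describes, one unrelated denial, one non-AVC record.
SAMPLE_AUDIT_LINES = [
    'type=SYSCALL msg=audit(1486656100.120:455): arch=c000003e syscall=2 success=no exit=-13',
    'type=AVC msg=audit(1486656100.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" '
    'name="fullchain.pem" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1486656200.001:470): avc:  denied  { write } for  pid=2222 comm="crond" '
    'name="foo" dev="dm-0" ino=99 scontext=system_u:system_r:system_cronjob_t:s0 '
    'tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0',
]

def parse_avc(line: str) -> Optional[dict]:
    """Return the fields of one AVC denial, or None for any other record type."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, val in KV_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    # The SELinux type is the third colon-separated field of a context string.
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            rec[ctx + "_type"] = rec[ctx].split(":")[2]
    return rec

def httpd_file_denials(lines):
    """Denials where the web server domain (httpd_t) was refused access to a file.
    After a cron-driven certbot run, a hit on a certificate file carrying an
    unexpected label points at mislabeling, which restorecon can fix."""
    hits = []
    for line in lines:
        rec = parse_avc(line)
        if rec and rec.get("scontext_type") == "httpd_t" and rec.get("tclass") == "file":
            hits.append(rec)
    return hits

def summarize(rec: dict) -> str:
    """One-line description of a denial, suitable for a report or alert."""
    return (f'{rec["comm"]} (pid {rec["pid"]}) denied {" ".join(rec["perms"])} on '
            f'{rec.get("name", "?")} labeled {rec["tcontext_type"]}')

if __name__ == "__main__":
    for rec in httpd_file_denials(SAMPLE_AUDIT_LINES):
        print(summarize(rec))
```

Run against the live audit log with `open("/var/log/audit/audit.log")` on an affected host; the label it reports is the one to compare against `matchpathcon` output before relabeling.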
