| Summary: | SELinux policy (daemons) changes required for package: custodia | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Eng Ops Maitai User <engops-maitai> |
| Component: | custodia | Assignee: | Christian Heimes <cheimes> |
| Status: | CLOSED WONTFIX | QA Contact: | Namita Soman <nsoman> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 8.3 | CC: | cheimes, frenaud, jpazdziora, ksiddiqu, lmiksik, lvrabec, mmalik, pcech, plautrba, pvoborni, pvrabec, ssekidde |
| Target Milestone: | rc | | |
| Target Release: | 8.2 | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | | |
| | 1331275 | Environment: | |
| Last Closed: | 2020-02-13 09:07:31 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Bug Depends On: | | | |
| Bug Blocks: | 1206288, 1331275, 1425352 | | |
Comment 3
Lukas Vrabec
2016-06-15 11:14:27 UTC
I haven't seen any AVC for Custodia. As far as I know the default SELinux rules just work.

```
# ps -efZ | grep custodia
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 2398 11150 0 14:52 pts/0 00:00:00 grep --color=auto custodia
# touch /etc/ipa/custodia/custodia.conf
# service ipa-custodia start
Redirecting to /bin/systemctl start ipa-custodia.service
# service ipa-custodia status
Redirecting to /bin/systemctl status ipa-custodia.service
● ipa-custodia.service - IPA Custodia Service
   Loaded: loaded (/usr/lib/systemd/system/ipa-custodia.service; disabled; vendor preset: disabled)
   Active: active (running) since Wed 2016-08-10 14:52:08 CEST; 2s ago
 Main PID: 2421 (custodia)
   CGroup: /system.slice/ipa-custodia.service
           └─2421 /usr/bin/python2 /usr/sbin/custodia /etc/ipa/custodia/custo...

Aug 10 14:52:08 rhel71.localdomain systemd[1]: Started IPA Custodia Service.
Aug 10 14:52:08 rhel71.localdomain systemd[1]: Starting IPA Custodia Service...
Hint: Some lines were ellipsized, use -l to show in full.
# ps -efZ | grep custodia
system_u:system_r:unconfined_service_t:s0 root 2421 1 0 14:52 ? 00:00:00 /usr/bin/python2 /usr/sbin/custodia /etc/ipa/custodia/custodia.conf
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 2439 11150 0 14:52 pts/0 00:00:00 grep --color=auto custodia
#
```
As I said, selinux-policy does not define any special domain for custodia, therefore it runs as unconfined_service_t.
For QA purposes: If /etc/ipa/custodia/custodia.conf is empty, then ipa-custodia.sock gets created in /, which is not the right directory. The following config file example is better:

```
# cat /etc/ipa/custodia/custodia.conf
[global]
server_socket = /run/httpd/ipa-custodia.sock
```

Switching to ASSIGNED because of comment#8.
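The two checks the comment above does by hand (which SELinux domain the custodia process landed in, and whether the configured socket path is sane) can be scripted so they run over pasted `ps -eZ` output and a config file. The script below is an added example; it is not code from the bug report, from Red Hat, or from the custodia or selinux-policy projects. The process lines and the config it parses are constructed from the text of the comment. Two things in it are the example's own assumptions rather than facts from the page: the set of types treated as "unconfined" (`unconfined_t`, `unconfined_service_t`, `initrc_t`) and the rule that a socket path is acceptable only under `/run` or `/var/run`.

```shell
#!/bin/sh
# Added example, not from the bug report or the custodia/selinux-policy projects.
# Given `ps -eZ`-style output and a custodia.conf, report (a) which SELinux
# domain the custodia daemon runs in and whether it is a confined one, and
# (b) whether [global] server_socket points into a runtime directory.

# Constructed sample: the two process lines quoted in the comment above.
PS_SAMPLE='system_u:system_r:unconfined_service_t:s0 root 2421 1 0 14:52 ? 00:00:00 /usr/bin/python2 /usr/sbin/custodia /etc/ipa/custodia/custodia.conf
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 2439 11150 0 14:52 pts/0 00:00:00 grep --color=auto custodia'

# Constructed sample configs: the one suggested in the comment, and the empty
# file that the comment says makes the socket land in /.
CONFIG_GOOD='[global]
server_socket = /run/httpd/ipa-custodia.sock'
CONFIG_EMPTY=''

# selinux_type CONTEXT: print the type field of a user:role:type:level context
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# is_confined TYPE: succeed when TYPE is a dedicated domain. The types listed
# as unconfined are an assumption of this example: they are what processes
# get when no policy module defines a domain for them.
is_confined() {
    case "$1" in
        ''|unconfined_t|unconfined_service_t|initrc_t) return 1 ;;
        *) return 0 ;;
    esac
}

# domain_of_cmd PS_OUTPUT PATTERN: type of the first process whose command
# line matches PATTERN, skipping the grep that produced the listing
domain_of_cmd() {
    ctx=$(printf '%s\n' "$1" | awk -v pat="$2" '
        $0 ~ pat && $0 !~ /grep/ { print $1; exit }')
    selinux_type "$ctx"
}

# server_socket_of CONFIG: value of server_socket in the [global] section
server_socket_of() {
    printf '%s\n' "$1" | awk -F= '
        /^[ \t]*\[/ { sec = $0; next }
        sec == "[global]" && $1 ~ /^[ \t]*server_socket[ \t]*$/ {
            sub(/^[ \t]+/, "", $2); sub(/[ \t]+$/, "", $2); print $2; exit }'
}

# socket_path_ok CONFIG: succeed only when server_socket is set and lives
# under a runtime directory (this example's own criterion) rather than
# being left unset so that the daemon falls back to a socket in /
socket_path_ok() {
    case "$(server_socket_of "$1")" in
        /run/*|/var/run/*) return 0 ;;
        *) return 1 ;;
    esac
}

# report PS_OUTPUT CONFIG: one-line summary of both checks
report() {
    t=$(domain_of_cmd "$1" '/usr/sbin/custodia')
    if is_confined "$t"; then d="confined as $t"; else d="unconfined (${t:-not running})"; fi
    if socket_path_ok "$2"; then s="socket ok ($(server_socket_of "$2"))"; else s="socket path not set or outside /run"; fi
    printf 'custodia: %s; %s\n' "$d" "$s"
}

report "$PS_SAMPLE" "$CONFIG_GOOD"
report "$PS_SAMPLE" "$CONFIG_EMPTY"
```

On a live host, replace `PS_SAMPLE` with the output of `ps -eZ` (or `ps -efZ`) and the config with `cat /etc/ipa/custodia/custodia.conf`; an `unconfined (unconfined_service_t)` result is exactly the situation the comment describes, a daemon that selinux-policy ships no domain for, so the absence of AVC denials says nothing about how well it is confined.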