Bug 1802471

The SELinux policy for ipa-custodia is now shipped in IPA 4.8 upstream and part of the "ipa" SELinux module. The next update of IPA will deliver a policy for ipa-custoda on RHEL 8.3.

https://pagure.io/freeipa/c/a55a722237b2d32c55eddddfb9c753c06e1eb5ee

Reproducer:

[root@ci-vm-10-0-139-99 ~]# ps axZ | grep custodia
system_u:system_r:unconfined_service_t:s0 8820 ? Ss     0:00 /usr/libexec/platform-python -I /usr/libexec/ipa/ipa-custodia /etc/ipa/custodia/custodia.conf
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 12619 pts/0 R+   0:00 grep --color=auto custodia
[root@ci-vm-10-0-139-99 ~]# rpm -q ipa-server ipa-server-dns
ipa-server-4.8.4-7.module+el8.2.0+6046+aaa49f96.x86_64
ipa-server-dns-4.8.4-7.module+el8.2.0+6046+aaa49f96.noarch





Verification :

Builds used for verification

ipa-client-4.8.7-8.module+el8.3.0+7513+a375844a.x86_64
ipa-client-common-4.8.7-8.module+el8.3.0+7513+a375844a.noarch
ipa-common-4.8.7-8.module+el8.3.0+7513+a375844a.noarch
ipa-healthcheck-0.4-4.module+el8.2.0+5489+95477d9f.noarch
ipa-healthcheck-core-0.4-4.module+el8.2.0+5489+95477d9f.noarch
ipa-selinux-4.8.7-8.module+el8.3.0+7513+a375844a.noarch
ipa-server-4.8.7-8.module+el8.3.0+7513+a375844a.x86_64
ipa-server-common-4.8.7-8.module+el8.3.0+7513+a375844a.noarch
ipa-server-dns-4.8.7-8.module+el8.3.0+7513+a375844a.noarch
ipa-server-trust-ad-4.8.7-8.module+el8.3.0+7513+a375844a.x86_64



[root@ci-vm-10-0-136-51 ~]# ps axZ | grep custodia
system_u:system_r:ipa_custodia_t:s0 9147 ?       Ss     0:00 /usr/libexec/platform-python -I /usr/libexec/ipa/ipa-custodia /etc/ipa/custodia/custodia.conf
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 13018 pts/0 R+   0:00 grep --color=auto custodia
[root@ci-vm-10-0-136-51 ~]# rpm -q ipa-server ipa-server-dns
ipa-server-4.8.7-8.module+el8.3.0+7513+a375844a.x86_64
ipa-server-dns-4.8.7-8.module+el8.3.0+7513+a375844a.noarch
[root@ci-vm-10-0-136-51 ~]# 


Replica installation successful

Configured /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Configuring testrealm.test as NIS domain.
Client configuration complete.
The ipa-client-install command was successful
Lookup failed: Preferred host replica.testrealm.test does not provide DNS.
Reverse DNS resolution of address 10.0.106.89 (replica.testrealm.test) failed. Clients may not function properly. Please check your DNS setup. (Note that this check queries IPA DNS directly and ignores /etc/hosts.)
Replica DNS records could not be added on master: Insufficient access: Insufficient 'add' privilege to add the entry 'idnsname=replica,idnsname=testrealm.test.,cn=dns,dc=testrealm,dc=test'.
Nothing to do for configure_httpd_wsgi_conf
Custodia uses 'master.testrealm.test' as master peer.
dnssec-validation yes
created new /etc/named.conf
created named user config '/etc/named/ipa-ext.conf'
created named user config '/etc/named/ipa-options-ext.conf'
DNSSEC container exists (step skipped)
The ipa-replica-install command was successful

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: idm:DL1 and idm:client security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:4670