Hi Christian, Do you have any AVCs for this BZ? Or can we close it?
I haven't seen any AVC for Custodia. As far as I know the default SELinux rules just work.
# ps -efZ | grep custodia
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 2398 11150 0 14:52 pts/0 00:00:00 grep --color=auto custodia
# touch /etc/ipa/custodia/custodia.conf
# service ipa-custodia start
Redirecting to /bin/systemctl start ipa-custodia.service
# service ipa-custodia status
Redirecting to /bin/systemctl status ipa-custodia.service
● ipa-custodia.service - IPA Custodia Service
   Loaded: loaded (/usr/lib/systemd/system/ipa-custodia.service; disabled; vendor preset: disabled)
   Active: active (running) since Wed 2016-08-10 14:52:08 CEST; 2s ago
 Main PID: 2421 (custodia)
   CGroup: /system.slice/ipa-custodia.service
           └─2421 /usr/bin/python2 /usr/sbin/custodia /etc/ipa/custodia/custo...

Aug 10 14:52:08 rhel71.localdomain systemd[1]: Started IPA Custodia Service.
Aug 10 14:52:08 rhel71.localdomain systemd[1]: Starting IPA Custodia Service...
Hint: Some lines were ellipsized, use -l to show in full.
# ps -efZ | grep custodia
system_u:system_r:unconfined_service_t:s0 root 2421 1 0 14:52 ? 00:00:00 /usr/bin/python2 /usr/sbin/custodia /etc/ipa/custodia/custodia.conf
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 2439 11150 0 14:52 pts/0 00:00:00 grep --color=auto custodia
#

As I said, selinux-policy does not define any special domain for custodia, therefore it runs as unconfined_service_t.
For QA purposes: If /etc/ipa/custodia/custodia.conf is empty then ipa-custodia.sock gets created in /, which is not the right directory. The following config file example is better:

# cat /etc/ipa/custodia/custodia.conf
[global]
server_socket = /run/httpd/ipa-custodia.sock
#

Switching to ASSIGNED because of comment #8.
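An added check script, not part of the bug report or of Custodia itself, that encodes the two observations above for QA or a defender: it reads the SELinux type of the running custodia process out of `ps -efZ` output and checks that `[global] server_socket` in custodia.conf is set and does not point into `/`. The sample `ps` listing and config text are constructed from the listings in the comments; the `UNCONFINED_DOMAINS` tuple is an assumption limited to the generic domains, not a full policy allowlist.

```python
import configparser
import os

# Constructed sample modelled on the `ps -efZ | grep custodia` listing in the report.
PS_OUTPUT = """\
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 2439 11150 0 14:52 pts/0 00:00:00 grep --color=auto custodia
system_u:system_r:unconfined_service_t:s0 root 2421 1 0 14:52 ? 00:00:00 /usr/bin/python2 /usr/sbin/custodia /etc/ipa/custodia/custodia.conf
"""

# Constructed sample of the config file suggested in the QA comment.
GOOD_CONF = """\
[global]
server_socket = /run/httpd/ipa-custodia.sock
"""

# Assumption: these generic domains mean "no dedicated policy for this service".
UNCONFINED_DOMAINS = ("unconfined_service_t", "unconfined_t")


def custodia_domains(ps_output):
    """Return the SELinux type of each custodia process in `ps -efZ` output, ignoring the grep itself."""
    domains = []
    for line in ps_output.splitlines():
        # ps -efZ columns: LABEL UID PID PPID C STIME TTY TIME CMD
        fields = line.split(None, 8)
        if len(fields) < 9 or "custodia" not in fields[8] or fields[8].startswith("grep"):
            continue
        domains.append(fields[0].split(":")[2])  # label is user:role:type:level
    return domains


def is_confined(domain):
    """True when the process runs in a domain other than the generic unconfined ones."""
    return domain not in UNCONFINED_DOMAINS


def socket_path(conf_text):
    """Return [global] server_socket from custodia.conf text, or None when unset (e.g. empty file)."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    return cp.get("global", "server_socket", fallback=None)


def socket_problems(conf_text):
    """List findings about where the service socket would be created."""
    path = socket_path(conf_text)
    if path is None:
        return ["server_socket not set: the report notes the socket then lands in /"]
    if not os.path.isabs(path):
        return ["server_socket is not an absolute path"]
    if os.path.dirname(path) == "/":
        return ["server_socket would be created directly in /"]
    return []
```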