Bug 1434032 - Run ipa-custodia with custom SELinux context
Summary: Run ipa-custodia with custom SELinux context
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: ---
Assignee: IPA Maintainers
QA Contact: Petr Čech
Depends On:
TreeView+ depends on / blocked
Reported: 2017-03-20 15:18 UTC by Petr Vobornik
Modified: 2017-08-01 09:46 UTC (History)
8 users (show)

Fixed In Version: ipa-4.5.0-4.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2017-08-01 09:46:16 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:2304 normal SHIPPED_LIVE ipa bug fix and enhancement update 2017-08-01 12:41:35 UTC

Description Petr Vobornik 2017-03-20 15:18:04 UTC
Cloned from upstream: https://pagure.io/freeipa/issue/6788

A standard Custodia daemon can work with limited permission and as non-root user. However a ```ipa-custodia``` instance requires more privileges and access to very sensitive files in order to provide functionality for ```ipa-replica-install```. Therefore it must run as root user with a different SELinux context.

Custodia must be able to read:

* /etc/pki/pki-tomcat/alias
* /var/lib/ipa/ra-agent.pem
* /var/lib/ipa/ra-agent.key

Additional resources:

* /run/httpd/ipa-custodia.sock UNIX socket bind
* /var/log/ipa-custodia.audit.log create and write
* /etc/ipa/custodia/server.keys CRUD
* /etc/ipa/custodia/* read
* /var/run/slapd-socket UNIX socket connect

Comment 2 Petr Vobornik 2017-03-20 15:18:54 UTC
Upstream ticket:

Comment 10 errata-xmlrpc 2017-08-01 09:46:16 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.