Cloned from upstream: https://pagure.io/freeipa/issue/6788
A standard Custodia daemon can work with limited permission and as non-root user. However a ```ipa-custodia``` instance requires more privileges and access to very sensitive files in order to provide functionality for ```ipa-replica-install```. Therefore it must run as root user with a different SELinux context.
Custodia must be able to read:
* /run/httpd/ipa-custodia.sock UNIX socket bind
* /var/log/ipa-custodia.audit.log create and write
* /etc/ipa/custodia/server.keys CRUD
* /etc/ipa/custodia/* read
* /var/run/slapd-socket UNIX socket connect
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.