Red Hat Bugzilla – Bug 1434032
Run ipa-custodia with custom SELinux context
Last modified: 2017-08-01 05:46:16 EDT
Cloned from upstream: https://pagure.io/freeipa/issue/6788 A standard Custodia daemon can work with limited permission and as non-root user. However a ```ipa-custodia``` instance requires more privileges and access to very sensitive files in order to provide functionality for ```ipa-replica-install```. Therefore it must run as root user with a different SELinux context. Custodia must be able to read: * /etc/pki/pki-tomcat/alias * /var/lib/ipa/ra-agent.pem * /var/lib/ipa/ra-agent.key Additional resources: * /run/httpd/ipa-custodia.sock UNIX socket bind * /var/log/ipa-custodia.audit.log create and write * /etc/ipa/custodia/server.keys CRUD * /etc/ipa/custodia/* read * /var/run/slapd-socket UNIX socket connect
Upstream ticket: https://pagure.io/freeipa/issue/6788
Fixed upstream ipa-4-5: https://pagure.io/freeipa/c/403263df7a3be61086c87c5577698cf32a912065 master: https://pagure.io/freeipa/c/f5bf5466eda0de2a211b4f2682e5c50b82577701
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:2304