The patch fixes the SELinux denial for kdcproxy's home directory. I have
successfully tested a migration from FreeIPA 4.1. The user, group and
home directory are successfully created with the correct permissions.


From a67beee26511750e73b0132f08683bcab8a26c76 Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.com>
Date: Wed, 15 Jul 2015 21:49:16 +0200
Subject: [PATCH] Create pkiuser user and group during installation

The group 'pkiuser' and user 'pkiuser' are now created during the
installation of the pki-server package.

 specs/pki-core.spec | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/specs/pki-core.spec b/specs/pki-core.spec
index 148c90734a0103b21b3d3984586d42bc3da3cede..6ac51d85efcf49a4e69cd4fe70709a9e1fc9bb84 100644
--- a/specs/pki-core.spec
+++ b/specs/pki-core.spec
@@ -30,6 +30,13 @@ distutils.sysconfig import get_python_lib; print(get_python_lib(1))")}
 # REMINDER:  Remove this '%%define' once 'tpsclient' is rewritten as a Java app
 %define _unpackaged_files_terminate_build 0
+# pkiuser and group. The uid and gid are preallocated
+# see /usr/share/doc/setup/uidgid
+%define pki_username pkiuser
+%define pki_uid 17
+%define pki_groupname pkiuser
+%define pki_gid 17
+%define pki_homedir /usr/share/pki
 Name:             pki-core
 Version:          10.2.6
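
Review bot: the comment above the new macros ("pkiuser and group. The uid and gid are preallocated") reads as a fragment and presents 17 as fixed, while the %pre scriptlet later in this patch falls back to a dynamically assigned uid when 17 is already taken. Suggest rewording it to say that 17 is the preferred, preallocated uid/gid for pkiuser and that the scriptlet picks another system id if it is in use, so anyone relying on uid 17 for file ownership or policy knows it is not guaranteed.
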
@@ -395,6 +402,7 @@ Requires:         velocity
 Requires(post):   systemd-units
 Requires(preun):  systemd-units
 Requires(postun): systemd-units
+Requires(pre):    shadow-utils
 %if 0%{?rhel}
 Requires:    tomcatjss >= 7.1.0-6
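
Review bot: the context around `Requires(pre):    shadow-utils` does not show which package stanza it lands in, and the scriptlet that needs groupadd and useradd is `%pre -n pki-server`. Please confirm this line sits in the pki-server subpackage's dependency block; if it is attached to another subpackage, the ordering guarantee does not apply to the scriptlet that creates the account.
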
@@ -727,6 +735,17 @@ if (test("/etc/sysconfig/pki/ca") or
+%pre -n pki-server
+getent group %{pki_groupname} >/dev/null || groupadd -f -g %{pki_gid} -r %{pki_groupname}
+if ! getent passwd %{pki_username} >/dev/null ; then
+    if ! getent passwd %{pki_uid} >/dev/null ; then
+      useradd -r -u %{pki_uid} -g %{pki_groupname} -d %{pki_homedir} -s /sbin/nologin -c "Certificate System" %{pki_username}
+    else
+      useradd -r -g %{pki_groupname} -d %{pki_homedir} -s /sbin/nologin -c "Certificate System" %{pki_username}
+    fi
+exit 0
 %post -n pki-base
 if [ $1 -eq 1 ]
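
Review bot: the outer `if ! getent passwd %{pki_username} >/dev/null ; then` has no closing `fi` in the lines shown; the single `fi` closes the inner uid check and `exit 0` follows it directly. As written the scriptlet ends in a shell syntax error, so add a `fi` on its own line before `exit 0`. Separately, the unconditional `exit 0` hides a failed groupadd or useradd, which would leave pki-server installed without its service account; consider reporting the failure before exiting.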

