On 2015-07-16 12:51, Christian Heimes wrote:
> Hi,
> the patch fixes the SELinux denial for kdcproxy's home directory. I have
> successfully tested a migration from FreeIPA 4.1. The user, group and
> home directory are successfully created with the correct permissions.
> https://fedorahosted.org/freeipa/ticket/5135

I accidentally pushed the spec file fix for PKI. Here is the correct
patch for FreeIPA.

From 15060e7ae718b50c2fca21cad54a5d4835bbaeed Mon Sep 17 00:00:00 2001
From: Christian Heimes <chei...@redhat.com>
Date: Thu, 16 Jul 2015 12:45:23 +0200
Subject: [PATCH] Fix selinux denial during kdcproxy user creation

The home directory of the kdcproxy user is now properly owned by the
package and no longer created by useradd.

 freeipa.spec.in | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index bfc021618797109396892205fabff057be4bee32..fabfaee619d4cf0203b2f87d7fe804c2e72026f3 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -469,6 +469,7 @@ install daemons/dnssec/ipa-ods-exporter %{buildroot}%{_libexecdir}/ipa/ipa-ods-e
 mkdir -p %{buildroot}%{_usr}/share/ipa/ui/js/plugins
 # KDC proxy config (Apache config sets KDCPROXY_CONFIG to load this file)
+mkdir -p %{buildroot}%{kdcproxy_home}
 mkdir -p %{buildroot}%{_sysconfdir}/ipa/kdcproxy/
 install -m 644 install/share/kdcproxy.conf %{buildroot}%{_sysconfdir}/ipa/kdcproxy/kdcproxy.conf
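Review bot: The added `mkdir -p %{buildroot}%{kdcproxy_home}` sits directly under the `# KDC proxy config (Apache config sets KDCPROXY_CONFIG to load this file)` comment, so that comment now appears to describe the home directory rather than the config directory and file below it. Either move the new line above the comment or give it its own comment, for example `# kdcproxy home directory, owned by the package`. The install section starts and continues outside this hunk.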
@@ -568,7 +569,7 @@ fi
 # create kdcproxy user
 getent group %{kdcproxy_group} >/dev/null || groupadd -r %{kdcproxy_group}
 getent passwd %{kdcproxy_user} >/dev/null || \
-    /usr/sbin/useradd -r -m -c "IPA KDC Proxy User" -s /sbin/nologin \
+    /usr/sbin/useradd -r -c "IPA KDC Proxy User" -s /sbin/nologin \
     -g %{kdcproxy_group} -d %{kdcproxy_home} %{kdcproxy_user}
 exit 0
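Review bot: Nothing in the scriptlet records why `-m` was dropped from the `useradd` call, so a later cleanup could put it back and reintroduce the denial. A comment above the `getent passwd` line would cover it, e.g. `# no -m: the home directory is shipped by the package (see the files list), not created by useradd`. That the denial came from useradd creating the directory is inferred from the commit message. The scriptlet begins outside this hunk.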
@@ -711,6 +712,7 @@ fi
 %dir %attr(0755,root,root) %{_sysconfdir}/ipa/kdcproxy
+%dir %attr(0700,%{kdcproxy_user},%{kdcproxy_group}) %{kdcproxy_home}
 %config(noreplace) %{_sysconfdir}/sysconfig/ipa_memcached
 %config(noreplace) %{_sysconfdir}/sysconfig/ipa-dnskeysyncd
 %config(noreplace) %{_sysconfdir}/sysconfig/ipa-ods-exporter
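Review bot: The `%attr(0700,%{kdcproxy_user},%{kdcproxy_group})` on `%{kdcproxy_home}` only resolves if the account already exists when the payload is unpacked, and the user-creation scriptlet in the previous hunk ends in `exit 0`, so a failed `groupadd` or `useradd` goes unreported. As far as I know rpm then falls back to root ownership with a warning, which would leave a 0700 directory the proxy user cannot enter. Confirm that the account is created in `%pre` (the scriptlet header is not visible here). A comment on this line would also help, e.g. `# owner and group are created by the user-creation scriptlet`.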
