Fix selinux denial during kdcproxy user creation

The home directory of the kdcproxy user is now properly owned by the package and no longer created by useradd. https://fedorahosted.org/freeipa/ticket/5135 Reviewed-By: Tomas Babej <tbabej@redhat.com>
2025-02-25 18:55:28 -06:00 · 2015-07-16 12:45:23 +02:00 · 2015-07-16 12:45:23 +02:00 · 0700d340c7
commit 0700d340c7
parent c6a1bd591e
1 changed files with 3 additions and 1 deletions
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@ -469,6 +469,7 @@ install daemons/dnssec/ipa-ods-exporter %{buildroot}%{_libexecdir}/ipa/ipa-ods-e
 mkdir -p %{buildroot}%{_usr}/share/ipa/ui/js/plugins

 # KDC proxy config (Apache config sets KDCPROXY_CONFIG to load this file)
+mkdir -p %{buildroot}%{kdcproxy_home}
 mkdir -p %{buildroot}%{_sysconfdir}/ipa/kdcproxy/
 install -m 644 install/share/kdcproxy.conf %{buildroot}%{_sysconfdir}/ipa/kdcproxy/kdcproxy.conf

@ -568,7 +569,7 @@ fi
 # create kdcproxy user
 getent group %{kdcproxy_group} >/dev/null || groupadd -r %{kdcproxy_group}
 getent passwd %{kdcproxy_user} >/dev/null || \
-    /usr/sbin/useradd -r -m -c "IPA KDC Proxy User" -s /sbin/nologin \
+    /usr/sbin/useradd -r -c "IPA KDC Proxy User" -s /sbin/nologin \
    -g %{kdcproxy_group} -d %{kdcproxy_home} %{kdcproxy_user}
 exit 0

@ -711,6 +712,7 @@ fi
 %{_libexecdir}/ipa/ipa-ods-exporter
 %{_libexecdir}/ipa/ipa-httpd-kdcproxy
 %dir %attr(0755,root,root) %{_sysconfdir}/ipa/kdcproxy
+%dir %attr(0700,%{kdcproxy_user},%{kdcproxy_group}) %{kdcproxy_home}
 %config(noreplace) %{_sysconfdir}/sysconfig/ipa_memcached
 %config(noreplace) %{_sysconfdir}/sysconfig/ipa-dnskeysyncd
 %config(noreplace) %{_sysconfdir}/sysconfig/ipa-ods-exporter