authorChristian Heimes <cheimes@redhat.com>2015-07-16 12:45:23 +0200
committerTomas Babej <tbabej@redhat.com>2015-07-16 13:45:03 +0200
commit0700d340c7c88c295a62dd5d1a7d6866650d9de3 (patch)
treefce6c4d5e8ebe2dafaf1a8bc1325abfcbc93cd49
parentc6a1bd591e81cd82c0715c01bcc82f2947adf3bb (diff)
downloadfreeipa-0700d340c7c88c295a62dd5d1a7d6866650d9de3.tar.gz
freeipa-0700d340c7c88c295a62dd5d1a7d6866650d9de3.tar.xz
freeipa-0700d340c7c88c295a62dd5d1a7d6866650d9de3.zip
Fix selinux denial during kdcproxy user creation
The home directory of the kdcproxy user is now properly owned by the package and no longer created by useradd. https://fedorahosted.org/freeipa/ticket/5135 Reviewed-By: Tomas Babej <tbabej@redhat.com>
-rw-r--r--freeipa.spec.in4
1 files changed, 3 insertions, 1 deletions
diff --git a/freeipa.spec.in b/freeipa.spec.in
index bfc021618..fabfaee61 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -469,6 +469,7 @@ install daemons/dnssec/ipa-ods-exporter %{buildroot}%{_libexecdir}/ipa/ipa-ods-e
mkdir -p %{buildroot}%{_usr}/share/ipa/ui/js/plugins
# KDC proxy config (Apache config sets KDCPROXY_CONFIG to load this file)
+mkdir -p %{buildroot}%{kdcproxy_home}
mkdir -p %{buildroot}%{_sysconfdir}/ipa/kdcproxy/
install -m 644 install/share/kdcproxy.conf %{buildroot}%{_sysconfdir}/ipa/kdcproxy/kdcproxy.conf
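Review bot: The added `mkdir -p %{buildroot}%{kdcproxy_home}` sits directly under the comment "KDC proxy config (Apache config sets KDCPROXY_CONFIG to load this file)", which describes the configuration file and not the service account's home directory. Move the new line above that comment and give it its own one, for example `# kdcproxy home directory, shipped by the package (see %files)`. That keeps the reason for the buildroot directory visible next to the line that creates it.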
@@ -568,7 +569,7 @@ fi
# create kdcproxy user
getent group %{kdcproxy_group} >/dev/null || groupadd -r %{kdcproxy_group}
getent passwd %{kdcproxy_user} >/dev/null || \
- /usr/sbin/useradd -r -m -c "IPA KDC Proxy User" -s /sbin/nologin \
+ /usr/sbin/useradd -r -c "IPA KDC Proxy User" -s /sbin/nologin \
-g %{kdcproxy_group} -d %{kdcproxy_home} %{kdcproxy_user}
exit 0
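Review bot: Nothing on the `useradd` line records why `-m` is absent, so a later cleanup could restore it and reintroduce the SELinux denial named in the commit message. A comment above the call would pin that down, for example `# no -m: %{kdcproxy_home} is owned by the package (%files) so useradd must not create it`. The `getent passwd` guard also means an account that already exists under this name is reused as-is, with whatever home and shell it has; say so in the comment if that is intended. The scriptlet's section header is outside this hunk.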
@@ -711,6 +712,7 @@ fi
%{_libexecdir}/ipa/ipa-ods-exporter
%{_libexecdir}/ipa/ipa-httpd-kdcproxy
%dir %attr(0755,root,root) %{_sysconfdir}/ipa/kdcproxy
+%dir %attr(0700,%{kdcproxy_user},%{kdcproxy_group}) %{kdcproxy_home}
%config(noreplace) %{_sysconfdir}/sysconfig/ipa_memcached
%config(noreplace) %{_sysconfdir}/sysconfig/ipa-dnskeysyncd
%config(noreplace) %{_sysconfdir}/sysconfig/ipa-ods-exporter
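Review bot: The new `%dir %attr(0700,%{kdcproxy_user},%{kdcproxy_group}) %{kdcproxy_home}` entry resolves its owner by name at install time, so it depends on the account-creation scriptlet having run and succeeded before the payload is unpacked. That scriptlet ends in `exit 0` (hunk at -568), which hides a failed `useradd`. In that case rpm would, as far as I know, fall back to root ownership, leaving a 0700 directory the proxy user cannot enter. It is worth confirming the scriptlet is a `%pre` of the same subpackage and adding a comment here such as `# owner is created in %pre ("create kdcproxy user"); must exist before unpack`. On upgrades from builds that used `useradd -m`, the directory may already hold files copied from /etc/skel, which this entry does not cover.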