I'm rolling out some servers providing a graphical desktop, and everything is fine except this: our desktop software of choice is XRDP which needs a certificate. It ships with a self-signed one, but that gives warnings on the clients, so I'd much rather go with a FreeIPA managed one.
So after installing XRDP, I issue the command:
ipa-getcert request -f /etc/xrdp/cert.pem -k /etc/xrdp/key.pem -r -w
Problem is, this fails with SELinux enabled, because ipa-getcert is not permitted to write to /etc/xrdp.
Proposed solution 1: Use a better dir, the certificate and key are configured in /etc/xrdp/xrdp.conf so I'm guessing certs can reside anywhere. What's a good default one? Somewhere in /etc/pki?
Proposed solution 2: Make and install a SELinux policy that allows ipa-getcert to access that directory.
Searching a bit, I can see that the issue comes up on occasion, with other software packages such as Puppet etc.