13.11. Configuring POSIX System ACLs
POSIX access control lists (ACLs) give finer-grained control over file permissions than the standard owner/group/other mode bits. The ACLs below must be set for each instance after it is fully configured, because the installer creates files and directories with the default mode bits only. For more details on ACLs, see the corresponding chapter in the Red Hat Enterprise Linux Storage Administration Guide.
13.11.1. Setting POSIX System ACLs for the CA, KRA, OCSP, TKS, and TPS
Modern file systems such as ext4 and XFS support ACLs by default and are the file systems most likely to be in use on current Red Hat Enterprise Linux installations, so no additional mount options are normally required.
- Stop the instance:
# systemctl stop pki-tomcatd@instance_name.service
- Grant the pkiadmin group read access to the instance's directories and files. The d: entry sets the matching default ACL so that entries created later inherit the same access:
# setfacl -R -L -m g:pkiadmin:r,d:g:pkiadmin:r /var/lib/pki/instance_name
- Add execute (x) permission for the pkiadmin group on all directories so that the group can traverse them. The -n option keeps the existing mask instead of recalculating it:
# find -L /var/lib/pki/instance_name -type d -exec setfacl -L -n -m g:pkiadmin:rx,d:g:pkiadmin:rx {} \;
- Remove the pkiadmin group's entries from the instance's signedAudit/ directory and its files, which takes the signed audit log out of the administrators' reach:
# setfacl -R -L -x g:pkiadmin,d:g:pkiadmin /var/lib/pki/instance_name/logs/signedAudit
- Grant the pkiaudit group read access to the signedAudit/ directory and its files:
# setfacl -R -L -m g:pkiaudit:r,d:g:pkiaudit:r /var/lib/pki/instance_name/logs/signedAudit
- Add execute (x) permission for the pkiaudit group on the signedAudit/ directory and all of its subdirectories:
# find -L /var/lib/pki/instance_name/logs/signedAudit -type d -exec setfacl -L -n -m g:pkiaudit:rx,d:g:pkiaudit:rx {} \;
- Start the instance:
# systemctl start pki-tomcatd@instance_name.service
- Confirm that the file access controls were applied by using the getfacl command to show the current ACL settings:
# getfacl /var/lib/pki/instance_name /var/lib/pki/instance_name/logs/signedAudit/
getfacl: Removing leading '/' from absolute path names
# file: var/lib/pki/instance_name
# owner: pkiuser
# group: pkiuser
user::rwx
group::rwx
group:pkiadmin:r-x
mask::rwx
other::r-x
default:user::rwx
default:group::rwx
default:group:pkiadmin:r-x
default:mask::rwx
default:other::r-x

# file: var/lib/pki/instance_name/logs/signedAudit
# owner: pkiuser
# group: pkiaudit
user::rwx
group::rwx
group:pkiaudit:r-x
mask::rwx
other::---
default:user::rwx
default:group::rwx
default:group:pkiaudit:r-x
default:mask::rwx
default:other::---
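As an added example that is not part of the Red Hat documentation or of the Certificate System code, the following POSIX shell script checks getfacl output for the layout the procedure above is meant to produce: pkiadmin r-x on the instance tree, pkiaudit r-x and no pkiadmin entry on logs/signedAudit, other::--- on signedAudit, and a mask that does not silently cut the named groups down to r--. The group names, paths and ACL entries are taken from the procedure; the two sample outputs embedded in the script are constructed so that it runs offline.

```shell
#!/bin/sh
# Added example (not from the Red Hat documentation): verify getfacl output
# against the ACL layout the procedure is meant to produce. The sample outputs
# below are constructed; on a real host feed the script real getfacl output.

# Constructed sample: getfacl output after all steps were applied.
SAMPLE_GOOD='# file: var/lib/pki/instance_name
# owner: pkiuser
# group: pkiuser
user::rwx
group::rwx
group:pkiadmin:r-x
mask::rwx
other::r-x
default:user::rwx
default:group::rwx
default:group:pkiadmin:r-x
default:mask::rwx
default:other::r-x

# file: var/lib/pki/instance_name/logs/signedAudit
# owner: pkiuser
# group: pkiaudit
user::rwx
group::rwx
group:pkiaudit:r-x
mask::rwx
other::---
default:user::rwx
default:group::rwx
default:group:pkiaudit:r-x
default:mask::rwx
default:other::---'

# Constructed sample of the same tree with the signedAudit steps skipped:
# pkiadmin still has r-x on signedAudit and pkiaudit was never added.
SAMPLE_BAD=$(printf '%s\n' "$SAMPLE_GOOD" | sed 's/pkiaudit:r-x/pkiadmin:r-x/')

# acl_section OUTPUT PATH: print the getfacl block whose "# file:" header is
# exactly PATH (getfacl strips the leading '/', so pass the path without it).
acl_section() {
    printf '%s\n' "$1" | awk -v hdr="# file: $2" '
        /^# file: / { keep = ($0 == hdr) }
        keep { print }'
}

# has_entry SECTION LINE: succeed if LINE appears verbatim in SECTION.
has_entry() {
    printf '%s\n' "$1" | grep -qxF -- "$2"
}

# check_instance_acl OUTPUT INSTANCE_DIR
# Succeeds when OUTPUT shows the expected ACLs; prints each violated
# expectation and fails otherwise.
check_instance_acl() {
    out=$1; dir=$2; rc=0
    inst=$(acl_section "$out" "$dir")
    audit=$(acl_section "$out" "$dir/logs/signedAudit")
    [ -n "$inst" ] || { echo "no getfacl block for $dir"; return 1; }
    [ -n "$audit" ] || { echo "no getfacl block for $dir/logs/signedAudit"; return 1; }

    # Instance tree: pkiadmin gets r-x now and, via the default ACL, on new entries.
    for e in 'group:pkiadmin:r-x' 'default:group:pkiadmin:r-x'; do
        has_entry "$inst" "$e" || { echo "$dir: missing $e"; rc=1; }
    done
    # signedAudit: pkiaudit r-x, world nothing, and no pkiadmin entry left behind.
    for e in 'group:pkiaudit:r-x' 'default:group:pkiaudit:r-x' \
             'other::---' 'default:other::---'; do
        has_entry "$audit" "$e" || { echo "$dir/logs/signedAudit: missing $e"; rc=1; }
    done
    if printf '%s\n' "$audit" | grep -qE '^(default:)?group:pkiadmin:'; then
        echo "$dir/logs/signedAudit: pkiadmin entry still present"; rc=1
    fi
    # setfacl -n leaves the mask untouched; a mask without r and x would make
    # getfacl show "#effective:" rights narrower than the named-group entry.
    for sec in "$inst" "$audit"; do
        printf '%s\n' "$sec" | grep -qE '^mask::r.x$' || { echo "mask lacks r or x"; rc=1; }
    done
    return $rc
}

if check_instance_acl "$SAMPLE_GOOD" var/lib/pki/instance_name; then
    echo "ACLs match the expected layout"
fi
```

On a real host, run it as check_instance_acl "$(getfacl /var/lib/pki/instance_name /var/lib/pki/instance_name/logs/signedAudit 2>/dev/null)" var/lib/pki/instance_name, passing the directory without a leading or trailing slash so that the "# file:" headers match. The mask check is the caveat worth keeping: because the find/setfacl steps use -n, a pre-existing mask narrower than rx would leave the named group unable to enter directories even though its own entry reads r-x.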
