#7934 ipa-server-common expected file permissions in package don't match runtime permissions
Closed: fixed 4 years ago by frenaud. Opened 4 years ago by frenaud.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1702426

Description of problem:
File permissions from the rpm do not match the runtime permissions on several
files. This results in mode failures on rpm -Va. Most noticed on systems in
which DISA STIG is being performed and file permissions should not be less than
the rpm provides or it is considered a finding during an audit. Important for
government users and contractors who will be performing DISA STIG.

Version-Release number of selected component (if applicable):
initscripts-9.49.46-1.el7.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Install and configure ipa server
2. rpm -V ipa-server-common

Actual results:
The following files have permissions that are more permissive than the rpm
provides:

/var/lib/ipa/pki-ca/publish
/var/lib/kdcproxy
/var/named/dyndb-ldap/ipa

Expected results:
The file permissions provided via rpm should match the final runtime
permissions (or they should be less restrictive on the rpm than the runtime
permissions, which would not result in a finding).

Additional info:
The following output shows what it "should be" according to the rpm, as well as
what it "actually is" after the package has been installed. This could be
resolved by using the proper permissions in the spec file, so that rpm -Va will
not flag on these files.

From rpm: ipa-server-common-4.6.4-10.el7_6.3.noarch
/var/lib/ipa/pki-ca/publish
SHOULD BE:  000
ACTUALLY IS:  775
--
From rpm: ipa-server-common-4.6.4-10.el7_6.3.noarch
/var/lib/kdcproxy
SHOULD BE:  000
ACTUALLY IS:  700
--
From rpm: ipa-server-common-4.6.4-10.el7_6.3.noarch
/var/named/dyndb-ldap/ipa
SHOULD BE:  000
ACTUALLY IS:  770
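The mismatch the report describes can be reproduced and classified offline. The following script is an added example for this ticket, not FreeIPA's code and not part of rpm: it parses lines in the layout printed by `rpm -q --dump <package>` (path, size, mtime, digest, octal mode, owner, group, isconfig, isdoc, rdev, symlink), compares the packaged permission bits with the bits found at runtime, and separates a plain `rpm -V` mode mismatch from the stricter STIG criterion in the report (runtime permissions must not exceed what the rpm provides). The sample dump lines and runtime modes below are constructed to mirror the three ghost directories in the ticket (packaged as mode 000, created at runtime as 775/700/770); the digests, sizes and the two `CONSTRUCTED-control-*` paths are placeholders.

```python
"""Compare packaged file modes with runtime modes, the way `rpm -V` and a
DISA STIG permission check would.  Added example, not FreeIPA or rpm code.
"""
import os
import stat
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

PERM_MASK = 0o7777  # rwx bits plus setuid/setgid/sticky; file-type bits dropped


@dataclass
class ModeCheck:
    path: str
    packaged: int   # permission bits recorded in the rpm
    runtime: int    # permission bits found on disk
    mismatch: bool  # any difference: what `rpm -V` reports as an "M" failure
    finding: bool   # runtime grants bits the rpm does not: the STIG finding


def parse_dump_line(line: str) -> Tuple[str, int]:
    """Return (path, packaged permission bits) from one `rpm -q --dump` line.

    Field 5 is the octal mode including the file type, e.g. 040775 for a
    directory; a ghost entry packaged with no permissions shows as 040000.
    """
    fields = line.split()
    if len(fields) < 11:
        raise ValueError(f"not an rpm --dump line: {line!r}")
    path, mode_octal = fields[0], fields[4]
    return path, int(mode_octal, 8) & PERM_MASK


def check_mode(path: str, packaged: int, runtime: int) -> ModeCheck:
    """Classify one file: mismatch if the modes differ at all, finding only if
    the runtime mode has bits the package does not grant (e.g. 000 -> 775)."""
    mismatch = packaged != runtime
    finding = bool(runtime & ~packaged)
    return ModeCheck(path, packaged, runtime, mismatch, finding)


def runtime_mode(path: str, overrides: Optional[Dict[str, int]] = None) -> Optional[int]:
    """Permission bits on disk; `overrides` stands in for lstat() in offline runs."""
    if overrides and path in overrides:
        return overrides[path] & PERM_MASK
    try:
        return stat.S_IMODE(os.lstat(path).st_mode)
    except FileNotFoundError:
        return None  # ghost file not created yet: nothing to compare


def audit(dump_lines: Iterable[str], overrides: Optional[Dict[str, int]] = None) -> List[ModeCheck]:
    results = []
    for line in dump_lines:
        if not line.strip():
            continue
        path, packaged = parse_dump_line(line)
        actual = runtime_mode(path, overrides)
        if actual is None:
            continue
        results.append(check_mode(path, packaged, actual))
    return results


def format_report(results: Iterable[ModeCheck]) -> List[str]:
    lines = []
    for r in results:
        status = "FINDING" if r.finding else ("mismatch" if r.mismatch else "ok")
        lines.append(f"{r.path}: packaged {r.packaged:04o} runtime {r.runtime:04o} -> {status}")
    return lines


# Constructed sample input (digest/size placeholders; control paths are hypothetical).
SAMPLE_DUMP = [
    "/var/lib/ipa/pki-ca/publish 0 0 PLACEHOLDER_DIGEST 040000 root root 0 0 0 X",
    "/var/lib/kdcproxy 0 0 PLACEHOLDER_DIGEST 040000 root root 0 0 0 X",
    "/var/named/dyndb-ldap/ipa 0 0 PLACEHOLDER_DIGEST 040000 root root 0 0 0 X",
    # packaged 755 but created 700 at runtime: rpm -V mismatch, not a STIG finding
    "/var/lib/ipa/CONSTRUCTED-control-tighter 0 0 PLACEHOLDER_DIGEST 040755 root root 0 0 0 X",
    # packaged and runtime agree: clean
    "/var/lib/ipa/CONSTRUCTED-control-ok 0 0 PLACEHOLDER_DIGEST 040700 root root 0 0 0 X",
]
SAMPLE_RUNTIME = {
    "/var/lib/ipa/pki-ca/publish": 0o775,
    "/var/lib/kdcproxy": 0o700,
    "/var/named/dyndb-ldap/ipa": 0o770,
    "/var/lib/ipa/CONSTRUCTED-control-tighter": 0o700,
    "/var/lib/ipa/CONSTRUCTED-control-ok": 0o700,
}

if __name__ == "__main__":
    for line in format_report(audit(SAMPLE_DUMP, SAMPLE_RUNTIME)):
        print(line)
```

Run without the `overrides` argument (`audit(subprocess-captured --dump lines)`) on a real host and the script stats each path itself, skipping ghost entries that have not been created yet. The distinction it draws is the one the report makes: any difference trips `rpm -V`, but only a runtime mode that is more permissive than the packaged one is an audit finding, which is why recording the real modes in the spec file (the approach taken in the linked fix) clears both.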

Metadata Update from @frenaud:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1702426

4 years ago

Metadata Update from @frenaud:
- Issue assigned to frenaud

4 years ago

Metadata Update from @frenaud:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/3144

4 years ago

master:

  • a425448 Fix expected file permissions for ghost files
  • 7fe10d9 ipatests: add integration test checking the files mode

ipa-4-7:

  • ab26121 Fix expected file permissions for ghost files
  • f3a9251 ipatests: add integration test checking the files mode

ipa-4-6:

  • b7afb14 Fix expected file permissions for ghost files
  • c7712c1 ipatests: add integration test checking the files mode

Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

4 years ago
