Merge pull request freeipa#1207 from t-woerner/ipaclient_enable_SELin…

…ux_for_SSSD ipaclient: Enable SELinux for SSSD
rjeffman · Feb 7, 2024 · 03c65bd · 03c65bd
2 parents 1028f61 + e92db5c
commit 03c65bd
Show file tree

Hide file tree

Showing 4 changed files with 27 additions and 4 deletions.
diff --git a/roles/ipaclient/library/ipaclient_setup_nss.py b/roles/ipaclient/library/ipaclient_setup_nss.py
@@ -152,6 +152,10 @@
       The dist of nss_ldap or nss-pam-ldapd files if sssd is disabled
     required: yes
     type: dict
+  selinux_works:
+    description: True if selinux status check passed
+    required: false
+    type: bool
   krb_name:
     description: The krb5 config file name
     type: str
@@ -189,7 +193,7 @@
     CalledProcessError, tasks, client_dns, services,
     update_ssh_keys, save_state, configure_ldap_conf, configure_nslcd_conf,
     configure_openldap_conf, hardcode_ldap_server, getargspec, NUM_VERSION,
-    serialization
+    serialization, configure_selinux_for_client
 )
 
 
@@ -224,6 +228,7 @@ def main():
             no_dns_sshfp=dict(required=False, type='bool', default=False),
             nosssd_files=dict(required=True, type='dict'),
             krb_name=dict(required=True, type='str'),
+            selinux_works=dict(required=False, type='bool', default=False),
         ),
         supports_check_mode=False,
     )
@@ -274,6 +279,7 @@ def main():
     options.sssd = not options.no_sssd
     options.no_ac = False
     nosssd_files = module.params.get('nosssd_files')
+    selinux_works = module.params.get('selinux_works')
     krb_name = module.params.get('krb_name')
     os.environ['KRB5_CONFIG'] = krb_name
 
@@ -474,6 +480,9 @@ def main():
             logger.info("%s enabled", "SSSD" if options.sssd else "LDAP")
 
             if options.sssd:
+                if selinux_works and configure_selinux_for_client is not None:
+                    configure_selinux_for_client(statestore)
+
                 sssd = services.service('sssd', api)
                 try:
                     sssd.restart()

diff --git a/roles/ipaclient/library/ipaclient_test.py b/roles/ipaclient/library/ipaclient_test.py
@@ -226,6 +226,10 @@
   returned: always
   type: list
   elements: str
+selinux_works:
+  description: True if the selinux status check passed.
+  returned: always
+  type: bool
 '''
 
 import os
@@ -495,6 +499,8 @@ def main():
     #     not installer.no_krb5_offline_passwords
     installer.sssd = not installer.no_sssd
 
+    selinux_works = False
+
     try:
 
         # client
@@ -529,7 +535,7 @@ def main():
                 "You must be root to run ipa-client-install.",
                 rval=CLIENT_INSTALL_ERROR)
 
-        tasks.check_selinux_status()
+        selinux_works = tasks.check_selinux_status()
 
         # if is_ipa_client_installed(fstore, on_master=options.on_master):
         #     logger.error("IPA client is already configured on this system.")
@@ -971,7 +977,8 @@ def main():
                      ntp_pool=options.ntp_pool,
                      client_already_configured=client_already_configured,
                      ipa_python_version=IPA_PYTHON_VERSION,
-                     nosssd_files=nosssd_files)
+                     nosssd_files=nosssd_files,
+                     selinux_works=selinux_works)
 
 
 if __name__ == '__main__':

diff --git a/roles/ipaclient/module_utils/ansible_ipa_client.py b/roles/ipaclient/module_utils/ansible_ipa_client.py
@@ -46,7 +46,8 @@
            "configure_nslcd_conf", "configure_ssh_config",
            "configure_sshd_config", "configure_automount",
            "configure_firefox", "sync_time", "check_ldap_conf",
-           "sssd_enable_ifp", "getargspec", "paths", "options",
+           "sssd_enable_ifp", "configure_selinux_for_client",
+           "getargspec", "paths", "options",
            "IPA_PYTHON_VERSION", "NUM_VERSION", "certdb", "get_ca_cert",
            "ipalib", "logger", "ipautil", "installer"]
 
@@ -302,6 +303,11 @@ def configure_nisdomain(_options, domain, _statestore=None):
         except ImportError:
             sssd_enable_ifp = None
 
+        try:
+            from ipaclient.install.client import configure_selinux_for_client
+        except ImportError:
+            configure_selinux_for_client = None
+
         logger = logging.getLogger("ipa-client-install")
         root_logger = logger
 

diff --git a/roles/ipaclient/tasks/install.yml b/roles/ipaclient/tasks/install.yml
@@ -384,6 +384,7 @@
               | default(ipasssd_no_krb5_offline_passwords) }}"
         no_dns_sshfp: "{{ ipaclient_no_dns_sshfp }}"
         nosssd_files: "{{ result_ipaclient_test.nosssd_files }}"
+        selinux_works: "{{ result_ipaclient_test.selinux_works }}"
         krb_name: "{{ result_ipaclient_temp_krb5.krb_name }}"
 
     - name: Install - Configure SSH and SSHD