ipaclient: Enable SELinux for SSSD

This is "ipa-client-install: enable SELinux for SSSD" https://github.com/freeipa/freeipa/pull/6978 for ansible-freeipa: For passkeys (FIDO2) support, SSSD uses libfido2 library which needs access to USB devices. Add SELinux booleans handling to ipa-client-install so that correct SELinux booleans can be enabled and disabled during install and uninstall. Ignore and record a warning when SELinux policy does not support the boolean. Fixes: https://pagure.io/freeipa/issue/9434
2026-05-13 13:02:00 +00:00 · 2024-02-06 14:39:19 +01:00
parent 1028f61b6c
commit e92db5c5cd
4 changed files with 27 additions and 4 deletions
--- a/roles/ipaclient/module_utils/ansible_ipa_client.py
+++ b/roles/ipaclient/module_utils/ansible_ipa_client.py
@@ -46,7 +46,8 @@ __all__ = ["gssapi", "version", "ipadiscovery", "api", "errors", "x509",
           "configure_nslcd_conf", "configure_ssh_config",
           "configure_sshd_config", "configure_automount",
           "configure_firefox", "sync_time", "check_ldap_conf",
-           "sssd_enable_ifp", "getargspec", "paths", "options",
+           "sssd_enable_ifp", "configure_selinux_for_client",
+           "getargspec", "paths", "options",
           "IPA_PYTHON_VERSION", "NUM_VERSION", "certdb", "get_ca_cert",
           "ipalib", "logger", "ipautil", "installer"]

@@ -302,6 +303,11 @@ try:
        except ImportError:
            sssd_enable_ifp = None

+        try:
+            from ipaclient.install.client import configure_selinux_for_client
+        except ImportError:
+            configure_selinux_for_client = None
+
        logger = logging.getLogger("ipa-client-install")
        root_logger = logger