Add SELinux module checking to hsm_validator

Don't blow up if the expected module is not installed but warn about it. Hopefully users will actually read the output and/or the installation log. This is done by looking for strings in the path. Not great but it's at least something. Related: https://pagure.io/freeipa/issue/9273 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2025-02-25 18:55:28 -06:00 · 2024-04-29 16:35:00 -04:00 · 2024-04-29 16:35:00 -04:00 · c861ce5a16
commit c861ce5a16
parent 6b6c1879c5
1 changed files with 17 additions and 0 deletions
--- a/ipaserver/install/ca.py
+++ b/ipaserver/install/ca.py
@ -246,6 +246,23 @@ def hsm_validator(token_name, token_library, token_password):
                raise ValueError(
                    "Validating HSM password failed: %s" % result.error_output
                )
+        # validate that the appropriate SELinux module is installed
+        # Only warn in case the expected paths don't match.
+        if 'nfast' in token_library:
+            module = 'ipa-selinux-nfast'
+        elif 'luna' in token_library:
+            module = 'ipa-selinux-nfast'
+        else:
+            module = None
+        if module:
+            args = [paths.SEMODULE, "-l"]
+            result = ipautil.run(args, cwd=tempnssdb.secdir,
+                                 capture_output=True, raiseonerr=False)
+            if module not in result.output:
+                logger.info('\nWARNING: The associated SELinux module ,%s, '
+                            'for this HSM was not detected.\nVerify '
+                            'that the appropriate subpackage is installed '
+                            'for this HSM\n', module)


 def set_subject_base_in_config(subject_base):