mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-22 23:23:30 -06:00
ipa-client-install: enable SELinux for SSSD
For passkeys (FIDO2) support, SSSD uses libfido2 library which needs access to USB devices. Add SELinux booleans handling to ipa-client-install so that correct SELinux booleans can be enabled and disabled during install and uninstall. Ignore and record a warning when SELinux policy does not support the boolean. Fixes: https://pagure.io/freeipa/issue/9434 Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Francisco Trivino <ftrivino@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com>
This commit is contained in:
parent
2bc247d831
commit
d355761f23
@ -67,6 +67,7 @@ from ipapython.ipautil import (
|
||||
)
|
||||
from ipapython.ssh import SSHPublicKey
|
||||
from ipapython import version
|
||||
from ipapython.errors import SetseboolError
|
||||
|
||||
from . import automount, timeconf, sssd
|
||||
from ipaclient import discovery
|
||||
@ -98,6 +99,7 @@ cli_realm = None
|
||||
cli_kdc = None
|
||||
client_domain = None
|
||||
cli_basedn = None
|
||||
selinux_works = None
|
||||
# end of global variables
|
||||
|
||||
|
||||
@ -2153,6 +2155,7 @@ def install_check(options):
|
||||
global cli_kdc
|
||||
global client_domain
|
||||
global cli_basedn
|
||||
global selinux_works
|
||||
|
||||
print("This program will set up IPA client.")
|
||||
print("Version {}".format(version.VERSION))
|
||||
@ -2166,7 +2169,7 @@ def install_check(options):
|
||||
"You must be root to run ipa-client-install.",
|
||||
rval=CLIENT_INSTALL_ERROR)
|
||||
|
||||
tasks.check_selinux_status()
|
||||
selinux_works = tasks.check_selinux_status()
|
||||
|
||||
if is_ipa_client_configured(on_master=options.on_master):
|
||||
logger.error("IPA client is already configured on this system.")
|
||||
@ -2674,6 +2677,20 @@ def restore_time_sync(statestore, fstore):
|
||||
logger.error('Failed to restore time synchronization service: %s', e)
|
||||
|
||||
|
||||
def configure_selinux_for_client(statestore):
|
||||
def backup_state(key, value):
|
||||
statestore.backup_state('selinux', key, value)
|
||||
|
||||
try:
|
||||
tasks.set_selinux_booleans(constants.SELINUX_BOOLEAN_SSSD,
|
||||
backup_state)
|
||||
except SetseboolError as e:
|
||||
for c in constants.SELINUX_BOOLEAN_SSSD:
|
||||
if c in e.failed:
|
||||
logger.warning(
|
||||
"SELinux does not support SSSD boolean %s, ignoring", c)
|
||||
|
||||
|
||||
def install(options):
|
||||
try:
|
||||
_install(options, dict())
|
||||
@ -3198,6 +3215,9 @@ def _install(options, tdict):
|
||||
logger.info("%s enabled", "SSSD" if options.sssd else "LDAP")
|
||||
|
||||
if options.sssd:
|
||||
if selinux_works:
|
||||
configure_selinux_for_client(statestore)
|
||||
|
||||
sssd = services.service('sssd', api)
|
||||
try:
|
||||
sssd.restart()
|
||||
@ -3322,6 +3342,8 @@ def _install(options, tdict):
|
||||
|
||||
|
||||
def uninstall_check(options):
|
||||
global selinux_works
|
||||
|
||||
if not is_ipa_client_configured():
|
||||
if options.on_master:
|
||||
rval = SUCCESS
|
||||
@ -3337,6 +3359,8 @@ def uninstall_check(options):
|
||||
logger.info("Refer to ipa-server-install for uninstallation.")
|
||||
raise ScriptError(rval=CLIENT_NOT_CONFIGURED)
|
||||
|
||||
selinux_works = tasks.check_selinux_status()
|
||||
|
||||
|
||||
def uninstall(options):
|
||||
env = {'PATH': SECURE_PATH}
|
||||
@ -3600,6 +3624,15 @@ def uninstall(options):
|
||||
"Failed to disable automatic startup of the SSSD daemon: %s",
|
||||
e)
|
||||
|
||||
if was_sssd_installed and selinux_works:
|
||||
# Restore SELinux boolean states
|
||||
boolean_states = {name: statestore.restore_state('selinux', name)
|
||||
for name in constants.SELINUX_BOOLEAN_SSSD}
|
||||
try:
|
||||
tasks.set_selinux_booleans(boolean_states)
|
||||
except SetseboolError as e:
|
||||
logger.warning("Unable to reset SELinux variable: %s", str(e))
|
||||
|
||||
tasks.restore_hostname(fstore, statestore)
|
||||
|
||||
if fstore.has_files():
|
||||
|
@ -151,6 +151,9 @@ class BaseConstantsNamespace:
|
||||
'samba_share_nfs': 'on',
|
||||
},
|
||||
}
|
||||
SELINUX_BOOLEAN_SSSD = {
|
||||
'sssd_use_usb': 'on',
|
||||
}
|
||||
SELINUX_MCS_MAX = 1023
|
||||
SELINUX_MCS_REGEX = r"^c(\d+)([.,-]c(\d+))*$"
|
||||
SELINUX_MLS_MAX = 15
|
||||
|
Loading…
Reference in New Issue
Block a user