ipa-client-install: enable SELinux for SSSD #6978
Conversation
I just have one concern, added a comment; otherwise LGTM.
This addresses the passkeys on the client side well. Since this is the client, we don't have issues with the upgrade path.
    try:
        tasks.set_selinux_booleans(constants.SELINUX_BOOLEAN_SSSD,
                                   backup_state)
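Review bot: passing backup_state as a bare positional callable leaves it unclear which state store the previous boolean values are written to, which is exactly the confusion raised in this thread. A short comment above the call (or passing it by keyword, e.g. `backup_func=backup_state`, if the task accepts that) would make it obvious that this is the installer's own wrapper around statestore.backup_state() rather than the statestore method itself.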
Should this be statestore.backup_state?
No. The task expects a function that is provided by the installation service, which calls into statestore.backup_state(). See ipaserver/install/service.py:Service.backup_state():

    def backup_state(self, key, value):
        self.sstore.backup_state(self.service_name, key, value)
The SELinux state is not restored on uninstall. Since the new SSSD boolean wasn't available I picked a random one that was off, in this case xdm_write_home. Uninstall fails because the [selinux] section remains in sysrestore.state:

thanks. I added
What we do in other places where SELinux state is restored is this; this example is from ipa_client_samba.py,
or similar in httpinstance.py.

That's exactly what my original code did.
I pushed the original code.
ipaclient/install/client.py
        tasks.set_selinux_booleans(boolean_states)
    except SetseboolError as e:
        logger.warning("Unable to reset SELinux variable: %s", str(e))
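Review bot: the warning on the except branch does not say which entries of boolean_states could not be restored, so an administrator reading the uninstall log cannot tell whether the SSSD boolean is still enabled. Since the whole restore call is wrapped in one try, a single unsupported boolean aborts the restore of the others too; either restore them one at a time and log each failure with its name, or include boolean_states in the warning so the leftover state is visible.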
Ok I got the original failure reason wrong, in a way. This code needs to be moved (I moved it to 3627 in my testing). Right now it is conditioned on the state of whether SSSD was pre-configured. I think this SELinux code is independent of that.
With moving the code the original boolean values are restored and sysrestore.state removed.
I moved it out and conditioned it on was_sssd_installed and selinux_works,
because that's what we did when enabling the booleans (if sssd: ... if selinux_works: ...).
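To make the install/uninstall symmetry discussed above concrete, here is an added, self-contained model of the pattern: booleans are changed on install only after their previous value has been recorded, a boolean missing from the policy is logged and skipped, and uninstall restores the recorded values so the [selinux] section ends up empty. This is constructed example code, not FreeIPA's implementation: the in-memory state store, the fake setsebool backend, the SetseboolError stand-in and the placeholder boolean name are all assumptions made here for the demonstration.

```python
"""Constructed model of SELinux boolean backup/restore around an install.

Not FreeIPA code: FakeSELinux, StateStore and the boolean name are assumptions
for this example only.
"""
import logging

logger = logging.getLogger(__name__)

# Placeholder: the page does not name the real SSSD/FIDO2 boolean.
SELINUX_BOOLEAN_SSSD = {"example_sssd_boolean": "on"}


class SetseboolError(Exception):
    """Stand-in for the error raised when a boolean cannot be set."""


class FakeSELinux:
    """Fake setsebool/getsebool backend: booleans absent from the loaded
    policy raise SetseboolError, as an unsupported boolean would."""

    def __init__(self, booleans):
        self.booleans = dict(booleans)

    def get(self, name):
        if name not in self.booleans:
            raise SetseboolError(f"boolean {name} not in policy")
        return self.booleans[name]

    def set(self, name, value):
        if name not in self.booleans:
            raise SetseboolError(f"boolean {name} not in policy")
        self.booleans[name] = value


class StateStore:
    """Minimal sysrestore.state-like store keyed by module section and key."""

    def __init__(self):
        self.state = {}

    def backup_state(self, module, key, value):
        self.state.setdefault(module, {})[key] = value

    def restore_state(self, module, key):
        return self.state.get(module, {}).pop(key, None)

    def has_state(self, module):
        return bool(self.state.get(module))


def set_selinux_booleans(selinux, wanted, backup_func):
    """Set each wanted boolean, calling backup_func(name, previous) only for
    booleans that actually change, so uninstall restores exactly what install
    touched. Returns the mapping of changed booleans to their old values."""
    changed = {}
    for name, value in wanted.items():
        current = selinux.get(name)  # raises SetseboolError if unsupported
        if current == value:
            continue
        backup_func(name, current)   # record before changing, never after
        selinux.set(name, value)
        changed[name] = current
    return changed


def install(selinux, store, sssd_enabled=True, selinux_works=True):
    """Enable the booleans; an unsupported boolean is a warning, not a failure."""
    if not (sssd_enabled and selinux_works):
        return {}
    try:
        return set_selinux_booleans(
            selinux, SELINUX_BOOLEAN_SSSD,
            lambda key, value: store.backup_state("selinux", key, value))
    except SetseboolError as e:
        logger.warning("SELinux policy does not support boolean: %s", e)
        return {}


def uninstall(selinux, store, was_sssd_installed=True, selinux_works=True):
    """Restore every recorded boolean individually and report whether the
    [selinux] section is now empty (the condition for removing the state file)."""
    if was_sssd_installed and selinux_works:
        for name in list(store.state.get("selinux", {})):
            previous = store.restore_state("selinux", name)
            try:
                selinux.set(name, previous)
            except SetseboolError as e:
                logger.warning("Unable to reset SELinux boolean %s: %s", name, e)
    return not store.has_state("selinux")


if __name__ == "__main__":
    policy = FakeSELinux({"example_sssd_boolean": "off", "xdm_write_home": "off"})
    store = StateStore()
    print("install changed:", install(policy, store))
    print("uninstall clean:", uninstall(policy, store), policy.booleans)
```

The two guards (sssd_enabled / was_sssd_installed and selinux_works) mirror the conditions used when enabling the booleans, so the restore path runs exactly when the enable path could have recorded something.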
For passkeys (FIDO2) support, SSSD uses libfido2 library which needs access to USB devices. Add SELinux booleans handling to ipa-client-install so that correct SELinux booleans can be enabled and disabled during install and uninstall. Ignore and record a warning when SELinux policy does not support the boolean.

Fixes: https://pagure.io/freeipa/issue/9434
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>

Thanks, changes look good.

master:
This is "ipa-client-install: enable SELinux for SSSD" freeipa/freeipa#6978 for ansible-freeipa: For passkeys (FIDO2) support, SSSD uses libfido2 library which needs access to USB devices. Add SELinux booleans handling to ipa-client-install so that correct SELinux booleans can be enabled and disabled during install and uninstall. Ignore and record a warning when SELinux policy does not support the boolean. Fixes: https://pagure.io/freeipa/issue/9434