diff --git a/roles/ipaclient/library/ipaclient_setup_nss.py b/roles/ipaclient/library/ipaclient_setup_nss.py index 0e8c658a2f593e123349633e62ca9669680b0b73..0bee3b5f890af4b3fcce7c3acc4204ac84393d13 100644 --- a/roles/ipaclient/library/ipaclient_setup_nss.py +++ b/roles/ipaclient/library/ipaclient_setup_nss.py @@ -152,6 +152,10 @@ options: The dist of nss_ldap or nss-pam-ldapd files if sssd is disabled required: yes type: dict + selinux_works: + description: True if selinux status check passed + required: false + type: bool krb_name: description: The krb5 config file name type: str @@ -189,7 +193,7 @@ from ansible.module_utils.ansible_ipa_client import ( CalledProcessError, tasks, client_dns, services, update_ssh_keys, save_state, configure_ldap_conf, configure_nslcd_conf, configure_openldap_conf, hardcode_ldap_server, getargspec, NUM_VERSION, - serialization + serialization, configure_selinux_for_client ) @@ -224,6 +228,7 @@ def main(): no_dns_sshfp=dict(required=False, type='bool', default=False), nosssd_files=dict(required=True, type='dict'), krb_name=dict(required=True, type='str'), + selinux_works=dict(required=False, type='bool', default=False), ), supports_check_mode=False, ) @@ -274,6 +279,7 @@ def main(): options.sssd = not options.no_sssd options.no_ac = False nosssd_files = module.params.get('nosssd_files') + selinux_works = module.params.get('selinux_works') krb_name = module.params.get('krb_name') os.environ['KRB5_CONFIG'] = krb_name @@ -474,6 +480,9 @@ def main(): logger.info("%s enabled", "SSSD" if options.sssd else "LDAP") if options.sssd: + if selinux_works and configure_selinux_for_client is not None: + configure_selinux_for_client(statestore) + sssd = services.service('sssd', api) try: sssd.restart() diff --git a/roles/ipaclient/library/ipaclient_test.py b/roles/ipaclient/library/ipaclient_test.py index 66dbf0923253f7ef963b97454789bdab2eef6aff..75970c584b0a5b2bc1b645759f2dde947e874515 100644 --- a/roles/ipaclient/library/ipaclient_test.py 
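Review bot: The new `selinux_works` entry in the DOCUMENTATION block of ipaclient_setup_nss.py (hunk `@@ -152,6 +152,10 @@`) does not state a default, while the argument spec added in the `@@ -224,6 +228,7 @@` hunk declares `default=False`. Add `default: false` under the option so the documented interface matches the spec. The description could also say what the flag gates, e.g. `description: True if the selinux status check passed; SELinux is configured for SSSD only when this is true`. The options block starts and ends outside the hunk.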
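Review bot: In the `@@ -474,6 +480,9 @@` hunk of ipaclient_setup_nss.py the SELinux step is skipped without any trace when `selinux_works` is false or when `configure_selinux_for_client` fell back to `None` at import. SSSD can then be enabled with the SELinux configuration not applied and nothing in the log to show it. Add an `else:` branch such as `logger.info("Skipping SELinux configuration for SSSD")` so the decision is auditable. The call also sits ahead of the `try:` that guards `sssd.restart()`, so an exception from it is not handled there. Whether that is intended cannot be confirmed from this hunk, because `main()` continues outside it.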
+++ b/roles/ipaclient/library/ipaclient_test.py @@ -226,6 +226,10 @@ nosssd_files: returned: always type: list elements: str +selinux_works: + description: True if the selinux status check passed. + returned: always + type: bool ''' import os @@ -495,6 +499,8 @@ def main(): # not installer.no_krb5_offline_passwords installer.sssd = not installer.no_sssd + selinux_works = False + try: # client @@ -529,7 +535,7 @@ def main(): "You must be root to run ipa-client-install.", rval=CLIENT_INSTALL_ERROR) - tasks.check_selinux_status() + selinux_works = tasks.check_selinux_status() # if is_ipa_client_installed(fstore, on_master=options.on_master): # logger.error("IPA client is already configured on this system.") @@ -971,7 +977,8 @@ def main(): ntp_pool=options.ntp_pool, client_already_configured=client_already_configured, ipa_python_version=IPA_PYTHON_VERSION, - nosssd_files=nosssd_files) + nosssd_files=nosssd_files, + selinux_works=selinux_works) if __name__ == '__main__': diff --git a/roles/ipaclient/module_utils/ansible_ipa_client.py b/roles/ipaclient/module_utils/ansible_ipa_client.py index 5853f6ba96586ff7bc4358ce1fa2c3cff74503f0..649679fbaa528a7fc7adbcce4cddcdeef89207d8 100644 --- a/roles/ipaclient/module_utils/ansible_ipa_client.py +++ b/roles/ipaclient/module_utils/ansible_ipa_client.py @@ -46,7 +46,8 @@ __all__ = ["gssapi", "version", "ipadiscovery", "api", "errors", "x509", "configure_nslcd_conf", "configure_ssh_config", "configure_sshd_config", "configure_automount", "configure_firefox", "sync_time", "check_ldap_conf", - "sssd_enable_ifp", "getargspec", "paths", "options", + "sssd_enable_ifp", "configure_selinux_for_client", + "getargspec", "paths", "options", "IPA_PYTHON_VERSION", "NUM_VERSION", "certdb", "get_ca_cert", "ipalib", "logger", "ipautil", "installer"] 
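Review bot: `selinux_works = tasks.check_selinux_status()` in the `@@ -529,7 +535,7 @@` hunk of ipaclient_test.py stores whatever the platform task returns. The return value was discarded before this change, so nothing visible here guarantees a boolean. If an installed ipaplatform version returns `None`, the `False` set in the `@@ -495,6 +499,8 @@` hunk is overwritten and the module returns `None` for a field documented as `type: bool`, which install.yml then passes to ipaclient_setup_nss. Coercing at the assignment keeps the contract explicit: `selinux_works = bool(tasks.check_selinux_status())`. `main()` starts and ends outside the hunk.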
@@ -302,6 +303,11 @@ try: except ImportError: sssd_enable_ifp = None + try: + from ipaclient.install.client import configure_selinux_for_client + except ImportError: + configure_selinux_for_client = None + logger = logging.getLogger("ipa-client-install") root_logger = logger diff --git a/roles/ipaclient/tasks/install.yml b/roles/ipaclient/tasks/install.yml index 2ee68c6603099475ebfaaf661213c27f8c4ee22b..b5eb71658ab35707ae0c281bd44b33731b38b44b 100644 --- a/roles/ipaclient/tasks/install.yml +++ b/roles/ipaclient/tasks/install.yml @@ -384,6 +384,7 @@ | default(ipasssd_no_krb5_offline_passwords) }}" no_dns_sshfp: "{{ ipaclient_no_dns_sshfp }}" nosssd_files: "{{ result_ipaclient_test.nosssd_files }}" + selinux_works: "{{ result_ipaclient_test.selinux_works }}" krb_name: "{{ result_ipaclient_temp_krb5.krb_name }}" - name: Install - Configure SSH and SSHD