roles/ipaclient/library/ipaclient_setup_nss.py

@@ -152,6 +152,10 @@ options:
       The dist of nss_ldap or nss-pam-ldapd files if sssd is disabled
     required: yes
     type: dict
+  selinux_works:
+    description: True if selinux status check passed
+    required: false
+    type: bool
   krb_name:
     description: The krb5 config file name
     type: str
@@ -189,7 +193,7 @@ from ansible.module_utils.ansible_ipa_client import (
     CalledProcessError, tasks, client_dns, services,
     update_ssh_keys, save_state, configure_ldap_conf, configure_nslcd_conf,
     configure_openldap_conf, hardcode_ldap_server, getargspec, NUM_VERSION,
-    serialization
+    serialization, configure_selinux_for_client
 )
 
 
@@ -224,6 +228,7 @@ def main():
             no_dns_sshfp=dict(required=False, type='bool', default=False),
             nosssd_files=dict(required=True, type='dict'),
             krb_name=dict(required=True, type='str'),
+            selinux_works=dict(required=False, type='bool', default=False),
         ),
         supports_check_mode=False,
     )
@@ -274,6 +279,7 @@ def main():
     options.sssd = not options.no_sssd
     options.no_ac = False
     nosssd_files = module.params.get('nosssd_files')
+    selinux_works = module.params.get('selinux_works')
     krb_name = module.params.get('krb_name')
     os.environ['KRB5_CONFIG'] = krb_name
 
@@ -474,6 +480,9 @@ def main():
             logger.info("%s enabled", "SSSD" if options.sssd else "LDAP")
 
             if options.sssd:
+                if selinux_works and configure_selinux_for_client is not None:
+                    configure_selinux_for_client(statestore)
+
                 sssd = services.service('sssd', api)
                 try:
                     sssd.restart()

roles/ipaclient/library/ipaclient_test.py

@@ -226,6 +226,10 @@ nosssd_files:
   returned: always
   type: list
   elements: str
+selinux_works:
+  description: True if the selinux status check passed.
+  returned: always
+  type: bool
 '''
 
 import os
@@ -495,6 +499,8 @@ def main():
     #     not installer.no_krb5_offline_passwords
     installer.sssd = not installer.no_sssd
 
+    selinux_works = False
+
     try:
 
         # client
@@ -529,7 +535,7 @@ def main():
                 "You must be root to run ipa-client-install.",
                 rval=CLIENT_INSTALL_ERROR)
 
-        tasks.check_selinux_status()
+        selinux_works = tasks.check_selinux_status()
 
         # if is_ipa_client_installed(fstore, on_master=options.on_master):
         #     logger.error("IPA client is already configured on this system.")
@@ -971,7 +977,8 @@ def main():
                      ntp_pool=options.ntp_pool,
                      client_already_configured=client_already_configured,
                      ipa_python_version=IPA_PYTHON_VERSION,
-                     nosssd_files=nosssd_files)
+                     nosssd_files=nosssd_files,
+                     selinux_works=selinux_works)
 
 
 if __name__ == '__main__':

roles/ipaclient/module_utils/ansible_ipa_client.py

@@ -46,7 +46,8 @@ __all__ = ["gssapi", "version", "ipadiscovery", "api", "errors", "x509",
            "configure_nslcd_conf", "configure_ssh_config",
            "configure_sshd_config", "configure_automount",
            "configure_firefox", "sync_time", "check_ldap_conf",
-           "sssd_enable_ifp", "getargspec", "paths", "options",
+           "sssd_enable_ifp", "configure_selinux_for_client",
+           "getargspec", "paths", "options",
            "IPA_PYTHON_VERSION", "NUM_VERSION", "certdb", "get_ca_cert",
            "ipalib", "logger", "ipautil", "installer"]
 
@@ -302,6 +303,11 @@ try:
         except ImportError:
             sssd_enable_ifp = None
 
+        try:
+            from ipaclient.install.client import configure_selinux_for_client
+        except ImportError:
+            configure_selinux_for_client = None
+
         logger = logging.getLogger("ipa-client-install")
         root_logger = logger
 

roles/ipaclient/tasks/install.yml

@@ -384,6 +384,7 @@
               | default(ipasssd_no_krb5_offline_passwords) }}"
         no_dns_sshfp: "{{ ipaclient_no_dns_sshfp }}"
         nosssd_files: "{{ result_ipaclient_test.nosssd_files }}"
+        selinux_works: "{{ result_ipaclient_test.selinux_works }}"
         krb_name: "{{ result_ipaclient_temp_krb5.krb_name }}"
 
     - name: Install - Configure SSH and SSHD