In order to test these patches properly, you need to be running the latest patches that are currently on review on freeipa-devel. Ping me off-line for access to such an IPA client.
[PATCH 1/2] DB: Always write the SELinux object to sysdb
This is a fallout of the transaction processing refactoring.
There's no point in checking if the object already exists because we always wipe the whole sysdb subtree. We were also immediately cancelling the transaction because we'd jump to goto, even though it was with EOK.
[PATCH 2/2] SELinux: Always use the default if it exists on the server
https://fedorahosted.org/sssd/ticket/1513
This is a counterpart of the FreeIPA ticket https://fedorahosted.org/freeipa/ticket/3045
During an e-mail discussion, it was decided that:
* if the default is set in the IPA config object, the SSSD would use that default no matter what
* if the default is not set (aka empty or missing), the SSSD would just use the system default and skip creating the login file altogether