Hi,
These three patches remove the old approach, where we wrote the SELinux login file directly. Instead, they use the same approach as the tools (sss_useradd/sss_usermod), where we already use libsemanage to manage these tasks.
The advantage is that we remove some lines of code (yay!) and get the auditing of SELinux user changes for free.
The 1st patch just moves stuff around so that the set_seuser function can be used from the IPA provider.
The 2nd patch is a very simple change that adds a new attribute (mls_range) to the set_seuser function.
The main functionality is in the 3rd patch. Note that to test the patch, you must run in permissive mode:
  $ setenforce Permissive
Otherwise, you will get AVC denials (because sssd_be is not allowed to use libsemanage).
So we will have to change the SELinux policy in Fedora/RHEL to make it work this way. I will ping the SELinux policy maintainer after the patches are reviewed.
Patches are attached.
Thanks,
Michal