
Add pam.d flags to maintain compatibility with FreeIPA deployments.

Open BlamKiwi opened this issue 3 months ago • 1 comment

Description

FreeIPA uses authselect to enforce various system policies, such as creating a home directory or enabling sudo support for users. dev-sec.os_hardening unconditionally overrides various system links such as:

  • /etc/pam.d/rhel_auth.j2
  • /etc/pam.d/password-auth
  • /etc/pam.d/system-auth

This breaks FreeIPA, as the authselect tool expects the system to be in a particular state. This makes use of dev-sec.os_hardening tricky when used in conjunction with FreeIPA domain management.

Solution

Add additional flags to control this behaviour as FreeIPA assumes it has control over pam.d once deployed.

Alternatives

Add additional variables to supply a path that overrides the pam.d links.

Additional information

This is the output of sudo authselect enable-feature with-mkhomedir on an AlmaLinux 9.3 Server after joining a FreeIPA domain:

[error] Link [/etc/pam.d/system-auth] does not point to [/etc/authselect/system-auth]
[error] [/etc/pam.d/system-auth] was not created by authselect!
[error] Link [/etc/pam.d/password-auth] does not point to [/etc/authselect/password-auth]
[error] [/etc/pam.d/password-auth] was not created by authselect!
[error] Unexpected changes to the configuration were detected.
[error] Refusing to activate profile unless those changes are removed or overwrite is requested.
Unable to enable feature [17]: File exists

BlamKiwi, Mar 21 '24 23:03
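The errors above come from authselect noticing that /etc/pam.d/system-auth and /etc/pam.d/password-auth are no longer the symlinks into /etc/authselect it created. The following pre-flight check, added here as an example and not part of the issue or of dev-sec.os_hardening, reproduces that detection so a playbook or CI job can refuse to apply a hardening role on a FreeIPA-joined host when the links are intact, or flag a host where they have already been replaced by regular files. The `ROOT` prefix parameter and the `make_demo_tree` helper that builds a constructed directory tree are assumptions for offline use; on a real host the check is run with no argument.

```shell
#!/bin/sh
# Added example (not part of the issue or of dev-sec.os_hardening).
# authselect expects /etc/pam.d/system-auth and /etc/pam.d/password-auth to be
# symlinks into /etc/authselect. A role that writes regular files there makes
# authselect refuse to activate a profile, as shown in the issue output.
#
# check_authselect_links [ROOT]
#   ROOT is an optional prefix (empty on a real host) so the check can be
#   exercised against a throwaway directory tree.
#   Returns 0 if every managed file is a symlink to ROOT/etc/authselect/<name>,
#   1 otherwise, printing one [warn] line per problem.
check_authselect_links() {
    root="${1:-}"
    rc=0
    for name in system-auth password-auth; do
        link="$root/etc/pam.d/$name"
        expected="$root/etc/authselect/$name"
        if [ -L "$link" ]; then
            target=$(readlink "$link")
            if [ "$target" != "$expected" ]; then
                echo "[warn] $link points to $target, expected $expected"
                rc=1
            fi
        elif [ -e "$link" ]; then
            echo "[warn] $link is a regular file, not an authselect symlink"
            rc=1
        else
            echo "[warn] $link is missing"
            rc=1
        fi
    done
    return "$rc"
}

# make_demo_tree DIR STATE
#   Builds a constructed /etc layout under DIR (assumed helper, test data only).
#   STATE is "intact" (symlinks as authselect leaves them) or "overwritten"
#   (regular files, as a role that templates pam.d directly would leave them).
make_demo_tree() {
    dir="$1"; state="$2"
    mkdir -p "$dir/etc/pam.d" "$dir/etc/authselect"
    for name in system-auth password-auth; do
        printf '# authselect-managed %s\n' "$name" > "$dir/etc/authselect/$name"
        # remove any existing link first so the write below cannot follow it
        rm -f "$dir/etc/pam.d/$name"
        if [ "$state" = intact ]; then
            ln -s "$dir/etc/authselect/$name" "$dir/etc/pam.d/$name"
        else
            printf 'auth required pam_unix.so\n' > "$dir/etc/pam.d/$name"
        fi
    done
}

# Stand-alone demonstration on a constructed tree in a temporary directory.
demo=$(mktemp -d)
make_demo_tree "$demo" intact
check_authselect_links "$demo" && echo "intact tree: authselect links ok"
make_demo_tree "$demo" overwritten
check_authselect_links "$demo" || echo "overwritten tree: authselect would refuse to activate a profile"
rm -rf "$demo"
```

On a real host, `check_authselect_links` with no argument can be wired into a pre-task (for example via the Ansible `command` module with `failed_when` on its exit status) so the role is skipped, or a separate variable path used, wherever authselect still owns pam.d.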