- Bug
- Resolution: Unresolved
- Normal
- rhel-10.0
- ipa-4.12.2-8.el10
- No
- Moderate
- 1
- rhel-sst-idm-ipa
- ssg_idm
- 16
- 18
- 2
- QE ack, Dev ack
- False
- Yes
- 2024-Q4-Alpha-S5
- Pass
- Automated
- Unspecified Release Note Type - Unknown
- None

Cloned from: https://pagure.io/freeipa/issue/9675

Cockpit can use GSSAPI authentication and has a pretty good definition of how to enable it: https://cockpit-project.org/guide/latest/sso.html. These instructions work on IPA clients but they cannot be used on IPA servers because the IPA framework already owns the HTTP/.. Kerberos service and its keytab.

Luckily, there are two changes that need to be done to enable Cockpit single sign-on with GSSAPI on IPA servers:

- create a symlink `/etc/cockpit/krb5.keytab` to `/var/lib/ipa/gssproxy/http.keytab`
- add SELinux policy to allow `cockpit_session_t` to operate on `ipa_var_lib_t` files

No additional changes are needed. Note that the Cockpit instructions above also talk about Kerberos service modifications to enable delegation. These modifications should not be done for IPA servers' HTTP services, as these services are already enabled to handle delegation.

This ticket should handle the SELinux policy addition. Adding a symlink should be left for administrators as an explicit action. For that we should contribute a documentation update to Cockpit.

- links to: RHBA-2024:139322 ipa bug fix and enhancement update
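
A read-only check for the two changes the ticket describes, as an added example that is not part of the ticket or of the FreeIPA or Cockpit projects: it verifies the symlink and looks for a matching allow rule with `sesearch` (from setools). The optional root-prefix argument and the status words it prints are assumptions of this example.

```shell
#!/bin/sh
# Added example: read-only verification of the two changes named in the ticket.
# The paths and SELinux types are the ticket's; the optional root prefix
# argument and the status words printed are assumptions of this example.
KEYTAB_LINK=/etc/cockpit/krb5.keytab
KEYTAB_TARGET=/var/lib/ipa/gssproxy/http.keytab

# Prints one status word and returns 0 only when the symlink is as described.
check_cockpit_keytab() {
    prefix=${1:-}
    link=$prefix$KEYTAB_LINK
    if [ ! -e "$link" ] && [ ! -L "$link" ]; then
        echo missing; return 1
    fi
    if [ ! -L "$link" ]; then
        # A regular file here is a second copy of the HTTP service key and
        # will not follow later changes to the IPA-managed keytab.
        echo copy-not-symlink; return 1
    fi
    if [ "$(readlink "$link")" != "$KEYTAB_TARGET" ]; then
        echo wrong-target; return 1
    fi
    if [ ! -f "$prefix$KEYTAB_TARGET" ]; then
        echo dangling; return 1
    fi
    echo ok
}

# Returns 0 if the loaded policy has an allow rule for cockpit_session_t on
# ipa_var_lib_t files, 1 if none is found, 2 if sesearch is not installed.
check_selinux_rule() {
    command -v sesearch >/dev/null 2>&1 || return 2
    sesearch -A -s cockpit_session_t -t ipa_var_lib_t -c file 2>/dev/null |
        grep -q '^allow '
}

# Check the live system only when asked: sh check.sh --check
if [ "${1:-}" = "--check" ]; then
    check_cockpit_keytab
    check_selinux_rule
    echo "selinux rule status: $?"
fi
```

A `copy-not-symlink` result is worth following up on an IPA server, since it means the HTTP service key has been duplicated outside the gssproxy directory.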