Apparently it should be enough to create files in the correct directory to get the correct SELinux context. This means that it should not be necessary to call "restorecon". tl-ldap-certalias has 4 such calls, which could then be removed.
I belive this is not true, if tl-ldap-certalias hits a user which dont have a home directory it will create /home/<user>/.ssh and we need to restore context on that tree to get the correct context of both user dir and .ssh.
Some of these calls are probably necessary, but some are definitely not (e.g. for passwdaliases).