Adjusted RPM packaging to be avoid failed installs when selinux-policy version is not sufficient

We have two fallback strategies:
1) try to install a cfengine-enterprise-unconfined selinux module
2) instruct user to install semanage and run label-binaries-unconfined.sh script

Ticket: ENT-12980
Changelog: title
(cherry picked from commit 190c974)

Author: craigcomstock

packaging/cfengine-community/cfengine-community.spec.in

@@ -138,6 +138,7 @@ rm -rf $RPM_BUILD_ROOT/usr/lib/systemd/system/cf-postgres.service
 %prefix/selinux/cfengine-enterprise.pp
 %prefix/selinux/cfengine-enterprise.te
 %prefix/selinux/cfengine-enterprise.fc
+%prefix/selinux/label-binaries-unconfined.sh
 %endif
 
 # Globally installed configs, scripts

packaging/cfengine-nova-hub/cfengine-nova-hub.spec.in

@@ -27,6 +27,7 @@ Requires(post): /usr/sbin/usermod, /bin/sed
 Requires: selinux-policy >= @@SELINUX_POLICY_VERSION@@
 %endif
 
+
 # we don't bundle OpenSSL on RHEL 8 (and newer in the future)
 %if %{?rhel}%{!?rhel:0} == 8
 Requires: libssl.so.1.1()(64bit) libssl.so.1.1(OPENSSL_1_1_0)(64bit) libssl.so.1.1(OPENSSL_1_1_1)(64bit)
@@ -354,6 +355,10 @@ exit 0
 %prefix/selinux/cfengine-enterprise.pp
 %prefix/selinux/cfengine-enterprise.te
 %prefix/selinux/cfengine-enterprise.fc
+%prefix/selinux/cfengine-enterprise-unconfined.pp
+%prefix/selinux/cfengine-enterprise-unconfined.te
+%prefix/selinux/cfengine-enterprise-unconfined.fc
+%prefix/selinux/label-binaries-unconfined.sh
 %endif
 
 # Documentation

packaging/cfengine-nova/cfengine-nova.spec.in

@@ -162,6 +162,10 @@ exit 0
 %prefix/selinux/cfengine-enterprise.pp
 %prefix/selinux/cfengine-enterprise.te
 %prefix/selinux/cfengine-enterprise.fc
+%prefix/selinux/cfengine-enterprise-unconfined.pp
+%prefix/selinux/cfengine-enterprise-unconfined.te
+%prefix/selinux/cfengine-enterprise-unconfined.fc
+%prefix/selinux/label-binaries-unconfined.sh
 %endif
 
 # Globally installed configs, scripts

packaging/common/cfengine-hub/postinstall.sh

@@ -6,22 +6,19 @@ then
   if command -v /usr/sbin/selinuxenabled >/dev/null &&
       /usr/sbin/selinuxenabled;
   then
-    command -v semodule >/dev/null || cf_console echo "warning! selinuxenabled exists and returns 0 but semodule not found"
-    test -x /usr/sbin/load_policy  || cf_console echo "warning! selinuxenabled exists and returns 0 but load_policy not found"
-    test -x /usr/sbin/restorecon   || cf_console echo "warning! selinuxenabled exists and returns 0 but restorecon not found"
+    command -v semodule >/dev/null || cf_console echo "warning: selinuxenabled exists and returns 0 but semodule not found"
+    test -x /usr/sbin/load_policy  || cf_console echo "warning: selinuxenabled exists and returns 0 but load_policy not found"
+    test -x /usr/sbin/restorecon   || cf_console echo "warning: selinuxenabled exists and returns 0 but restorecon not found"
   fi
   if ! cf_console semodule -n -i "$PREFIX/selinux/cfengine-enterprise.pp"; then
-    cf_console echo "warning! semodule import failed, examine /var/log/CFE*log and \
-consider installing selinux-policy-devel package and \
-rebuilding policy with: \
-\
-cd $PREFIX/selinux \
-make -f /usr/share/selinux/devel/Makefile -j1 \
-semodule -n -i $PREFIX/selinux/cfengine-enterprise.pp \
-\
-and then restarting services with  \
-\
-systemctl restart cfengine3"
+    cf_console echo "warning: cfengine-enterprise semodule install failed, will attempt to install cfengine-enterprise-unconfined instead. \
+The install failure should be examined in /var/log/CFEngine-Install.log and any issues reported as bugs at https://northerntech.atlassian.net/jira/software/c/projects/CFE/issues/."
+
+    if ! cf_console semodule -n -i "$PREFIX/selinux/cfengine-enterprise-unconfined.pp"; then
+      cf_console echo "warning: cfengine-enterprise-unconfined semodule failed to install. As a last attempt you can install the semanage program (probably policycoreutils-python-utils package) and run $PREFIX/selinux/label-binaries-unconfined.sh."
+    else
+      cf_console echo "info: cfengine-enterprise-unconfined semodule is installed. This allows CFEngine binaries to run unconfined which is not ideal. Please report issues with default cfengine-enterprise selinux module."
+    fi
   fi
   if /usr/sbin/selinuxenabled; then
     /usr/sbin/load_policy
@@ -33,7 +30,7 @@ if [ -x /bin/systemctl ]; then
   # This is important in case any of the units have been replaced by the package
   # and we call them in the postinstall script.
   if ! /bin/systemctl daemon-reload; then
-    cf_console echo "warning! /bin/systemctl daemon-reload failed."
+    cf_console echo "warning: /bin/systemctl daemon-reload failed."
     cf_console echo "systemd seems to be installed, but not working."
     cf_console echo "Relevant parts of CFEngine installation will fail."
     cf_console echo "Please fix systemd or use other ways to start CFEngine."

packaging/common/cfengine-non-hub/postinstall.sh

@@ -2,7 +2,7 @@ if [ -x /bin/systemctl ]; then
   # This is important in case any of the units have been replaced by the package
   # and we call them in the postinstall script.
   if ! /bin/systemctl daemon-reload; then
-    cf_console echo "warning! /bin/systemctl daemon-reload failed."
+    cf_console echo "warning: /bin/systemctl daemon-reload failed."
     cf_console echo "systemd seems to be installed, but not working."
     cf_console echo "Relevant parts of CFEngine installation will fail."
     cf_console echo "Please fix systemd or use other ways to start CFEngine."
@@ -120,23 +120,20 @@ then
   if command -v /usr/sbin/selinuxenabled >/dev/null &&
       /usr/sbin/selinuxenabled;
   then
-    command -v semodule >/dev/null || cf_console echo "warning! selinux exists and returns 0 but semodule not found"
-    test -x /usr/sbin/load_policy  || cf_console echo "warning! selinuxenabled exists and returns 0 but load_policy not found"
-    test -x /usr/sbin/restorecon   || cf_console echo "warning! selinuxenabled exists and returns 0 but restorecon not found"
+    command -v semodule >/dev/null || cf_console echo "warning: selinux exists and returns 0 but semodule not found"
+    test -x /usr/sbin/load_policy  || cf_console echo "warning: selinuxenabled exists and returns 0 but load_policy not found"
+    test -x /usr/sbin/restorecon   || cf_console echo "warning: selinuxenabled exists and returns 0 but restorecon not found"
 
   fi
   if ! cf_console semodule -n -i "$PREFIX/selinux/cfengine-enterprise.pp"; then
-    cf_console echo "warning! semodule import failed, examine /var/log/CFE*log and \
-consider installing selinux-policy-devel package and \
-rebuilding policy with: \
-\
-cd $PREFIX/selinux \
-make -f /usr/share/selinux/devel/Makefile -j1 \
-semodule -n -i $PREFIX/selinux/cfengine-enterprise.pp \
-\
-and then restarting services with  \
-\
-systemctl restart cfengine3"
+    cf_console echo "warning: cfengine-enterprise semodule install failed, will attempt to install cfengine-enterprise-unconfined instead. \
+The install failure should be examined in /var/log/CFEngine-Install.log and any issues reported as bugs at https://northerntech.atlassian.net/jira/software/c/projects/CFE/issues/."
+
+    if ! cf_console semodule -n -i "$PREFIX/selinux/cfengine-enterprise-unconfined.pp"; then
+      cf_console echo "warning: cfengine-enterprise-unconfined semodule failed to install. As a last attempt you can install the semanage program (probably policycoreutils-python-utils package) and run $PREFIX/selinux/label-binaries-unconfined.sh."
+    else
+      cf_console echo "info: cfengine-enterprise-unconfined semodule is installed. This allows CFEngine binaries to run unconfined which is not ideal. Please report issues with default cfengine-enterprise selinux module."
+    fi
   fi
   if /usr/sbin/selinuxenabled; then
     /usr/sbin/load_policy