Adjusted RPM packaging to be avoid failed installs when selinux-policy version is not sufficient

craigcomstock · craigcomstock · commit b0b61f8e5c1a · 2025-11-12T15:14:12.000-06:00
As a workaround, if the cfengine-enterprise selinux module fails to install we set binaries to unconfined domain with bin_t type. Ticket: ENT-12980 Changelog: title
diff --git a/packaging/cfengine-community/cfengine-community.spec.in b/packaging/cfengine-community/cfengine-community.spec.in
@@ -17,10 +17,11 @@ Requires: coreutils
 Recommends: gzip
 %endif
 
-# we require selinux-policy package version that matches or exceeds our build system version
-# this guarantees that our compiled selinux policy will work.
+# We add a recommends for the selinux-policy package version that matches or exceeds our build system version.
+# This increases the likelihood that our compiled selinux policy will work.
+# By making this a weak dependency we allow the package to install on systems with an older selinux-policy version.
 %if %{?rhel}%{!?rhel:0} >= 8
-Requires: selinux-policy >= @@SELINUX_POLICY_VERSION@@
+Recommends: selinux-policy >= @@SELINUX_POLICY_VERSION@@
 %endif
 
 AutoReqProv: no
@@ -147,6 +148,7 @@ done
 %prefix/selinux/cfengine-enterprise.pp
 %prefix/selinux/cfengine-enterprise.te
 %prefix/selinux/cfengine-enterprise.fc
+%prefix/selinux/label-binaries-unconfined.sh
 %endif
 
 # Globally installed configs, scripts
diff --git a/packaging/cfengine-nova-hub/cfengine-nova-hub.spec.in b/packaging/cfengine-nova-hub/cfengine-nova-hub.spec.in
@@ -25,12 +25,14 @@ Recommends: gzip
 Requires(pre): /usr/sbin/useradd, /usr/sbin/userdel, /usr/bin/getent
 Requires(post): /usr/sbin/usermod, /bin/sed
 
-# we require selinux-policy package version that matches or exceeds our build system version
-# this guarantees that our compiled selinux policy will work.
+# We add a recommends for the selinux-policy package version that matches or exceeds our build system version.
+# This increases the likelihood that our compiled selinux policy will work.
+# By making this a weak dependency we allow the package to install on systems with an older selinux-policy version.
 %if %{?rhel}%{!?rhel:0} >= 8
-Requires: selinux-policy >= @@SELINUX_POLICY_VERSION@@
+Recommends: selinux-policy >= @@SELINUX_POLICY_VERSION@@
 %endif
 
+
 # we don't bundle OpenSSL on RHEL 8 (and newer in the future)
 %if %{?rhel}%{!?rhel:0} == 8
 Requires: libssl.so.1.1()(64bit) libssl.so.1.1(OPENSSL_1_1_0)(64bit) libssl.so.1.1(OPENSSL_1_1_1)(64bit)
@@ -413,6 +415,7 @@ exit 0
 %prefix/selinux/cfengine-enterprise.pp
 %prefix/selinux/cfengine-enterprise.te
 %prefix/selinux/cfengine-enterprise.fc
+%prefix/selinux/label-binaries-unconfined.sh
 %endif
 
 # Documentation
diff --git a/packaging/cfengine-nova/cfengine-nova.spec.in b/packaging/cfengine-nova/cfengine-nova.spec.in
@@ -17,10 +17,11 @@ Requires: coreutils
 Recommends: gzip
 %endif
 
-# we require selinux-policy package version that matches or exceeds our build system version
-# this guarantees that our compiled selinux policy will work.
+# We add a recommends for the selinux-policy package version that matches or exceeds our build system version.
+# This increases the likelihood that our compiled selinux policy will work.
+# By making this a weak dependency we allow the package to install on systems with an older selinux-policy version.
 %if %{?rhel}%{!?rhel:0} >= 8
-Requires: selinux-policy >= @@SELINUX_POLICY_VERSION@@
+Recommends: selinux-policy >= @@SELINUX_POLICY_VERSION@@
 %endif
 
 # We don't bundle OpenSSL on RHEL >= 8 and SuSE >= 15
@@ -173,6 +174,7 @@ exit 0
 %prefix/selinux/cfengine-enterprise.pp
 %prefix/selinux/cfengine-enterprise.te
 %prefix/selinux/cfengine-enterprise.fc
+%prefix/selinux/label-binaries-unconfined.sh
 %endif
 
 # Globally installed configs, scripts
diff --git a/packaging/common/cfengine-hub/postinstall.sh b/packaging/common/cfengine-hub/postinstall.sh
@@ -11,17 +11,15 @@ then
     test -x /usr/sbin/restorecon   || cf_console echo "warning! selinuxenabled exists and returns 0 but restorecon not found"
   fi
   if ! cf_console semodule -n -i "$PREFIX/selinux/cfengine-enterprise.pp"; then
-    cf_console echo "warning! semodule import failed, examine /var/log/CFE*log and \
-consider installing selinux-policy-devel package and \
-rebuilding policy with: \
-\
-cd $PREFIX/selinux \
-make -f /usr/share/selinux/devel/Makefile -j1 \
-semodule -n -i $PREFIX/selinux/cfengine-enterprise.pp \
-\
-and then restarting services with  \
-\
-systemctl restart cfengine3"
+    cf_console echo "warning! semodule import failed, as a fallback all binaries in $PREFIX will be labeled bin_t aka unconfined. \
+The semodule import failure should be examined in /var/log/CFE*log and reported so that properly confined CFEngine can be setup."
+    if ! command -v semodule; then
+      cf_console echo "warning! semodule import failed and semodule command is not available. Please install the package policycoreutils and run $PREFIX/selinux/label-binaries-unconfined.sh manually immediately after install and restart services with systemctl restart cfengine3."
+    else
+      if ! "$PREFIX"/selinux/label-binaries-unconfined.sh "$PREFIX"; then
+        cf_console echo "warning! fallback to label all binaries unconfined has failed. CFEngine may not properly operate with selinux set to enforcing."
+      fi
+    fi
   fi
   if /usr/sbin/selinuxenabled; then
     /usr/sbin/load_policy
diff --git a/packaging/common/cfengine-non-hub/postinstall.sh b/packaging/common/cfengine-non-hub/postinstall.sh
@@ -127,17 +127,15 @@ then
 
   fi
   if ! cf_console semodule -n -i "$PREFIX/selinux/cfengine-enterprise.pp"; then
-    cf_console echo "warning! semodule import failed, examine /var/log/CFE*log and \
-consider installing selinux-policy-devel package and \
-rebuilding policy with: \
-\
-cd $PREFIX/selinux \
-make -f /usr/share/selinux/devel/Makefile -j1 \
-semodule -n -i $PREFIX/selinux/cfengine-enterprise.pp \
-\
-and then restarting services with  \
-\
-systemctl restart cfengine3"
+    cf_console echo "warning! semodule import failed, as a fallback all binaries in $PREFIX will be labeled bin_t aka unconfined. \
+The semodule import failure should be examined in /var/log/CFE*log and reported so that properly confined CFEngine can be setup."
+    if ! command -v semodule; then
+      cf_console echo "warning! semodule import failed and semodule command is not available. Please install the package policycoreutils and run $PREFIX/selinux/label-binaries-unconfined.sh manually immediately after install and restart services with systemctl restart cfengine3."
+    else
+      if ! "$PREFIX"/selinux/label-binaries-unconfined.sh "$PREFIX"; then
+        cf_console echo "warning! fallback to label all binaries unconfined has failed. CFEngine may not properly operate with selinux set to enforcing."
+      fi
+    fi
   fi
   if /usr/sbin/selinuxenabled; then
     /usr/sbin/load_policy
