Adjusted RPM packaging to avoid failed installs when selinux-policy version is not sufficient #2019
57f6113 to bf0846e
bf0846e to c9858c7
c9858c7 to b0b61f8
I will do testing of these packages tomorrow. I suspect they will work as-designed.
4dc0c12 to 6c520f7
…y version is not sufficient

As a workaround, if the cfengine-enterprise selinux module fails to install we set binaries to unconfined domain with bin_t type.

Ticket: ENT-12980
Changelog: title
6c520f7 to 190c974
Testing looks good. Let's give it a go: @cf-bottom jenkins with exotics please. Thanks.
Alright, I triggered a build: (with exotics)
Jenkins: https://ci.cfengine.com/job/pr-pipeline/13007/
Packages: http://buildcache.cfengine.com/packages/testing-pr/jenkins-pr-pipeline-13007/
More failures with time_based_vars as in cfengine/masterfiles#3074. Maybe that failing is a flake of running at a particular time of day? Let's retry without deployment tests:
vpodzime left a comment
Looks good to me otherwise.
| Requires: selinux-policy >= @@SELINUX_POLICY_VERSION@@ | ||
| Recommends: selinux-policy >= @@SELINUX_POLICY_VERSION@@ | ||
| # Also we Recommend policycoreutils-python-utils as it contains semanage which is used by the fallback labeling script. | ||
| Recommends: policycoreutils-python-utils |
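Review bot: The comment above `Recommends: policycoreutils-python-utils` says the fallback labeling script uses semanage, but a Recommends is a weak dependency and can be skipped at install time, so the script cannot assume semanage is present. Have the fallback check for it (for example with `command -v semanage`) and print a clear message when it is missing, rather than failing partway through labeling. With the `Requires: selinux-policy >= @@SELINUX_POLICY_VERSION@@` line shown next to a Recommends of the same version, that check matters most on exactly the hosts where the policy is too old.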
Hmm, this will try to install policycoreutils-python-utils even to systems that have the desired version of selinux-policy. I'm not sure we can do this.
Right! I was hoping there was an alt way to set fcontext. Any ideas?
I'm not aware of any. We would probably have to write something ourselves (based on libselinux) and make it part of our packages.
| and then restarting services with \ | ||
| \ | ||
| systemctl restart cfengine3" | ||
| cf_console echo "warning! semodule import failed, as a fallback all binaries in $PREFIX will be labeled bin_t aka unconfined. \ |
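Review bot: In the fallback message, `bin_t aka unconfined` mixes a file type with a process domain, and the text does not tell the user what they lose. State the consequence directly, for example that the binaries in $PREFIX will run without the confinement the cfengine-enterprise SELinux module would have provided, and refer back to the preceding message (the one ending in `systemctl restart cfengine3`) so the user can tell which steps apply once the module can be imported.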
Preexisting, but I think warning: is more common than warning!, esp. now that we also have notice:. And maybe we should also add some info: messages telling the users what's happening?
Makes sense.
We have found that this requirement cannot be met in the field so we are investigating other ways to ensure the latest SELinux policy can be put in place during install.
Ticket: ENT-12980
Changelog: title
together
#2019
cfengine/core#5934
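The fallback that the commit message and review thread describe, sketched as an added shell example; it is not CFEngine's packaging scriptlet. The function name, the choice of `$prefix/bin` as the labelled directory and the return strings are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not the project's scriptlet. Assumed names: the function,
# the "$prefix/bin" target directory and the strings it prints.

# Usage: install_policy_or_fallback MODULE.pp PREFIX
# Prints the path taken on stdout: "module", "fallback" or "unlabeled".
install_policy_or_fallback() {
    module=$1
    prefix=$2

    # Preferred path: import the policy module so the daemons get their own domains.
    if semodule -i "$module" >/dev/null 2>&1; then
        echo "module"
        return 0
    fi
    echo "warning: semodule import of $module failed, trying bin_t fallback" >&2

    # semanage arrives only through a Recommends (weak dependency), so it may be absent.
    if ! command -v semanage >/dev/null 2>&1; then
        echo "warning: semanage not found, $prefix/bin keeps its current labels" >&2
        echo "unlabeled"
        return 1
    fi

    # Persistent file-context rule labelling the binaries bin_t.
    # "-a" fails when the rule already exists (e.g. on upgrade), so retry with "-m".
    spec="$prefix/bin(/.*)?"
    if ! semanage fcontext -a -t bin_t "$spec" >/dev/null 2>&1 &&
       ! semanage fcontext -m -t bin_t "$spec" >/dev/null 2>&1; then
        echo "warning: could not set file context rule for $spec" >&2
        echo "unlabeled"
        return 1
    fi

    # Apply the rule to the files already on disk.
    if ! restorecon -R "$prefix/bin" >/dev/null 2>&1; then
        echo "warning: restorecon failed on $prefix/bin" >&2
        echo "unlabeled"
        return 1
    fi
    echo "fallback"
    return 0
}
```
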