From b0b61f8e5c1ad1ff4467b577dbec527a94290efa Mon Sep 17 00:00:00 2001
From: Craig Comstock
Date: Mon, 3 Nov 2025 16:18:13 -0600
Subject: [PATCH] Adjusted RPM packaging to be avoid failed installs when selinux-policy version is not sufficient

As a workaround, if the cfengine-enterprise selinux module fails to install we set binaries to unconfined domain with bin_t type.

Ticket: ENT-12980
Changelog: title
---
 .../cfengine-community.spec.in | 8 +++++---
 .../cfengine-nova-hub.spec.in | 9 ++++++---
 packaging/cfengine-nova/cfengine-nova.spec.in | 8 +++++---
 packaging/common/cfengine-hub/postinstall.sh | 20 +++++++++----------
 .../common/cfengine-non-hub/postinstall.sh | 20 +++++++++----------
 5 files changed, 34 insertions(+), 31 deletions(-)

diff --git a/packaging/cfengine-community/cfengine-community.spec.in b/packaging/cfengine-community/cfengine-community.spec.in
index 293d8d2ad..c7ab7a169 100644
--- a/packaging/cfengine-community/cfengine-community.spec.in
+++ b/packaging/cfengine-community/cfengine-community.spec.in
@@ -17,10 +17,11 @@ Requires: coreutils
 Recommends: gzip
 %endif
-# we require selinux-policy package version that matches or exceeds our build system version
-# this guarantees that our compiled selinux policy will work.
+# We add a recommends for the selinux-policy package version that matches or exceeds our build system version.
+# This increases the likelihood that our compiled selinux policy will work.
+# By making this a weak dependency we allow the package to install on systems with an older selinux-policy version.
 %if %{?rhel}%{!?rhel:0} >= 8
-Requires: selinux-policy >= @@SELINUX_POLICY_VERSION@@
+Recommends: selinux-policy >= @@SELINUX_POLICY_VERSION@@
 %endif
 AutoReqProv: no
@@ -147,6 +148,7 @@ done
 %prefix/selinux/cfengine-enterprise.pp
 %prefix/selinux/cfengine-enterprise.te
 %prefix/selinux/cfengine-enterprise.fc
+%prefix/selinux/label-binaries-unconfined.sh
 %endif
 # Globally installed configs, scripts
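Review bot: All three specs add `%prefix/selinux/label-binaries-unconfined.sh` to `%files` (this hunk and the matching hunks in cfengine-nova-hub.spec.in and cfengine-nova.spec.in), but no hunk in this patch installs that script and the diffstat lists only the three specs and the two postinstall scripts; unless the file is already produced elsewhere in the build tree, rpmbuild will fail at the `%files` check. The postinstall scripts execute it directly as `"$PREFIX"/selinux/label-binaries-unconfined.sh`, so the entry should pin its mode, e.g. `%attr(0755, root, root) %prefix/selinux/label-binaries-unconfined.sh`, rather than inherit whatever `%defattr` applies. Downgrading `Requires` to `Recommends` also means a host that is installed with weak dependencies disabled will end up with an older selinux-policy and silently take the unconfined fallback path; that consequence belongs in the comment, e.g. `# If the recommended version is absent, %post falls back to labelling binaries bin_t (unconfined); see packaging/common/*/postinstall.sh`.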
diff --git a/packaging/cfengine-nova-hub/cfengine-nova-hub.spec.in b/packaging/cfengine-nova-hub/cfengine-nova-hub.spec.in
index 0a95de657..859e0358e 100644
--- a/packaging/cfengine-nova-hub/cfengine-nova-hub.spec.in
+++ b/packaging/cfengine-nova-hub/cfengine-nova-hub.spec.in
@@ -25,12 +25,14 @@ Recommends: gzip
 Requires(pre): /usr/sbin/useradd, /usr/sbin/userdel, /usr/bin/getent
 Requires(post): /usr/sbin/usermod, /bin/sed
-# we require selinux-policy package version that matches or exceeds our build system version
-# this guarantees that our compiled selinux policy will work.
+# We add a recommends for the selinux-policy package version that matches or exceeds our build system version.
+# This increases the likelihood that our compiled selinux policy will work.
+# By making this a weak dependency we allow the package to install on systems with an older selinux-policy version.
 %if %{?rhel}%{!?rhel:0} >= 8
-Requires: selinux-policy >= @@SELINUX_POLICY_VERSION@@
+Recommends: selinux-policy >= @@SELINUX_POLICY_VERSION@@
 %endif
+
 # we don't bundle OpenSSL on RHEL 8 (and newer in the future)
 %if %{?rhel}%{!?rhel:0} == 8
 Requires: libssl.so.1.1()(64bit) libssl.so.1.1(OPENSSL_1_1_0)(64bit) libssl.so.1.1(OPENSSL_1_1_1)(64bit)
@@ -413,6 +415,7 @@ exit 0
 %prefix/selinux/cfengine-enterprise.pp
 %prefix/selinux/cfengine-enterprise.te
 %prefix/selinux/cfengine-enterprise.fc
+%prefix/selinux/label-binaries-unconfined.sh
 %endif
 # Documentation
diff --git a/packaging/cfengine-nova/cfengine-nova.spec.in b/packaging/cfengine-nova/cfengine-nova.spec.in
index afe2d65f4..549dd0e50 100644
--- a/packaging/cfengine-nova/cfengine-nova.spec.in
+++ b/packaging/cfengine-nova/cfengine-nova.spec.in
@@ -17,10 +17,11 @@ Requires: coreutils
 Recommends: gzip
 %endif
-# we require selinux-policy package version that matches or exceeds our build system version
-# this guarantees that our compiled selinux policy will work.
+# We add a recommends for the selinux-policy package version that matches or exceeds our build system version.
+# This increases the likelihood that our compiled selinux policy will work.
+# By making this a weak dependency we allow the package to install on systems with an older selinux-policy version.
 %if %{?rhel}%{!?rhel:0} >= 8
-Requires: selinux-policy >= @@SELINUX_POLICY_VERSION@@
+Recommends: selinux-policy >= @@SELINUX_POLICY_VERSION@@
 %endif
 # We don't bundle OpenSSL on RHEL >= 8 and SuSE >= 15
@@ -173,6 +174,7 @@ exit 0
 %prefix/selinux/cfengine-enterprise.pp
 %prefix/selinux/cfengine-enterprise.te
 %prefix/selinux/cfengine-enterprise.fc
+%prefix/selinux/label-binaries-unconfined.sh
 %endif
 # Globally installed configs, scripts
diff --git a/packaging/common/cfengine-hub/postinstall.sh b/packaging/common/cfengine-hub/postinstall.sh
index 6660d23c3..dcddc906d 100644
--- a/packaging/common/cfengine-hub/postinstall.sh
+++ b/packaging/common/cfengine-hub/postinstall.sh
@@ -11,17 +11,15 @@ then
 test -x /usr/sbin/restorecon || cf_console echo "warning! selinuxenabled exists and returns 0 but restorecon not found"
 fi
 if ! cf_console semodule -n -i "$PREFIX/selinux/cfengine-enterprise.pp"; then
- cf_console echo "warning! semodule import failed, examine /var/log/CFE*log and \
-consider installing selinux-policy-devel package and \
-rebuilding policy with: \
-\
-cd $PREFIX/selinux \
-make -f /usr/share/selinux/devel/Makefile -j1 \
-semodule -n -i $PREFIX/selinux/cfengine-enterprise.pp \
-\
-and then restarting services with \
-\
-systemctl restart cfengine3"
+ cf_console echo "warning! semodule import failed, as a fallback all binaries in $PREFIX will be labeled bin_t aka unconfined. \
+The semodule import failure should be examined in /var/log/CFE*log and reported so that properly confined CFEngine can be setup."
+ if ! command -v semodule; then
+ cf_console echo "warning! semodule import failed and semodule command is not available. Please install the package policycoreutils and run $PREFIX/selinux/label-binaries-unconfined.sh manually immediately after install and restart services with systemctl restart cfengine3."
+ else
+ if ! "$PREFIX"/selinux/label-binaries-unconfined.sh "$PREFIX"; then
+ cf_console echo "warning! fallback to label all binaries unconfined has failed. CFEngine may not properly operate with selinux set to enforcing."
+ fi
+ fi
 fi
 if /usr/sbin/selinuxenabled; then
 /usr/sbin/load_policy
diff --git a/packaging/common/cfengine-non-hub/postinstall.sh b/packaging/common/cfengine-non-hub/postinstall.sh
index 6280ab553..41ca8ff82 100644
--- a/packaging/common/cfengine-non-hub/postinstall.sh
+++ b/packaging/common/cfengine-non-hub/postinstall.sh
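Review bot: `if ! command -v semodule; then` prints the resolved path of semodule to the installer's stdout on the success branch; redirect it with `if ! command -v semodule >/dev/null 2>&1; then` (the cfengine-non-hub/postinstall.sh hunk has the same line). The fallback also leaves the host in the weaker state the message itself describes (every binary under $PREFIX labelled bin_t, i.e. unconfined) with only a console warning that is easily lost during an unattended install, so the condition should additionally be recorded somewhere durable, e.g. `logger -p user.warning -t cfengine-postinstall "selinux module import failed; binaries under $PREFIX labelled bin_t (unconfined)"`. A comment above the fallback should state how the confined labelling is restored once selinux-policy is upgraded (re-running semodule and restorecon, if that is the intended path), because nothing in the hunk undoes the bin_t labels on a later successful import. The enclosing `if` that guards this block starts before the hunk, and the selinuxenabled/load_policy branch at the end continues past it.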
@@ -127,17 +127,15 @@ then
 fi
 if ! cf_console semodule -n -i "$PREFIX/selinux/cfengine-enterprise.pp"; then
- cf_console echo "warning! semodule import failed, examine /var/log/CFE*log and \
-consider installing selinux-policy-devel package and \
-rebuilding policy with: \
-\
-cd $PREFIX/selinux \
-make -f /usr/share/selinux/devel/Makefile -j1 \
-semodule -n -i $PREFIX/selinux/cfengine-enterprise.pp \
-\
-and then restarting services with \
-\
-systemctl restart cfengine3"
+ cf_console echo "warning! semodule import failed, as a fallback all binaries in $PREFIX will be labeled bin_t aka unconfined. \
+The semodule import failure should be examined in /var/log/CFE*log and reported so that properly confined CFEngine can be setup."
+ if ! command -v semodule; then
+ cf_console echo "warning! semodule import failed and semodule command is not available. Please install the package policycoreutils and run $PREFIX/selinux/label-binaries-unconfined.sh manually immediately after install and restart services with systemctl restart cfengine3."
+ else
+ if ! "$PREFIX"/selinux/label-binaries-unconfined.sh "$PREFIX"; then
+ cf_console echo "warning! fallback to label all binaries unconfined has failed. CFEngine may not properly operate with selinux set to enforcing."
+ fi
+ fi
 fi
 if /usr/sbin/selinuxenabled; then
 /usr/sbin/load_policy