Fixed how rpm packages install selinux policy

packaging/cfengine-community/cfengine-community.spec.in

@@ -17,10 +17,11 @@ Requires: coreutils
 Recommends: gzip
 %endif
 
-# we require selinux-policy package version that matches or exceeds our build system version
-# this guarantees that our compiled selinux policy will work.
+# We add a recommends for the selinux-policy package version that matches or exceeds our build system version.
+# This increases the likelihood that our compiled selinux policy will work.
+# By making this a weak dependency we allow the package to install on systems with an older selinux-policy version.
 %if %{?rhel}%{!?rhel:0} >= 8
-Requires: selinux-policy >= @@SELINUX_POLICY_VERSION@@
+Recommends: selinux-policy >= @@SELINUX_POLICY_VERSION@@
 %endif
 
 AutoReqProv: no
@@ -147,6 +148,7 @@ done
 %prefix/selinux/cfengine-enterprise.pp
 %prefix/selinux/cfengine-enterprise.te
 %prefix/selinux/cfengine-enterprise.fc
+%prefix/selinux/label-binaries-unconfined.sh
 %endif
 
 # Globally installed configs, scripts

packaging/cfengine-nova-hub/cfengine-nova-hub.spec.in

@@ -25,12 +25,14 @@ Recommends: gzip
 Requires(pre): /usr/sbin/useradd, /usr/sbin/userdel, /usr/bin/getent
 Requires(post): /usr/sbin/usermod, /bin/sed
 
-# we require selinux-policy package version that matches or exceeds our build system version
-# this guarantees that our compiled selinux policy will work.
+# We add a recommends for the selinux-policy package version that matches or exceeds our build system version.
+# This increases the likelihood that our compiled selinux policy will work.
+# By making this a weak dependency we allow the package to install on systems with an older selinux-policy version.
 %if %{?rhel}%{!?rhel:0} >= 8
-Requires: selinux-policy >= @@SELINUX_POLICY_VERSION@@
+Recommends: selinux-policy >= @@SELINUX_POLICY_VERSION@@
 %endif
 
+
 # we don't bundle OpenSSL on RHEL 8 (and newer in the future)
 %if %{?rhel}%{!?rhel:0} == 8
 Requires: libssl.so.1.1()(64bit) libssl.so.1.1(OPENSSL_1_1_0)(64bit) libssl.so.1.1(OPENSSL_1_1_1)(64bit)
@@ -413,6 +415,7 @@ exit 0
 %prefix/selinux/cfengine-enterprise.pp
 %prefix/selinux/cfengine-enterprise.te
 %prefix/selinux/cfengine-enterprise.fc
+%prefix/selinux/label-binaries-unconfined.sh
 %endif
 
 # Documentation

packaging/cfengine-nova/cfengine-nova.spec.in

@@ -17,10 +17,11 @@ Requires: coreutils
 Recommends: gzip
 %endif
 
-# we require selinux-policy package version that matches or exceeds our build system version
-# this guarantees that our compiled selinux policy will work.
+# We add a recommends for the selinux-policy package version that matches or exceeds our build system version.
+# This increases the likelihood that our compiled selinux policy will work.
+# By making this a weak dependency we allow the package to install on systems with an older selinux-policy version.
 %if %{?rhel}%{!?rhel:0} >= 8
-Requires: selinux-policy >= @@SELINUX_POLICY_VERSION@@
+Recommends: selinux-policy >= @@SELINUX_POLICY_VERSION@@
 %endif
 
 # we don't bundle OpenSSL on RHEL 8 (and newer in the future)
@@ -173,6 +174,7 @@ exit 0
 %prefix/selinux/cfengine-enterprise.pp
 %prefix/selinux/cfengine-enterprise.te
 %prefix/selinux/cfengine-enterprise.fc
+%prefix/selinux/label-binaries-unconfined.sh
 %endif
 
 # Globally installed configs, scripts

packaging/common/cfengine-hub/postinstall.sh

@@ -11,17 +11,11 @@ then
     test -x /usr/sbin/restorecon   || cf_console echo "warning! selinuxenabled exists and returns 0 but restorecon not found"
   fi
   if ! cf_console semodule -n -i "$PREFIX/selinux/cfengine-enterprise.pp"; then
-    cf_console echo "warning! semodule import failed, examine /var/log/CFE*log and \
-consider installing selinux-policy-devel package and \
-rebuilding policy with: \
-\
-cd $PREFIX/selinux \
-make -f /usr/share/selinux/devel/Makefile -j1 \
-semodule -n -i $PREFIX/selinux/cfengine-enterprise.pp \
-\
-and then restarting services with  \
-\
-systemctl restart cfengine3"
+    cf_console echo "warning! semodule import failed, as a fallback all binaries in $PREFIX will be labeled bin_t aka unconfined. \
+The semodule import failure should be examined in /var/log/CFE*log and reported so that properly confined CFEngine can be setup."
+    if ! "$PREFIX"/selinux/label-binaries-unconfined.sh "$PREFIX"; then
+      cf_console echo "warning! fallback to label all binaries unconfined has failed. CFEngine may not properly operate with selinux set to enforcing."
+    fi
   fi
   if /usr/sbin/selinuxenabled; then
     /usr/sbin/load_policy

packaging/common/cfengine-non-hub/postinstall.sh

@@ -127,17 +127,11 @@ then
 
   fi
   if ! cf_console semodule -n -i "$PREFIX/selinux/cfengine-enterprise.pp"; then
-    cf_console echo "warning! semodule import failed, examine /var/log/CFE*log and \
-consider installing selinux-policy-devel package and \
-rebuilding policy with: \
-\
-cd $PREFIX/selinux \
-make -f /usr/share/selinux/devel/Makefile -j1 \
-semodule -n -i $PREFIX/selinux/cfengine-enterprise.pp \
-\
-and then restarting services with  \
-\
-systemctl restart cfengine3"
+    cf_console echo "warning! semodule import failed, as a fallback all binaries in $PREFIX will be labeled bin_t aka unconfined. \
+The semodule import failure should be examined in /var/log/CFE*log and reported so that properly confined CFEngine can be setup."
+    if ! "$PREFIX"/selinux/label-binaries-unconfined.sh "$PREFIX"; then
+      cf_console echo "warning! fallback to label all binaries unconfined has failed. CFEngine may not properly operate with selinux set to enforcing."
+    fi
   fi
   if /usr/sbin/selinuxenabled; then
     /usr/sbin/load_policy