Adjusted RPM packaging to be avoid failed installs when selinux-policy version is not sufficient

As a workaround, if the cfengine-enterprise selinux module fails to install we set binaries to unconfined domain with bin_t type.

Ticket: ENT-12980
Changelog: title

We have found that this requirement cannot be met in the field so we are investigating other ways to ensure the latest SELinux policy can be put in place during install.

Ticket: ENT-12980
Changelog: title

Author: craigcomstock

packaging/cfengine-community/cfengine-community.spec.in

@@ -17,10 +17,11 @@ Requires: coreutils
 Recommends: gzip
 %endif
 
-# we require selinux-policy package version that matches or exceeds our build system version
-# this guarantees that our compiled selinux policy will work.
+# We add a recommends for the selinux-policy package version that matches or exceeds our build system version.
+# This increases the likelihood that our compiled selinux policy will work.
+# By making this a weak dependency we allow the package to install on systems with an older selinux-policy version.
 %if %{?rhel}%{!?rhel:0} >= 8
-Requires: selinux-policy >= @@SELINUX_POLICY_VERSION@@
+Recommends: selinux-policy >= @@SELINUX_POLICY_VERSION@@
 %endif
 
 AutoReqProv: no
@@ -147,6 +148,7 @@ done
 %prefix/selinux/cfengine-enterprise.pp
 %prefix/selinux/cfengine-enterprise.te
 %prefix/selinux/cfengine-enterprise.fc
+%prefix/selinux/label-binaries-unconfined.sh
 %endif
 
 # Globally installed configs, scripts

packaging/cfengine-nova-hub/cfengine-nova-hub.spec.in

@@ -25,12 +25,14 @@ Recommends: gzip
 Requires(pre): /usr/sbin/useradd, /usr/sbin/userdel, /usr/bin/getent
 Requires(post): /usr/sbin/usermod, /bin/sed
 
-# we require selinux-policy package version that matches or exceeds our build system version
-# this guarantees that our compiled selinux policy will work.
+# We add a recommends for the selinux-policy package version that matches or exceeds our build system version.
+# This increases the likelihood that our compiled selinux policy will work.
+# By making this a weak dependency we allow the package to install on systems with an older selinux-policy version.
 %if %{?rhel}%{!?rhel:0} >= 8
-Requires: selinux-policy >= @@SELINUX_POLICY_VERSION@@
+Recommends: selinux-policy >= @@SELINUX_POLICY_VERSION@@
 %endif
 
+
 # we don't bundle OpenSSL on RHEL 8 (and newer in the future)
 %if %{?rhel}%{!?rhel:0} == 8
 Requires: libssl.so.1.1()(64bit) libssl.so.1.1(OPENSSL_1_1_0)(64bit) libssl.so.1.1(OPENSSL_1_1_1)(64bit)
@@ -413,6 +415,7 @@ exit 0
 %prefix/selinux/cfengine-enterprise.pp
 %prefix/selinux/cfengine-enterprise.te
 %prefix/selinux/cfengine-enterprise.fc
+%prefix/selinux/label-binaries-unconfined.sh
 %endif
 
 # Documentation

packaging/cfengine-nova/cfengine-nova.spec.in

@@ -17,10 +17,11 @@ Requires: coreutils
 Recommends: gzip
 %endif
 
-# we require selinux-policy package version that matches or exceeds our build system version
-# this guarantees that our compiled selinux policy will work.
+# We add a recommends for the selinux-policy package version that matches or exceeds our build system version.
+# This increases the likelihood that our compiled selinux policy will work.
+# By making this a weak dependency we allow the package to install on systems with an older selinux-policy version.
 %if %{?rhel}%{!?rhel:0} >= 8
-Requires: selinux-policy >= @@SELINUX_POLICY_VERSION@@
+Recommends: selinux-policy >= @@SELINUX_POLICY_VERSION@@
 %endif
 
 # we don't bundle OpenSSL on RHEL 8 (and newer in the future)
@@ -173,6 +174,7 @@ exit 0
 %prefix/selinux/cfengine-enterprise.pp
 %prefix/selinux/cfengine-enterprise.te
 %prefix/selinux/cfengine-enterprise.fc
+%prefix/selinux/label-binaries-unconfined.sh
 %endif
 
 # Globally installed configs, scripts