Problem:
Trying to update TheForeman / Katello from 3.17.1 to 3.18.1. When I run dnf upgrade I get the errors:
nothing provides selinux-policy >= 38.1.70 needed by candlepin-selinux-4.7.5-1.el9.noarch from candlepin
nothing provides selinux-policy-base >= 38.1.70 needed by candlepin-selinux-4.7.5-1.el9.noarch from candlepin
I run dnf upgrade with the flags --refresh --nobest and it works - but this is not nice :-). The version of selinux-policy for Rocky Linux 9.7 (current version) is 38.1.65. As I see, even the current version of Red Hat (9.8) provides only 38.1.65 (see Other relevant data).
For RHEL 9 and AlmaLinux I see already 38.1.75 and CentOS Stream 9 provides 38.1.80. If I remember correctly packages are built on RHEL and tested against AlmaLinux.
So I would say the problem is Rocky is lagging behind and advise to open an issue there.
Thank you. The foreman-installer runs with no issues and Candlepin is working, so I will wait until Rocky 9.8 is released to fix that problem. As I see, Rocky is always a few weeks behind Red Hat Linux; 9.8 is currently in the building phase. I expect 9.8 next month.
What @Dirk said is correct: we use copr with RHEL buildroots. In our packaging we declare that foreman-selinux needs at least the version that it was built with:
AFAIK this is the best practice when dealing with SELinux, but we can’t control the buildroot to use older versions of selinux-policy and that has a nasty side effect around RHEL releases.
@releases perhaps this is something that could be included in the release notes and/or release announcement as a known issue?
Unfortunately there's not much that we can do for SELinux. In the past we suffered from building on old policies before the CentOS Stream Project release: everything would break from developing to stable branches when a new version of RHEL was released. Moving to RHEL buildroots on copr allowed us to not have this amazing situation. Unfortunately users on EL rebuilds need to wait for the reconcile on their rebuild. This affected our ability to also test on top of Alma this week; we had to disable it and use only CentOS Stream until all bits from 9.8 get published.
I know the reasons. What I was suggesting was to include a note in release announcements (like Foreman 3.18.1 is now available) when we know this is the case. That prevents unpleasant surprises for users and posts like these.
Regarding the SELinux policy version mismatch — the %{?selinux_requires} macro in candlepin.spec.tmpl picks up the selinux-policy version from the buildroot at build time. As long as we build against RHEL buildroots in Copr, this will reflect RHEL’s version, which EL rebuilds may lag behind on. Not much can be done on the rel-eng side without changing how candlepin is built.
On the announcement side — I’ve added a release announcement step to the candlepin release procedure in theforeman-rel-eng#582 (specifically 498b331). This extends the release_announcement script to support candlepin, so future releases will have a proper announcement posted to Discourse. Known issues like this could be mentioned there going forward.
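As an added example that is not part of this thread, here is a small pre-flight check an admin can run before `dnf upgrade` on an EL rebuild: it reads the `selinux-policy >= X` requirement that a package such as candlepin-selinux declares (the format `dnf repoquery --requires` prints), compares it with the installed selinux-policy version, and reports the mismatch the original poster hit instead of letting the upgrade abort halfway. The version comparison relies on `sort -V`, which matches rpm's ordering for plain dotted versions like 38.1.65 (assumption: no epochs or tilde versions); the sample requires list is constructed from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight check for the selinux-policy
# requirement that candlepin-selinux declares via %{?selinux_requires}.

# version_ge INSTALLED REQUIRED -> succeeds when INSTALLED >= REQUIRED.
# sort -V orders dotted versions the same way rpm does for these simple cases
# (assumption: no epoch or tilde in either version).
version_ge() {
    [ "$(printf '%s\n%s\n' "$2" "$1" | sort -V | head -n 1)" = "$2" ]
}

# min_required REQUIRES_TEXT CAPABILITY -> prints the minimum version demanded
# for CAPABILITY, or nothing if it is required without a version.
# REQUIRES_TEXT is the output of `dnf repoquery --requires <pkg>`, one per line.
min_required() {
    printf '%s\n' "$1" | awk -v cap="$2" '$1 == cap && $2 == ">=" { print $3; exit }'
}

# check_policy INSTALLED REQUIRES_TEXT CAPABILITY -> verdict on stdout,
# returns 0 when a plain `dnf upgrade` would satisfy the requirement.
check_policy() {
    req=$(min_required "$2" "$3")
    if [ -z "$req" ]; then
        echo "OK: $3 is required without a minimum version"
        return 0
    fi
    if version_ge "$1" "$req"; then
        echo "OK: $3 $1 installed, >= $req required"
        return 0
    fi
    echo "MISMATCH: $3 $1 installed, >= $req required; plain dnf upgrade will fail"
    echo "          --nobest would hold the old package back; otherwise wait for"
    echo "          your rebuild to ship selinux-policy $req"
    return 1
}

# Constructed sample matching the thread. On a real host replace it with:
#   INSTALLED=$(rpm -q --qf '%{VERSION}' selinux-policy)
#   SAMPLE_REQUIRES=$(dnf repoquery --requires candlepin-selinux)
SAMPLE_REQUIRES='selinux-policy >= 38.1.70
selinux-policy-base >= 38.1.70
policycoreutils'
INSTALLED="38.1.65"

check_policy "$INSTALLED" "$SAMPLE_REQUIRES" selinux-policy || :
```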