[ERROR ] [configure] /Stage[main]/Foreman::Config::Apache/Selboolean

foreman-installer fails:
Choose an option from the menu… 60
2021-05-29 21:34:59 [NOTICE] [configure] Starting system configuration.
The total number of configuration tasks may increase during the run.
Observe logs or specify --verbose-log-level to see individual configuration tasks.
2021-05-29 21:35:05 [NOTICE] [configure] 100 out of 944 done.
2021-05-29 21:35:05 [NOTICE] [configure] 200 out of 944 done.
2021-05-29 21:35:05 [ERROR ] [configure] /Stage[main]/Foreman::Config::Apache/Selboolean[httpd_can_network_connect]: Could not evaluate: Execution of '/usr/sbin/getsebool httpd_can_network_connect' returned 1: /usr/sbin/getsebool: SELinux is disabled
2021-05-29 21:35:05 [NOTICE] [configure] 300 out of 944 done.
2021-05-29 21:35:05 [NOTICE] [configure] 400 out of 946 done.
2021-05-29 21:35:05 [NOTICE] [configure] 500 out of 946 done.
2021-05-29 21:35:06 [NOTICE] [configure] 600 out of 948 done.
2021-05-29 21:35:06 [NOTICE] [configure] 700 out of 952 done.
2021-05-29 21:35:06 [NOTICE] [configure] 800 out of 952 done.
2021-05-29 21:35:06 [NOTICE] [configure] 900 out of 952 done.
2021-05-29 21:35:12 [NOTICE] [configure] System configuration has finished.

There were errors detected during install.

Expected outcome: installation succeeds

Foreman and Proxy versions: foreman-2.4.0-1.el8.noarch

Foreman and Proxy plugin versions:

Distribution and version: centos8

Other relevant data:

This is a systemd-nspawn container. These containers do not enable SELinux because they do not run their own kernel; they share it from the host. So even if I enable it, it’s still disabled.
I need an option to override SELinux, but I cannot see it in the installer. Is there something I can use, or is this impossible and I need to start a full VM?

It’s not supported: Installing Foreman 2.4 server on Enterprise Linux

SELinux must be enabled, either in enforcing or permissive mode. Installation with disabled SELinux is not supported.

Ah, OK. I installed it in a CentOS 7 nspawn container and it works fine, so this will be the fix I needed.

Normally this should work. It looks like the SELinux fact is reporting that SELinux is enabled, but not really. I’m not sure if you can override the fact. Back in the day you could use export FACTER_selinux=false but I’m not sure how that’s done now with structured facts.

Can you check the output of facter os.selinux?

I need to recreate an nspawn container with CentOS 8 and reinstall tfm. I’ll do it and post my findings.

This is the requested output:

facter os.selinux

config_mode => "enforcing",
config_policy => "targeted",
current_mode => "enforcing",
enabled => true,
enforced => true,
policy_version => "33"

I tried the envvar FACTER_selinux=false but got the same error during foreman-installer.

Yes, so the problem is that facter thinks it’s in enforcing mode but it really isn’t. Reading facter/selinux.rb at main · puppetlabs/facter · GitHub it looks like it reads some selinuxfs as reported in /proc/self/mounts.

Generally speaking Foreman can run without SELinux or in disabled mode, but we can’t really deal with this. SELinux appears to be enforcing, but the installer can’t change some booleans that must be on. It may be a workaround to enable those manually in the “host”.

Another might be to unmount the SELinux filesystem in the nspawn container, but I don’t know nspawn well enough to say for sure.
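
A diagnostic for the mismatch discussed in this thread, as an added example that is not from any of the posts or from the Foreman or Facter projects: it looks for a selinuxfs entry in the mount table (what the reply above says Facter reads) and compares that with the exit status of getsebool. The function names, verdict strings and sample mount table are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Names and verdict strings are made up here.

# Constructed sample mount table (options are illustrative, not from the thread).
sample_mounts() {
    cat <<'EOF'
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
sysfs /sys sysfs ro,nosuid,nodev,noexec,relatime 0 0
selinuxfs /sys/fs/selinux selinuxfs ro,relatime 0 0
EOF
}

# Print "<mountpoint> <options>" for the first selinuxfs entry in a mounts file.
# $1: file in /proc/self/mounts format. Returns 1 when there is no such entry.
selinuxfs_entry() {
    awk '$3 == "selinuxfs" { print $2, $4; found = 1; exit }
         END { exit !found }' "$1"
}

# Classify the state. $1: mounts file, $2: exit status of
# "getsebool httpd_can_network_connect" (0 = boolean readable).
selinux_state() {
    if entry=$(selinuxfs_entry "$1"); then
        if [ "$2" -eq 0 ]; then
            echo "enabled $entry"
        else
            # The thread's case: mount table says SELinux, userland says disabled.
            echo "mismatch $entry"
        fi
    elif [ "$2" -eq 0 ]; then
        echo "unexpected: getsebool works without selinuxfs"
    else
        echo "disabled"
    fi
}

# Live check inside the container or VM being installed.
check_live() {
    rc=0
    getsebool httpd_can_network_connect >/dev/null 2>&1 || rc=$?
    selinux_state /proc/self/mounts "$rc"
}

# Run the live check only when asked, e.g.: sh selinux_check.sh --live
if [ "${1:-}" = "--live" ]; then check_live; fi
```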