Minimum CentOS version requirement for 1.18 is 7.5

It looks like we need to bump our OS requirements. If I am not mistaken, we bumped OS version we build against to 7.5, therefore the SELinux policy which we ship as part of foreman-selinux in 1.18 is not compatible with older kernels/selinux stack. The symtoms are:

# foreman-selinux-enable
foreman: libsepol.policydb_read: policydb module version 19 does not match my version range 4-17

This also can be seen as:

libsemanage.semanage_pipe_data: Child process /usr/libexec/selinux/hll/pp failed with code: 255. (No such file or directory).
foreman: libsepol.policydb_read: policydb module version 19 does not match my version range 4-17
foreman: libsepol.sepol_module_package_read: invalid module in module package (at section 0)
foreman: Failed to read policy package
libsemanage.semanage_direct_commit: Failed to compile hll files into cil files.
 (No such file or directory).
OSError: No such file or directory
ValueError: Type foreman_container_port_t is invalid, must be a port type

Which is non-critical error during RPM package installation, installation finishes just fine but then UI won’t show up because httpd_t is not allowed to connect to postgresql_t:

could not connect to server: Permission denied
    Is the server running on host "<HOST>" (<IP>) and accepting
    TCP/IP connections on port 5432?
  /opt/theforeman/tfm/root/usr/share/gems/gems/pg-0.21.0/lib/pg.rb:59:in `initialize'

Workaround: Update your system to latest and greatest CentOS, or at least all selinux packages and kernel. Restart the system. Then enable foreman policy via foreman-selinux-enable and restart all Foreman services (httpd basically).

Lesson learned: Everytime we bump buildroot on koji, we also need to update minimum OS requirements. I am gonna file a PR, maybe it will be better to formulate generic requirement to have the latest stable CentOS possible.

Full story: Support #24616: Passenger does not transition into passenger_t domain - SELinux - Foreman

AFAIK CentOS has no support for older point releases so IMHO we always required the latest CentOS point release. It would be nice if we could update a minimum version in the dependency so that yum install foreman-selinux will either work or complain up front about the issue. Perhaps we should simplify this:

to %define selinux_policy_ver 3.13.1-192

1 Like

Great idea @ekohl and I am gonna do the PR. If you don’t mind I’ve added this to the release notes as I spent quite amount of time troubleshooting this. This is an easy step we can do to prevent from happening.✓&version=210&version_from=209&commit=View+differences