It looks like we need to bump our OS requirements. If I am not mistaken, we bumped the OS version we build against to 7.5, therefore the SELinux policy which we ship as part of foreman-selinux in 1.18 is not compatible with older kernels/selinux stacks. The symptoms are:
# foreman-selinux-enable
foreman: libsepol.policydb_read: policydb module version 19 does not match my version range 4-17
This also can be seen as:
libsemanage.semanage_pipe_data: Child process /usr/libexec/selinux/hll/pp failed with code: 255. (No such file or directory).
foreman: libsepol.policydb_read: policydb module version 19 does not match my version range 4-17
foreman: libsepol.sepol_module_package_read: invalid module in module package (at section 0)
foreman: Failed to read policy package
libsemanage.semanage_direct_commit: Failed to compile hll files into cil files.
(No such file or directory).
OSError: No such file or directory
ValueError: Type foreman_container_port_t is invalid, must be a port type
Which is a non-critical error during RPM package installation: installation finishes just fine, but then the UI won’t show up because httpd_t is not allowed to connect to postgresql_t:
could not connect to server: Permission denied
Is the server running on host "<HOST>" (<IP>) and accepting
TCP/IP connections on port 5432?
(PG::ConnectionBad)
/opt/theforeman/tfm/root/usr/share/gems/gems/pg-0.21.0/lib/pg.rb:59:in `initialize'
...
Workaround: Update your system to the latest and greatest CentOS, or at least all selinux packages and the kernel. Restart the system. Then enable the foreman policy via foreman-selinux-enable and restart all Foreman services (httpd basically).
Lesson learned: Every time we bump the buildroot on koji, we also need to update the minimum OS requirements. I am gonna file a PR, maybe it will be better to formulate a generic requirement to have the latest stable CentOS possible.
Full story: Support #24616: Passenger does not transition into passenger_t domain - SELinux - Foreman
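As an added diagnostic (not part of the original post and not shipped with foreman-selinux): a POSIX shell script that recognises the libsepol version-mismatch line from captured foreman-selinux-enable output, and, when run as root on an SELinux host with the tools installed, checks that the module actually loaded and that httpd_t may connect to postgresql_t. The module name "foreman", the availability of sesearch from setools, and the sample log text are assumptions.

```shell
#!/bin/sh
# Added diagnostic, not from the original post or from foreman-selinux.

# Constructed sample of the output foreman-selinux-enable printed in the post.
SAMPLE_LOG='foreman: libsepol.policydb_read: policydb module version 19 does not match my version range 4-17
foreman: libsepol.sepol_module_package_read: invalid module in module package (at section 0)
foreman: Failed to read policy package'

# check_module_version LOGTEXT
# Finds "policydb module version N does not match my version range A-B",
# prints "N A B" and returns 1 when N lies outside A-B (the .pp was built for
# a newer libsepol than the host has). Returns 0 when no such line exists.
check_module_version() {
    line=$(printf '%s\n' "$1" \
        | grep -o 'policydb module version [0-9]* does not match my version range [0-9]*-[0-9]*' \
        | head -n 1)
    [ -n "$line" ] || return 0
    # Keep only the digits so the three numbers become positional parameters.
    set -- $(printf '%s\n' "$line" | sed 's/[^0-9]/ /g')
    printf '%s %s %s\n' "$1" "$2" "$3"
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# live_checks: only meaningful on an SELinux host with the userspace tools.
# Assumptions: the module is named "foreman"; sesearch (setools) is present.
# Returns 0 if all checks pass, 2 if skipped, 1 otherwise.
live_checks() {
    command -v semodule >/dev/null 2>&1 || return 2
    [ "$(id -u)" -eq 0 ] || return 2
    semodule -l | grep -q '^foreman' || { echo "foreman module not loaded"; return 1; }
    # The UI failure in the post is httpd_t being denied name_connect to postgresql_t.
    if command -v sesearch >/dev/null 2>&1; then
        sesearch --allow -s httpd_t -t postgresql_t -c tcp_socket -p name_connect \
            | grep -q allow || { echo "httpd_t -> postgresql_t name_connect not allowed"; return 1; }
    fi
    echo "foreman module loaded and httpd_t may connect to postgresql_t"
}

if check_module_version "$SAMPLE_LOG" >/dev/null; then
    echo "sample: no module version mismatch"
else
    echo "sample: policy module newer than host libsepol; update selinux packages and kernel"
fi
if live_checks; then :; else echo "live checks skipped or failed"; fi
```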