We had quite a long discussion both on IRC and Slack where we think we understand what's gone wrong. I'll try to capture the relevant bits in this ticket.

It would appear that the selinux ruby bindings have been compiled against libselinux from RHEL 8.1. libselinux is compiled with
whereas in 8.0 it was compiled with
See https://git.centos.org/rpms/libselinux/c/29ef3f732b5b513cd8e11a5f02f5498837565688?branch=c8#_11

Trevor Vaughan notes on Slack
you always have to build the SELinux materials against the oldest version of EL available
Enhancements to SELinux policies are backwards compatible but later versions may/will break things
and backs this up with evidence this was also an issue in EL7. https://github.com/simp/simp-core/blob/master/spec/acceptance/suites/rpm_docker/nodesets/el7.yml#L8

Jarkko Oranen originally reported this against the puppet/selinux module as this does an explicit `require selinux` and explodes. But actually all of selinux support is broken in CentOS 8 (where 8.1 isn't out yet) with the puppet agent 6.11.1 package. This simple test case doesn't work.
puppet apply -e 'file {"/opt/testfile": ensure => "present", seltype => "default_t" }'
and produces the following debug
Debug: /Stage[main]/Main/File[/opt/testfile]/seltype: SELinux bindings not found. Ignoring parameter.
We think that when core puppet checks for the existence of selinux it must be handling/hiding the load-error and treating it the same way as if the library didn't exist at all.
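The distinction described in the last paragraph, as an added example that is not Puppet's code and not from this ticket: a check that rescues every `LoadError` reports the same result for "bindings not installed" and "bindings installed but unloadable", while classifying the error keeps them apart. The helper names and the constructed error messages (including the placeholder path and symbol) are assumptions for illustration.

```ruby
# Added illustration, not Puppet's code. Classifies the outcome of loading a
# native binding so that "not installed" and "installed but unloadable" differ.

MISSING_PREFIX = 'cannot load such file' # message Ruby uses when no file is found

# loader is injectable so both failure modes can be exercised without libselinux.
def probe_binding(name, loader = ->(n) { require n })
  loader.call(name)
  { state: :loaded, detail: nil }
rescue LoadError => e
  state = e.message.start_with?(MISSING_PREFIX) ? :missing : :broken
  { state: state, detail: e.message }
end

# What a check that rescues every LoadError reports: a single boolean.
def naive_available?(name, loader = ->(n) { require n })
  loader.call(name)
  true
rescue LoadError
  false
end

# Constructed loaders standing in for the two situations (hypothetical data).
NOT_INSTALLED = ->(n) { raise LoadError, "cannot load such file -- #{n}" }
ABI_MISMATCH = lambda do |n|
  # Constructed message in the shape of a failed shared-object load.
  raise LoadError, "/placeholder/path/#{n}.so: undefined symbol: placeholder_symbol"
end

# Turns the classification into a message an operator can act on.
def report(name, loader)
  r = probe_binding(name, loader)
  case r[:state]
  when :loaded  then "#{name}: bindings loaded"
  when :missing then "#{name}: bindings not installed"
  else "#{name}: bindings present but failed to load: #{r[:detail]}"
  end
end

if __FILE__ == $PROGRAM_NAME
  puts report('selinux', NOT_INSTALLED)
  puts report('selinux', ABI_MISMATCH)
  puts "naive: #{naive_available?('selinux', NOT_INSTALLED)} / #{naive_available?('selinux', ABI_MISMATCH)}"
end
```

With the naive check both cases return `false`, which is how a `seltype` parameter can end up ignored with only a debug-level message.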