RHEL8, CFEngine, SELinux


t.d...@servicemusic.org.uk

May 5, 2021, 10:03:17 AM
to help-cfengine
Systems:  RHEL; SELinux/enforcing; cfengine-community 3.12

We have a stable, long-established set-up, which is now mostly RHEL7; a few thousand machines and VMs.  Our CFE is 3.12.  We happily run SELinux/enforcing.

I'm preparing our RHEL8 pathway.  But this is throwing many SELinux errors.  This is unexpected, as I would have thought (imagined, presumed, etc.) that the CFE RPM would already include the relevant SELinux info.  (I'm guessing that RHEL8 is interposing more checks. But on the other hand, because CFE-3.12 knows about RHEL8, I would have thought that this would be already 'in the mix'.)

While I've been able to prepare some CFEngine/SELinux '.pp' files, this doesn't feel the right way to go.

Am I missing something?

We are not yet in a position to go higher than 3.12; nor are we yet using MPF.  Both of those are on our team's roadmap, but currently independent from RHEL8.  If you believe that these will basically fix the issues, then it would be very useful to know, as that will encourage us to restructure our roadmap to include this dependency chain.

Thanks.

-- David Lee
-- Diamond Light Source, UK

Nick Anderson

May 5, 2021, 3:03:08 PM
to help-cfengine

Hi David,

Red Hat 8 is not listed as a supported platform for 3.12.


Also, as I am sure you are already aware, 3.12.7 will be released this summer; it is expected to be the final release of the 3.12 series, as support is scheduled to end June 28th 2021.

CFEngine started supporting Red Hat 8 after it reached 8.1 on the 3.15 series. If I recall correctly, this had to do with Red Hat making multiple breaking changes related to SELinux that we didn't want to subject our users to, so we waited until after Red Hat 8.1.

t.d...@servicemusic.org.uk

May 5, 2021, 5:02:17 PM
to help-cfengine
Nick,

That's really useful.  Thanks.

Our 3.12 is actually very new to us!  We had been on 3.10 until about six weeks ago.   Our "toe in the water" with 3.12 was because it at least recognised RHEL8, in that it (unlike 3.10) sets "redhat_8".  From that "3.12 toe in the water" we now have 3.12 deployed almost everywhere.  (For the purposes of this discussion, "everywhere" can be assumed.)  Much earlier, I had actually tried 3.15 for RHEL8, but that was a stretch too far for handling our current old policy, which far pre-dates MPF.

At heart, I'm juggling three things, trying to pull us more up to date, little by little (as attempted big jumps end unceremoniously mid-river):
  • CFE binaries: we had been starting from 3.10 (we're now 3.12);
  • local policy: long pre-dates even 3.10; I am currently well advanced towards MPF (3.12) although it is not yet deployed in production;
  • RHEL: beginning to introduce beta-stage RHEL8 (we are currently mostly RHEL7, but still have some residual RHEL6).
Your email is a great help.  Given that we are now, unlike before, at 3.12 binaries, it prompts me to consider a re-exploration of 3.15/RHEL8 with our current (still ancient, non-MPF) policy and to see whether those earlier problems have now reduced from mountains to molehills (or could be easily reduced to such).  It gives me a possible direction of travel.  Thanks!

-- David Lee