CentOS8 - Ondemand-selinux install issues

Good Afternoon,

Our team is attempting a fresh install of Ondemand 1.8 on CentOS8. We are running into an issue when trying to install the ondemand-selinux RPM.

yum install ondemand-selinux
Last metadata expiration check: 1:38:58 ago on Wed 20 Jan 2021 01:57:40 PM EST.
Error:
 Problem: cannot install the best candidate for the job
  - nothing provides policycoreutils-python needed by ondemand-selinux-1.8.18-1.el8.x86_64
(try to add '--skip-broken' to skip uninstallable packages or '--nobest' to use not only best candidate packages)

A few resources point towards this package being changed to policycoreutils-python-utils on CentOS8. policycoreutils-python-utils-2.9-9.el8.noarch.rpm CentOS 8 Download

Any feedback/work-around here would be greatly appreciated.

Best regards,

Juan

Thanks! It was renamed in el8, I can confirm in a centos:8 container. @tdockendorf FYI. We need to release a 1.8 update anyhow, so this will have to be included in it.

Jeff,

Thanks for the quick response here. In the meantime - is there any workaround you can think of for us to move forward?

Best,

Juan

Seems like you could try to --skip-broken and install policycoreutils-python-utils. That may seem like the best bet.

The other route is to make a new ondemand-selinux package from ours, calling it maybe psc-ondemand-selinux (so we don’t have conflicts) and adding the right package. It’s not impossible, but probably going to cause conflicts and head-aches down the road, so I wouldn’t recommend it.

With the former approach you’re saying “install this thing, yes I know it has a bad dependency but I’m quite sure I have actually met the dependencies by installing the right package”. So it should work, just install python utils first.

Though @tdockendorf may have a better solution for you.

This issue is simple to fix: (release 1.8) Fix SELinux package dependencies by treydock · Pull Request #853 · OSC/ondemand · GitHub. We only need semanage from that dependency and we already required that via path dependency so no need to require policycoreutils-python by name or the new package.

The approach of --skip-broken will skip ondemand-selinux since it’s seen as broken.

If you do want to build your own package clone this repo: GitHub - OSC/ondemand-packaging: Used to build RPMs for OnDemand and OSC-specific BatchConnect applications and checkout 1.8 branch. Then you need to build the source tarball for ondemand repo by checking out main ondemand repo release_1.8 branch and doing this:

rake package VERSION=v1.8.18-2

This will produce the tar ball in packaging directory, then you build the RPM:

/path/to/ondemand-packaging/build.sh -w /tmp/work -o /tmp/output -d el8 -S -V v1.8.18-2 $(pwd)/packaging

The resulting RPMs will be in /tmp/output/el8 and will NOT be GPG signed. You could then use that produced ondemand-selinux and it will get upgraded when we release next 1.8 release. The build process only needs Docker so you can build on anything that understands bash and docker.

Good Morning,

Had to make a few modifications to get that install to work appropriately. The following is a list of the changes that were made (so that you may review and potentially make modifications in a future release):

  • ondemand/packaging/ondemand.spec - Removed the >= %{selinux_policy_ver}. This was causing issues during the install.
  • ondemand-packaging/build/Rakefile - Had to comment out line 132 as the packager was throwing errors here.

Thank you again for all of the help! Looking forward to being able to do a fresh install with the latest release once these changes are merged.

Best regards,

Juan

The issue with GPG signing for ondemand-packaging is a bug when GPG signing is disabled. Fixed with these pull requests:

The issue with ondemand.spec I can not reproduce. I just built a 1.8.18-2 RPM and when I go to install ondemand-selinux into CentOS 8 docker it pulls in the dependency for selinux-policy with version 3.14.3-54.el8. My RPM shows it depends on a version that is available:

[root@154ba8d7e1c6 /]# rpm -q --requires /output/el8/ondemand-selinux-1.8.18-2.el8.x86_64.rpm | grep selinux-policy
selinux-policy >= 3.14.3-54.el8
selinux-policy-targeted

My guess for your issue is maybe you are using local copies of CentOS or RHEL repos where your available version of selinux-policy is older than what was used to build the RPM inside the Docker container.

That makes sense. Thanks again!