Added fallback selinux script to label binaries as unconfined in case the cfengine-enterprise module fails to install

In case the normal cfengine-enterprise policy module fails to install the scripts will run this new scripts to ensure that CFEngine can function even if SELinux is enforcing by labeling them as bin_t aka unconfined.

Ticket: ENT-12980
Changelog: title

Author: craigcomstock

.gitignore

@@ -190,4 +190,7 @@ __pycache__
 misc/selinux/cfengine-enterprise.pp
 misc/selinux/cfengine-enterprise.if
 misc/selinux/cfengine-enterprise.te
+misc/selinux/cfengine-enterprise-unconfined.pp
+misc/selinux/cfengine-enterprise-unconfined.if
+misc/selinux/cfengine-enterprise-unconfined.te
 misc/selinux/tmp

configure.ac

@@ -1666,7 +1666,7 @@ AC_ARG_WITH(selinux-policy,
             AS_HELP_STRING([--with-selinux-policy],
                            [Whether to build and install SELinux policy (default: no)]),
             [], [with_selinux_policy=no])
-AM_CONDITIONAL([WITH_SELINUX], [test "x$with_selinux_policy" != "xno"])
+AM_CONDITIONAL([WITH_SELINUX_POLICY], [test "x$with_selinux_policy" != "xno"])
 
 if test "x$with_selinux_policy" != "xno"; then
    platform_id=$(sed -r -e '/PLATFORM_ID/!d;s/PLATFORM_ID="platform:(@<:@^"@:>@+)"/\1/' < /etc/os-release)

misc/selinux/Makefile.am

@@ -1,14 +1,17 @@
-if WITH_SELINUX
+if WITH_SELINUX_POLICY
 cfengine-enterprise.te: cfengine-enterprise.te.all $(PLATFORM_SELINUX_POLICIES)
 	cat cfengine-enterprise.te.all $(PLATFORM_SELINUX_POLICIES) > cfengine-enterprise.te
 
-cfengine-enterprise.pp: cfengine-enterprise.te cfengine-enterprise.fc
+cfengine-enterprise.pp cfengine-enterprise-unconfined.pp: cfengine-enterprise.te cfengine-enterprise.fc cfengine-enterprise-unconfined.te cfengine-enterprise-unconfined.fc
 	$(MAKE) -f /usr/share/selinux/devel/Makefile -j1
 
 selinuxdir = $(prefix)/selinux
 selinux_DATA = cfengine-enterprise.pp
 selinux_DATA += cfengine-enterprise.te
 selinux_DATA += cfengine-enterprise.fc
+selinux_DATA += cfengine-enterprise-unconfined.pp
+selinux_DATA += cfengine-enterprise-unconfined.te
+selinux_DATA += cfengine-enterprise-unconfined.fc
 
 clean-local:
 	rm -rf tmp
@@ -18,5 +21,7 @@ endif
 # tarball even without running './configure --with-selinux-policy'
 DISTFILES  = Makefile.in Makefile.am cfengine-enterprise.fc cfengine-enterprise.te.all
 DISTFILES += cfengine-enterprise.te.el9
+DISTFILES += cfengine-enterprise-unconfined.te
+DISTFILES += cfengine-enterprise-unconfined.fc
 
-CLEANFILES = cfengine-enterprise.pp cfengine-enterprise.if cfengine-enterprise.te
+CLEANFILES = cfengine-enterprise.pp cfengine-enterprise.if cfengine-enterprise.te cfengine-enterprise-unconfined.pp cfengine-enterprise-unconfined.if

misc/selinux/cfengine-enterprise-unconfined.fc

@@ -0,0 +1,4 @@
+/var/cfengine/bin/.* -- gen_context(system_u:object_r:cfengine_exec_t,s0)
+/var/cfengine/notification_scripts(/.*)? -- gen_context(system_u:object_r:cfengine_exec_t,s0)
+/var/cfengine/httpd/bin/.* -- gen_context(system_u:object_r:cfengine_exec_t,s0)
+/var/cfengine/httpd/php/bin/.* -- gen_context(system_u:object_r:cfengine_exec_t,s0)

misc/selinux/cfengine-enterprise-unconfined.te

@@ -0,0 +1,8 @@
+module cfengine-enterprise-unconfined 1.0;
+require {
+  all_kernel_class_perms # required for unconfined_domain()
+}
+type cfengine_t;
+type cfengine_exec_t;
+unconfined_domain(cfengine_t)
+domain_entry_file(cfengine_t, cfengine_exec_t)