People who are attempting to use the RHEL8 Puppet packages on Fedora will also be burned by this, as every version of Fedora I have examined (including Rawhide) ships a libselinux package that was built with export DISABLE_RPM="y". (And yes, I know Puppet doesn't officially support running RHEL packages on Fedora. But I experiment with running puppetserver on Fedora, and Puppet doesn't build the puppetserver packages for the official Fedora repositories. Furthermore, because Fedora moves so rapidly, it's generally the case that by the time official Puppet packages for Fedora [n] are available, I've already migrated to Fedora [n+1]. For these reasons, I eschew Puppet's official Fedora repositories, and instead use the latest RHEL repository on my Fedora systems.)
That notwithstanding, it is unusual for Red Hat to roll out a change for RHEL that hasn't hit Fedora already, as Fedora is essentially RHEL next. It's also somewhat unusual (but not without precedent) for Red Hat to break backwards shared library compatibility with RHEL minor point releases. As such, I think there is a possibility that this change wasn't intentional—that it was an oversight in the libselinux 2.8 → 2.9 rebase between RHEL 8.0 and RHEL 8.1.
We are a RHEL shop and have a Red Hat support contract. I filed the following support case with Red Hat, gently questioning this change:
why is libselinux now built with 'export DISABLE_RPM="n"'?
What problem/issue/behavior are you having trouble with? What do you expect to see?
Starting with libselinux-2.9-2.1.el8, the %build section of libselinux.spec file now contains:
This is a change from the previous (RHEL 8.0) version of libselinux, libselinux-2.8-6.el8, which contained:
This change means that the libselinux-2.9-2.1.el8 libselinux.so shared library has a symbol, rpm_execcon, that the libselinux-2.8-6.el8 libselinux.so shared library does not. This change means that any executable linked against the libselinux-2.9-2.1.el8 libselinux.so will die at runtime if executed on a system that has not yet updated from libselinux-2.8-6.el8.
This change also breaks cross-distro compatibility. Every Fedora version of libselinux that I have examined, including libselinux-3.0-1.fc32 from Rawhide, builds libselinux with:
While it is usually the case that an executable compiled on RHEL can be run on Fedora (as long as the necessary compat-* library packages are installed), that is not the case with this change, as no version of Fedora has a libselinux.so shared library that has the rpm_execcon symbol.
Furthermore, this change can break third-party vendors who are attempting to ship packages for RHEL8. Here is one instance:
https://tickets.puppetlabs.com/browse/PUP-10161
Finally, I can find no explanation for this change. There were no (public) Bugzilla tickets requesting it that I can find. And it was implemented without comment during the libselinux 2.8 → 2.9 rebase for RHEL 8.1:
https://git.centos.org/rpms/libselinux/c/29ef3f732b5b513cd8e11a5f02f5498837565688?branch=c8#_11
I am beginning to wonder if this change was in fact unintentional—that flipping DISABLE_RPM from "y" to "n" was an oversight of the libselinux 2.8 → 2.9 rebase for RHEL 8.1, and that Red Hat did not actually intend for programs linked against the RHEL 8.1 libselinux.so to break on RHEL 8.0 systems.
Was this change intentional?
If so, can you reveal the reasons for the change?
If not, is there any realistic possibility of reverting the change? (My guess is no, because if the RHEL 8.2 libselinux.so reverts to export DISABLE_RPM="y", then anything linked against the RHEL 8.1 libselinux.so will fail at runtime for RHEL 8.2 in the exact same way it fails at runtime for RHEL 8.0.)
What information can you provide around timeframes and the business impact?
Vendors and other developers who link against libselinux.so must compile on RHEL 8.0, not RHEL 8.1. This is inconvenient, but not a showstopper.
But even if this change wasn't intentional, as per above, I don't see how Red Hat would be able to revert it for RHEL 8.2 without breaking forward shared library compatibility with RHEL 8.1. This is something Red Hat cannot do. As such, I think the only way to safely build Puppet packages for RHEL8 that will work correctly on any version of RHEL8 (not to mention on other distros, such as Fedora) is to build using libselinux-devel-2.8 from RHEL 8.0. You're stuck with that for the lifetime of RHEL8, alas.
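One way to catch the breakage described in the comment above before a package ships, as an added example that is not part of the original comment: compare `nm -D` listings of the built binary, the build-host libselinux.so and the oldest target libselinux.so, and report imports that only the build-host library can satisfy. The function names `abi_gap` and `write_samples`, the file names, the addresses and the `EXAMPLE_1.0` version tag are assumptions, and the listings are constructed samples rather than output captured from the real packages.

```shell
#!/bin/sh
# Added example. Each argument is a file holding `nm -D <file>` output.

# abi_gap BIN BUILD_LIB TARGET_LIB
# Prints symbols that BIN imports, BUILD_LIB exports and TARGET_LIB lacks:
# the imports that fail to resolve when the binary runs against TARGET_LIB.
abi_gap() {
    awk '
        FNR == 1 { file++ }                  # track which listing we are in
        NF < 2   { next }                    # skip blank or malformed lines
        {
            type = $(NF - 1); name = $NF
            sub(/@.*/, "", name)             # drop @VER / @@VER suffixes
            undefined = (type ~ /^[Uwv]$/)   # U, and weak undefined w/v
        }
        file == 1 && type == "U" { need[name] = 1 }
        file == 2 && !undefined  { built[name] = 1 }
        file == 3 && !undefined  { target[name] = 1 }
        END {
            for (n in need)
                if ((n in built) && !(n in target)) print n
        }
    ' "$1" "$2" "$3" | sort
}

# Constructed sample listings (not captured from real packages).
write_samples() {
    cat > "$1/bin.nm" <<'EOF'
                 U getcon
                 U malloc
                 U rpm_execcon@EXAMPLE_1.0
                 U setexeccon
EOF
    cat > "$1/lib-2.9.nm" <<'EOF'
0000000000006a10 T getcon
0000000000011c40 T rpm_execcon@@EXAMPLE_1.0
0000000000007b20 T setexeccon
EOF
    cat > "$1/lib-2.8.nm" <<'EOF'
0000000000006a10 T getcon
0000000000007b20 T setexeccon
EOF
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
abi_gap "$demo_dir/bin.nm" "$demo_dir/lib-2.9.nm" "$demo_dir/lib-2.8.nm"
```

An empty result means every import the build-host library satisfies is also exported by the target library; imports provided by other libraries (here `malloc`) are ignored.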