Bug 8603 - tl-setup can't install required SELinux package on SLES 16
Summary: tl-setup can't install required SELinux package on SLES 16
Status: CLOSED FIXED
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: Server OS (show other bugs)
Version: trunk
Hardware: PC Unknown
: P2 Normal
Target Milestone: 4.19.0
Assignee: Samuel Mannehed
URL:
Keywords: prosaic, tobfa_tester
Depends on:
Blocks:
 
Reported: 2025-06-10 16:19 CEST by Samuel Mannehed
Modified: 2025-06-12 14:26 CEST (History)
1 user (show)

See Also:
Acceptance Criteria:
MUST: * tl-setup must be able to install SELinux policy development packages * tl-setup must be able to compile the ThinLinc SELinux module * The server services must be able to start and a ThinLinc session must be able to run after a successful run of tl-setup SHOULD: * No errors or warnings should be logged to tlsetup.log

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Samuel Mannehed cendio 2025-06-10 16:19:46 CEST 
On the SLES 16 beta, they have switched from Apparmor to SELinux by default:

https://www.suse.com/betaprogram/sles16-beta/

ThinLinc has a SELinux module which we need to compile as part of tl-setup. On the SUSE 16 beta tl-setup fails on this step. We require a package called selinux-policy-devel, but tl-setup assumes it is only needed on RHEL and Fedora. Thus, on SUSE the required package isn't installed.
Comment 1 Samuel Mannehed cendio 2025-06-10 16:20:28 CEST 
Manually installing "selinux-policy-devel" helps and lets tl-setup successfully install our SELinux module.
Comment 2 Samuel Mannehed cendio 2025-06-10 16:38:31 CEST 
When tl-setup failed to install the SELinux policy development files, it crashed. That crash is handled on bug 8604.
Comment 6 Samuel Mannehed cendio 2025-06-10 17:10:21 CEST 
It proved to be as simple as adding SLES as one of the possible platforms where we should install "selinux-policy-devel". I tested using the SLES 16 beta, and it works perfectly.

> MUST:
> 
> * tl-setup must be able to install SELinux policy development packages

Yep.

> * tl-setup must be able to compile the ThinLinc SELinux module

Yep.

> * The server services must be able to start and a ThinLinc session must be able to run after a successful run of tl-setup

Yep, given that the PAM-issue and X11 desktop issue mentioned in bug 8598 is resolved.

> SHOULD:
> 
> * No errors or warnings should be logged to tlsetup.log

Yep, aside from these lines, which are handled on bug 5238:

> 2025-06-10 16:51:15,171: Output (stderr):
> 2025-06-10 16:51:15,172:     thinlinc.te:154: Warning: mcs_killall() has been deprecated, please remove mcs_constrained() instead.
Comment 7 Tobias cendio 2025-06-12 14:26:00 CEST 
Tested installing server build #4099 on SLES16 beta.

The PAM and X11 desktop issues mentioned in bug 8598 could be resolved by copying

/usr/lib/pam.d/sshd --> /etc/pam.d/

and

/usr/share/wayland-sessions/gnome.desktop --> /usr/share/xsessions/

respectively.

> MUST:
> * tl-setup must be able to install SELinux policy development packages
✅ Installs without issues.
> * tl-setup must be able to compile the ThinLinc SELinux module
✅ Compiled without issues.
> * The server services must be able to start and a ThinLinc session must be able to run after a successful run of tl-setup
✅ Yes the services do start and sessions are able to start up. Note that a valid PAM conf had to be in place for the services to be startable during tl-setup. 
> SHOULD:
> * No errors or warnings should be logged to tlsetup.log
✅ No problems reported apart from a deprecation warning (bug 5238)

Closing.
Note You need to log in before you can comment on or make changes to this bug.