Guarded against race condition in install scriptlets with restorecon

Try to run restorecon with the least number of processes/services running that might
make changes to /var/cfengine and /opt/cfengine

restorecon seems to gather a list of files up-front and then process which can take more
than a few seconds.

When services such as database or cf-execd/cf-agent/etc are running files can change
causing restorecon to error out when files are removed.

The files being removed doesn't create a risk of bad SELinux labels since they are gone.

Ticket: ENT-10429
Changelog: title
(cherry picked from commit ee76818)

packaging/common/cfengine-hub/postinstall.sh

@@ -1071,6 +1071,14 @@ if ! [ -f "$PREFIX/UPGRADED_FROM.txt" ] || egrep '3\.([0-6]\.|7\.0)' "$PREFIX/UP
   cf_console platform_service cfengine3 stop
 fi
 
+# Let's make sure all files and directories created above have correct SELinux
+# labels. We do this while the database is stopped on purpose, restorecon caches its list of
+# files up-front and the database often adds/removes files as it starts up, especially pg_internal.init
+# files inside /var/cfengine/state/pg/data/base/<oid> directories. ENT-10429
+if command -v restorecon >/dev/null; then
+  restorecon -iR /var/cfengine /opt/cfengine
+fi
+
 if is_upgrade && [ -f "$PREFIX/UPGRADED_FROM_STATE.txt" ]; then
     cf_console restore_cfengine_state "$PREFIX/UPGRADED_FROM_STATE.txt"
     rm -f "$PREFIX/UPGRADED_FROM_STATE.txt"
@@ -1080,10 +1088,4 @@ fi
 
 rm -f "$PREFIX/UPGRADED_FROM.txt"
 
-# Let's make sure all files and directories created above have correct SELinux
-# labels.
-if command -v restorecon >/dev/null; then
-  restorecon -iR /var/cfengine /opt/cfengine
-fi
-
 exit 0

packaging/common/cfengine-non-hub/postinstall.sh

@@ -142,13 +142,21 @@ systemctl restart cfengine3"
   fi
 fi
 
+restorecon_run=0
 if [ -f $PREFIX/policy_server.dat ]; then
   if ! [ -f "$PREFIX/UPGRADED_FROM.txt" ] || egrep '3\.([0-6]\.|7\.0)' "$PREFIX/UPGRADED_FROM.txt" > /dev/null; then
     # Versions <= 3.7.0 are unreliable in their daemon killing. Kill them one
     # more time now that we have upgraded.
     cf_console platform_service cfengine3 stop
   fi
 
+  # Let's make sure all files and directories created above have correct SELinux labels.
+  # run this BEFORE we start services again to avoid race conditions in restorecon
+  if command -v restorecon >/dev/null; then
+    restorecon -iR /var/cfengine /opt/cfengine
+    restorecon_run=1
+  fi
+
   if is_upgrade && [ -f "$PREFIX/UPGRADED_FROM_STATE.txt" ]; then
       cf_console restore_cfengine_state "$PREFIX/UPGRADED_FROM_STATE.txt"
       rm -f "$PREFIX/UPGRADED_FROM_STATE.txt"
@@ -159,10 +167,11 @@ fi
 
 rm -f "$PREFIX/UPGRADED_FROM.txt"
 
-# Let's make sure all files and directories created above have correct SELinux
-# labels.
-if command -v restorecon >/dev/null; then
-  restorecon -iR /var/cfengine /opt/cfengine
+if [ $restorecon_run = 0 ]; then
+  # if we didn't run restorecon above in the already bootstrapped/upgrade case then run it now
+  if command -v restorecon >/dev/null; then
+    restorecon -iR /var/cfengine /opt/cfengine
+  fi
 fi
 
 exit 0