From 06d1a8058f839469946f77466c74d847ca31f6fc Mon Sep 17 00:00:00 2001
From: Craig Comstock <craig.comstock@northern.tech>
Date: Wed, 27 Sep 2023 15:15:57 -0500
Subject: [PATCH] Guarded against race condition in install scriptlets with
 restorecon

Try to run restorecon with the least number of processes/services running that might
make changes to /var/cfengine and /opt/cfengine

restorecon seems to gather a list of files up-front and then process which can take more
than a few seconds.

When services such as database or cf-execd/cf-agent/etc are running files can change
causing restorecon to error out when files are removed.

The files being removed doesn't create a risk of bad SELinux labels since they are gone.

Ticket: ENT-10429
Changelog: title
(cherry picked from commit ee768186c07e45b2d9e9917e00afda79764597b1)
---
 packaging/common/cfengine-hub/postinstall.sh    | 14 ++++++++------
 .../common/cfengine-non-hub/postinstall.sh      | 17 +++++++++++++----
 2 files changed, 21 insertions(+), 10 deletions(-)

diff --git a/packaging/common/cfengine-hub/postinstall.sh b/packaging/common/cfengine-hub/postinstall.sh
index e87b4bea5..80e938be0 100644
--- a/packaging/common/cfengine-hub/postinstall.sh
+++ b/packaging/common/cfengine-hub/postinstall.sh
@@ -1071,6 +1071,14 @@ if ! [ -f "$PREFIX/UPGRADED_FROM.txt" ] || egrep '3\.([0-6]\.|7\.0)' "$PREFIX/UP
   cf_console platform_service cfengine3 stop
 fi
 
+# Let's make sure all files and directories created above have correct SELinux
+# labels. We do this while the database is stopped on purpose, restorecon caches its list of
+# files up-front and the database often adds/removes files as it starts up, especially pg_internal.init
+# files inside /var/cfengine/state/pg/data/base/<oid> directories. ENT-10429
+if command -v restorecon >/dev/null; then
+  restorecon -iR /var/cfengine /opt/cfengine
+fi
+
 if is_upgrade && [ -f "$PREFIX/UPGRADED_FROM_STATE.txt" ]; then
     cf_console restore_cfengine_state "$PREFIX/UPGRADED_FROM_STATE.txt"
     rm -f "$PREFIX/UPGRADED_FROM_STATE.txt"
@@ -1080,10 +1088,4 @@ fi
 
 rm -f "$PREFIX/UPGRADED_FROM.txt"
 
-# Let's make sure all files and directories created above have correct SELinux
-# labels.
-if command -v restorecon >/dev/null; then
-  restorecon -iR /var/cfengine /opt/cfengine
-fi
-
 exit 0
diff --git a/packaging/common/cfengine-non-hub/postinstall.sh b/packaging/common/cfengine-non-hub/postinstall.sh
index eb00f2a54..c24839645 100644
--- a/packaging/common/cfengine-non-hub/postinstall.sh
+++ b/packaging/common/cfengine-non-hub/postinstall.sh
@@ -142,6 +142,7 @@ systemctl restart cfengine3"
   fi
 fi
 
+restorecon_run=0
 if [ -f $PREFIX/policy_server.dat ]; then
   if ! [ -f "$PREFIX/UPGRADED_FROM.txt" ] || egrep '3\.([0-6]\.|7\.0)' "$PREFIX/UPGRADED_FROM.txt" > /dev/null; then
     # Versions <= 3.7.0 are unreliable in their daemon killing. Kill them one
@@ -149,6 +150,13 @@ if [ -f $PREFIX/policy_server.dat ]; then
     cf_console platform_service cfengine3 stop
   fi
 
+  # Let's make sure all files and directories created above have correct SELinux labels.
+  # run this BEFORE we start services again to avoid race conditions in restorecon
+  if command -v restorecon >/dev/null; then
+    restorecon -iR /var/cfengine /opt/cfengine
+    restorecon_run=1
+  fi
+
   if is_upgrade && [ -f "$PREFIX/UPGRADED_FROM_STATE.txt" ]; then
       cf_console restore_cfengine_state "$PREFIX/UPGRADED_FROM_STATE.txt"
       rm -f "$PREFIX/UPGRADED_FROM_STATE.txt"
@@ -159,10 +167,11 @@ fi
 
 rm -f "$PREFIX/UPGRADED_FROM.txt"
 
-# Let's make sure all files and directories created above have correct SELinux
-# labels.
-if command -v restorecon >/dev/null; then
-  restorecon -iR /var/cfengine /opt/cfengine
+if [ $restorecon_run = 0 ]; then
+  # if we didn't run restorecon above in the already bootstrapped/upgrade case then run it now
+  if command -v restorecon >/dev/null; then
+    restorecon -iR /var/cfengine /opt/cfengine
+  fi
 fi
 
 exit 0