make cockpit definition optional

[evgeni]

The problem is that the cockpit policy moved to the cockpit package in EL9, not in the main selinux policy anymore.
Thus, when installing on a system without cockpit (and its policy), you get ugly errors like:

Failed to resolve typeattributeset statement at /var/lib/selinux/targeted/tmp/modules/400/foreman/cil:66

And more importantly: the whole policy fails to load, leading to many issues at runtime.

To avoid this, we have to wrap the cockpit-related parts of the policy with optional_policy and introduce an own entrypoint that we can use in our file contexts, as there is no optional() for those.

[evgeni]

huh, this breaks fresh installs, wild:

error: lsetfilecon: (37 /usr/share/gems/gems/foreman_remote_execution-12.0.5/extra/cockpit/foreman-cockpit-session;65c4c92b, system_u:object_r:foreman_cockpit_session_exec_t:s0) Permission denied
error: Plugin selinux: hook fsm_file_prepare failed

[evgeni]

# restorecon -v /usr/share/gems/gems/foreman_remote_execution-12.0.5/extra/cockpit/foreman-cockpit-session
restorecon: Could not set context for /usr/share/gems/gems/foreman_remote_execution-12.0.5/extra/cockpit/foreman-cockpit-session:  Permission denied

# dnf install cockpit
…

# restorecon -v /usr/share/gems/gems/foreman_remote_execution-12.0.5/extra/cockpit/foreman-cockpit-session
Relabeled /usr/share/gems/gems/foreman_remote_execution-12.0.5/extra/cockpit/foreman-cockpit-session from unconfined_u:object_r:usr_t:s0 to unconfined_u:object_r:foreman_cockpit_session_exec_t:s0

🤯

[evgeni]

should be fixed by theforeman/foreman-packaging#10404

[evgeni]

I've moved the symlink-remove parts into #164 as they are independent from EL9.

[adamruzicka]

To my limited understanding, this should be fine