Replace SELinux community module with LSR #303

tomasfratrik · 2025-12-01T21:16:13Z

For now this is just a draft, Im not sure if we want PR for each module, or all modules in 1 PR.

Part of:
Jira: RHEL-120542

richm · 2025-12-02T01:29:20Z

.ansible-lint

  - community.general.yum_versionlock
  - community.general.rhsm_repository
-  - ansible.posix.selinux
+  - redhat.rhel_system_roles.selinux


Suggested change

- redhat.rhel_system_roles.selinux

We cannot use the module. We must use the role.

For selinux yes, we should use the role to ensure that selinux is properly configured. I guess it makes sense to use fedora.linux_system_roles.selinux role in the upstream. We will change this in RPM spec for downstream.

How about ansible.posix.mount? Downstream, is it a good idea to use redhat.rhel_system_roles.mount to avoid re-vendoring it?

For selinux yes, we should use the role to ensure that selinux is properly configured. I guess it makes sense to use fedora.linux_system_roles.selinux role in the upstream. We will change this in RPM spec for downstream.

How about ansible.posix.mount? Downstream, is it a good idea to use redhat.rhel_system_roles.mount to avoid re-vendoring it?

That one will be problematic. Yes, there is a fedora.linux_system_roles.mount module used internally by a couple of roles - but this is only meant to be used internally by the role, not by code outside of the role. We do not want to support using modules, even if it is for "friendly" external code.

Maybe there is a way we can use the storage role, not sure.

roles/upgrade/tasks/leapp-post-upgrade-selinux.yml

richm · 2025-12-08T15:47:53Z

lgtm - you will need a changelog fragment

Part of: Jira: RHEL-120542

tomasfratrik · 2025-12-08T16:03:08Z

lgtm - you will need a changelog fragment

Added, but I am not sure about conventions here

richm · 2025-12-08T16:28:26Z

[citest]

spetrosi · 2025-12-09T07:34:38Z

roles/upgrade/tasks/leapp-post-upgrade-selinux.yml

    reboot_timeout: "{{ reboot_timeout }}"
    post_reboot_delay: "{{ post_reboot_delay }}"
  timeout: "{{ reboot_timeout }}"
  when: selinux_results.reboot_required


Does selinux role return a reboot_required variable? That might not be applicable to the role.

yes you are right, according the documentation it should be selinux_reboot_required

spetrosi · 2025-12-09T07:35:51Z

roles/upgrade/tasks/leapp-post-upgrade-selinux.yml

+    selinux_state: "{{ selinux_mode }}"
  check_mode: true
  register: selinux_check_results
  failed_when: selinux_check_results.changed


include_role might not return changed variable

Correct. It does not return changed

in fact - you cannot use check_mode, register, or failed_when with include_role

richm · 2025-12-09T13:57:41Z

roles/upgrade/tasks/leapp-post-upgrade-selinux.yml

+  vars:
+    selinux_policy: targeted
+    selinux_state: "{{ selinux_mode }}"
  register: selinux_results


register does not work with include_role

yes I have now realised that now its for include_role

richm · 2025-12-09T14:48:21Z

This example explains how to use the selinux role when there is the possibility that the system needs to be rebooted to apply the changes: https://github.com/linux-system-roles/selinux/blob/main/examples/selinux-playbook.yml

define the selinux policy you need in a vars
run the role in a block with a rescue
in the rescue section, check if the role failed for a reason other than reboot required and fail if reboot not required
do the reboot if reboot required
wait for the connection
run the role again to ensure the settings are applied

richm reviewed Dec 2, 2025

View reviewed changes