refactor: improve support for ostree systems

.ansible-lint

@@ -23,6 +23,5 @@ exclude_paths:
 mock_modules:
   - sefcontext
   - selogin
-  - ansible.utils.update_fact
 mock_roles:
   - linux-system-roles.selinux

.ostree/get_ostree_data.sh

@@ -2,7 +2,6 @@
 
 set -euo pipefail
 
-role_collection_dir="${ROLE_COLLECTION_DIR:-fedora/linux_system_roles}"
 ostree_dir="${OSTREE_DIR:-"$(dirname "$(realpath "$0")")"}"
 
 if [ -z "${4:-}" ] || [ "${1:-}" = help ] || [ "${1:-}" = -h ]; then
@@ -29,24 +28,40 @@ if [ "$pkgtype" = testing ]; then
 fi
 
 get_rolepath() {
-    local ostree_dir role rolesdir
+    local ostree_dir role rolesdir roles_parent_dir coll_path pth
     ostree_dir="$1"
     role="$2"
-    rolesdir="$(dirname "$(dirname "$ostree_dir")")/$role/.ostree"
+    roles_parent_dir="$(dirname "$(dirname "$ostree_dir")")"
+    rolesdir="$roles_parent_dir/$role/.ostree"
+    # assumes collection format
     if [ -d "$rolesdir" ]; then
         echo "$rolesdir"
         return 0
     fi
-    if [ -n "${ANSIBLE_COLLECTIONS_PATHS:-}" ]; then
-        for pth in ${ANSIBLE_COLLECTIONS_PATHS//:/ }; do
-            rolesdir="$pth/ansible_collections/$role_collection_dir/roles/$role/.ostree"
-            if [ -d "$rolesdir" ]; then
-                echo "$rolesdir"
-                return 0
-            fi
+    # assumes legacy role format like linux-system-roles.$role/
+    for rolesdir in "$roles_parent_dir"/*-system-roles."$role"/.ostree; do
+        if [ -d "$rolesdir" ]; then
+          echo "$rolesdir"
+          return 0
+        fi
+    done
+    # look elsewhere
+    coll_path="${ANSIBLE_COLLECTIONS_PATH:-}"
+    if [ -z "$coll_path" ]; then
+        coll_path="${ANSIBLE_COLLECTIONS_PATHS:-}"
+    fi
+    if [ -n "${coll_path}" ]; then
+        for pth in ${coll_path//:/ }; do
+            for rolesdir in "$pth"/ansible_collections/*/*_system_roles/roles/"$role"/.ostree; do
+                if [ -d "$rolesdir" ]; then
+                    echo "$rolesdir"
+                    return 0
+                fi
+            done
         done
     fi
-    return 1
+    1>&2 echo ERROR - could not find role "$role" - please use ANSIBLE_COLLECTIONS_PATH
+    exit 2
 }
 
 get_packages() {
@@ -65,6 +80,10 @@ get_packages() {
             roles="$(cat "$rolefile")"
             for role in $roles; do
                 rolepath="$(get_rolepath "$ostree_dir" "$role")"
+                if [ -z "$rolepath" ]; then
+                    1>&2 echo ERROR - could not find role "$role" - please use ANSIBLE_COLLECTIONS_PATH
+                    exit 2
+                fi
                 get_packages "$rolepath"
             done
         fi

meta/collection-requirements.yml

@@ -1,5 +1,4 @@
 ---
 collections:
   - name: ansible.posix
-  - name: ansible.utils
   - name: community.general

tasks/ensure_selinux_packages.yml

@@ -1,28 +1,24 @@
 ---
-- name: Ensure correct package manager for ostree systems
-  vars:
-    ostree_pkg_mgr: ansible.posix.rhel_rpm_ostree
-    ostree_booted_file: /run/ostree-booted
-  when: ansible_facts.pkg_mgr | d("") != ostree_pkg_mgr
+- name: Determine if system is ostree and set flag
+  when: not __selinux_is_ostree is defined
   block:
     - name: Check if system is ostree
       stat:
-        path: "{{ ostree_booted_file }}"
+        path: /run/ostree-booted
       register: __ostree_booted_stat
 
-    - name: Set package manager to use for ostree
-      ansible.utils.update_fact:
-        updates:
-          - path: ansible_facts.pkg_mgr
-            value: "{{ ostree_pkg_mgr }}"
-      when: __ostree_booted_stat.stat.exists
+    - name: Set flag to indicate system is ostree
+      set_fact:
+        __selinux_is_ostree: "{{ __ostree_booted_stat.stat.exists }}"
 
 - name: Install SELinux python2 tools
   package:
     name:
       - libselinux-python
       - policycoreutils-python
     state: present
+    use: "{{ (__selinux_is_ostree | d(false)) |
+             ternary('ansible.posix.rhel_rpm_ostree', omit) }}"
   when: ansible_python_version is version('3', '<')
 
 - name: Install SELinux python3 tools
@@ -31,6 +27,8 @@
       - python3-libselinux
       - python3-policycoreutils
     state: present
+    use: "{{ (__selinux_is_ostree | d(false)) |
+             ternary('ansible.posix.rhel_rpm_ostree', omit) }}"
   when:
     - ansible_python_version is version('3', '>=')
     - ansible_os_family == "RedHat"
@@ -41,6 +39,8 @@
       - python3-selinux
       - python3-policycoreutils
     state: present
+    use: "{{ (__selinux_is_ostree | d(false)) |
+             ternary('ansible.posix.rhel_rpm_ostree', omit) }}"
   when:
     - ansible_python_version is version('3', '>=')
     - ansible_os_family == "Suse"
@@ -50,6 +50,8 @@
     name:
       - policycoreutils-python-utils
     state: present
+    use: "{{ (__selinux_is_ostree | d(false)) |
+             ternary('ansible.posix.rhel_rpm_ostree', omit) }}"
   when: ansible_distribution == "Fedora" or
     (ansible_distribution_major_version | int > 7 and
      ansible_distribution in ["CentOS", "RedHat", "Rocky"])

tests/set_selinux_variables.yml

@@ -25,12 +25,16 @@
       package:
         name: selinux-policy-targeted
         state: present
+        use: "{{ (__selinux_is_ostree | d(false)) |
+                 ternary('ansible.posix.rhel_rpm_ostree', omit) }}"
       when: __selinux_need_policy_targeted | d(false)
 
     - name: Ensure findmnt
       package:
         name: "{{ findmnt_pkg }}"
         state: present
+        use: "{{ (__selinux_is_ostree | d(false)) |
+                 ternary('ansible.posix.rhel_rpm_ostree', omit) }}"
       when: __selinux_need_findmnt | d(false)
       vars:
         findmnt_pkg: "{{ 'util-linux-core'

tests/tests_selinux_modules_checksum.yml

@@ -26,8 +26,7 @@
           register: role_result
         - name: Get commit_num file
           set_fact:
-            commit_num_file: "{{
-              (ansible_facts.pkg_mgr == 'ansible.posix.rhel_rpm_ostree') |
+            commit_num_file: "{{ __selinux_is_ostree | d(false) |
               ternary('/etc/selinux/targeted/active/commit_num',
                       '/var/lib/selinux/targeted/active/commit_num') }}"
         - name: Get current commit_num