ci: add support for transactional update

README.md

@@ -198,6 +198,14 @@ supported policydb module version on target systems, i.e. on the oldest system.
 **Note:** Managing modules is idempotent only on Fedora, and EL 8.6 and later.
 You can manage modules on older releases, but it will not be idempotent.
 
+### selinux_transactional_update_reboot_ok
+
+This variable is used to handle reboots required by transactional updates. If a transactional update requires a reboot, the role will proceed with the reboot if selinux_transactional_update_reboot_ok is set to true. If set to false, the role will notify the user that a reboot is required, allowing for custom handling of the reboot requirement. If this variable is not set, the role will fail to ensure the reboot requirement is not overlooked.
+
+```yaml
+selinux_transactional_update_reboot_ok: true
+```
+
 ## Ansible Facts
 
 ### selinux_reboot_required

defaults/main.yml

@@ -1,6 +1,7 @@
 ---
 selinux_state: null
 selinux_policy: null
+selinux_transactional_update_reboot_ok: null
 
 # Set up empty lists for SELinux changes.
 selinux_booleans: []

tasks/ensure_selinux_packages.yml

@@ -11,6 +11,18 @@
       set_fact:
         __selinux_is_ostree: "{{ __ostree_booted_stat.stat.exists }}"
 
+- name: Determine if system is transactional update and set flag
+  when: not __selinux_is_transactional is defined
+  block:
+    - name: Check if transactional-update exists in /sbin
+      stat:
+        path: /sbin/transactional-update
+      register: __transactional_update_stat
+
+    - name: Set flag if transactional-update exists
+      set_fact:
+        __selinux_is_transactional: "{{ __transactional_update_stat.stat.exists }}"
+
 - name: Install SELinux python2 tools
   package:
     name:
@@ -44,6 +56,7 @@
   when:
     - ansible_python_version is version('3', '>=')
     - ansible_os_family == "Suse"
+  register: selinux_python3_tools_result
 
 - name: Install SELinux tool semanage
   package:
@@ -53,8 +66,33 @@
     use: "{{ (__selinux_is_ostree | d(false)) |
              ternary('ansible.posix.rhel_rpm_ostree', omit) }}"
   when: ansible_distribution == "Fedora" or
+    ansible_distribution == "SL-Micro" or
     (ansible_distribution_major_version | int > 7 and
      ansible_distribution in ["CentOS", "RedHat", "Rocky"])
+  register: selinux_semanage_result
+
+- name: Handle reboot for transactional update systems
+  when:
+    - __selinux_is_transactional | d(false)
+    - selinux_python3_tools_result is changed or
+      selinux_semanage_result is changed
+  block:
+    - name: Notify user that reboot is needed to apply changes
+      debug:
+        msg: >
+          Reboot required to apply changes due to transactional updates.
+
+    - name: Reboot transactional update systems
+      reboot:
+        msg: Rebooting the system to apply transactional update changes.
+      when: selinux_transactional_update_reboot_ok | bool
+
+    - name: Fail if reboot is needed and not set
+      fail:
+        msg: >
+          Reboot is required but not allowed. Please set 'selinux_transactional_update_reboot_ok' to proceed.
+      when:
+        - selinux_transactional_update_reboot_ok is none
 
 - name: Refresh facts
   setup:

vars/main.yml

@@ -18,5 +18,6 @@ __selinux_required_facts_subsets: "{{ ['!all', '!min'] +
   __selinux_required_facts }}"
 
 restorecon_threads: "{{ '-T 0' if ansible_distribution == 'Fedora' or
+  ansible_distribution == 'SL-Micro' or
   (ansible_distribution_major_version | int > 8 and
   ansible_distribution in ['CentOS', 'RedHat', 'Rocky']) else '' }}"