common: selinux tasks related refactor

This moves some task from the `ceph-nfs` role in `ceph-common` since
some of them are needed in `ceph-rgwloadbalancer` role.
This avoids duplicated tasks.

Signed-off-by: Guillaume Abrioux <gabrioux@redhat.com>
(cherry picked from commit d0442d81b9)

roles/ceph-common/tasks/main.yml

@@ -57,3 +57,10 @@
     - (ceph_tcmalloc_max_total_thread_cache | int) > 0
     - osd_objectstore == 'filestore'
     - (ceph_origin == 'repository' or ceph_origin == 'distro')
+
+- name: include selinux.yml
+  include_tasks: selinux.yml
+  when:
+    - ansible_facts['os_family'] == 'RedHat'
+    - inventory_hostname in groups.get(nfs_group_name, [])
+      or inventory_hostname in groups.get(rgwloadbalancer_group_name, [])

roles/ceph-common/tasks/selinux.yml

@@ -0,0 +1,22 @@
+---
+- name: if selinux is not disabled
+  when: ansible_facts['selinux']['status'] == 'enabled'
+  block:
+    - name: install policycoreutils-python
+      package:
+        name: policycoreutils-python
+        state: present
+      register: result
+      until: result is succeeded
+      when: ansible_facts['distribution_major_version'] == '7'
+
+    - name: install python3-policycoreutils on RHEL 8
+      package:
+        name: python3-policycoreutils
+        state: present
+      register: result
+      until: result is succeeded
+      when:
+        - inventory_hostname in groups.get(nfs_group_name, [])
+          or inventory_hostname in groups.get(rgwloadbalancer_group_name, [])
+        - ansible_facts['distribution_major_version'] == '8'

roles/ceph-nfs/tasks/ganesha_selinux_fix.yml

@@ -1,32 +0,0 @@
----
-- name: check if selinux is enabled
-  command: getenforce
-  register: selinuxstatus
-  changed_when: false
-  failed_when: false
-  check_mode: no
-
-- name: if selinux is not disable
-  when: selinuxstatus.stdout != 'Disabled'
-  block:
-    - name: install policycoreutils-python
-      package:
-        name: policycoreutils-python
-        state: present
-      register: result
-      until: result is succeeded
-      when: ansible_facts['distribution_major_version'] == '7'
-
-    - name: install nfs-ganesha-selinux and python3-policycoreutils on RHEL 8
-      package:
-        name: ['nfs-ganesha-selinux', 'python3-policycoreutils']
-        state: present
-      register: result
-      until: result is succeeded
-      when: ansible_facts['distribution_major_version'] == '8'
-
-    - name: add ganesha_t to permissive domain
-      selinux_permissive:
-        name: ganesha_t
-        permissive: true
-      failed_when: false

roles/ceph-nfs/tasks/main.yml

@@ -19,12 +19,28 @@
   import_tasks: create_rgw_nfs_user.yml
   when: groups.get(mon_group_name, []) | length > 0
 
+- name: install nfs-ganesha-selinux on RHEL 8
+  package:
+    name: nfs-ganesha-selinux
+    state: present
+  register: result
+  until: result is succeeded
+  when:
+    - not containerized_deployment | bool
+    - inventory_hostname in groups.get(nfs_group_name, [])
+    - ansible_facts['os_family'] == 'RedHat'
+    - ansible_facts['distribution_major_version'] == '8'
+
 # NOTE (leseb): workaround for issues with ganesha and librgw
-- name: include ganesha_selinux_fix.yml
+- name: add ganesha_t to permissive domain
-  import_tasks: ganesha_selinux_fix.yml
+  selinux_permissive:
+    name: ganesha_t
+    permissive: true
+  failed_when: false
   when:
     - not containerized_deployment | bool
     - ansible_facts['os_family'] == 'RedHat'
+    - ansible_facts['selinux']['status'] == 'enabled'
 
 - name: nfs with external ceph cluster task related
   when:

roles/ceph-rgw-loadbalancer/tasks/pre_requisite.yml

@@ -35,7 +35,9 @@
     - restart keepalived
 
 - name: selinux related tasks
-  when: ansible_facts['os_family'] == 'RedHat'
+  when:
+    - ansible_facts['os_family'] == 'RedHat'
+    - ansible_facts['selinux']['status'] == 'enabled'
   block:
     - name: set_fact rgw_ports
       set_fact: